Hi ,
Please see in attach the files that I'm using.
I generate the certificates with the following commands:
## Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl x509 -in ca.crt -out ca.pem -outform PEM

## Create the Server Key and CSR
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
openssl x509 -in server.crt -out server.pem -outform PEM

## Create the Client Key and CSR
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl x509 -in client.crt -out client.pem -outform PEM
I left the default value for each question that openssl asks when creating the certificates, like Country, City, CN, etc., like this:

openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Thanks.
Kind regards.
On Thu, Nov 30, 2017 at 2:45 PM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
Hi,
On 29/11/17 14:37, wizard2010@xxxxxxxxx wrote:
Hi JJK,
I tested your function and I got this result:
ok = 0
cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
ok = 1
cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Why do I see this two times? When I created the certificates I didn't fill in any special information, I just pressed enter at every question that was asked. Do you think this could cause this issue?
What you should have seen is the certificate stack, starting with the CA and then the client cert, e.g.
Connection accept...
ok = 1
cert DN: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/emailAddress=openvpn@example.com
ok = 1
cert DN: /C=US/O=Cookbook 2.4/CN=client1
So I suspect that your ca.crt on the server side is not specified correctly.
You may also send me your ca.crt, server.{crt,key} and client.{crt,key} files privately, and I will run the same test using your set of certificates.
HTH,
JJK
On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
Hi,
On 28/11/17 11:03, wizard2010@xxxxxxxxx wrote:
Now you've effectively disabled all security :)
Hi there.
I guess my problem is really related to the verify callback of the SSL_CTX_set_verify function. I just added a dummy callback returning 1 to my code and everything works properly.
#include <stdio.h>
#include <openssl/x509.h>

int verify_callback(int ok, X509_STORE_CTX *ctx);

/* Dummy callback: accepts every certificate no matter what OpenSSL decided. */
int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    (void)ok;
    (void)ctx;
    printf("Verification callback OK!\n");
    return 1;
}
...
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
The problem is that the error doesn't tell much about what's really going on or what's really missing. Thanks for your help.
Try adding this to the verify_callback:
#include <stdio.h>
#include <openssl/x509.h>

static int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    X509 *cert = NULL;
    char *cert_DN = NULL;

    /* ok is OpenSSL's verdict for the certificate currently being checked */
    printf("ok = %d\n", ok);
    cert = X509_STORE_CTX_get_current_cert(ctx);
    if (cert != NULL) {
        cert_DN = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
        printf("cert DN: %s\n", cert_DN);
        OPENSSL_free(cert_DN);
    }
    return ok;   /* pass the verdict through; returning 1 unconditionally disables verification */
}
that way, you will know whether your server is processing the right certificate chain.
HTH,
JJK
Attachments: ca.crt, ca.key, ca.pem, client.crt, client.csr, client.key, client.pem, server.crt, server.csr, server.key, server.pem
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
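Added example, not code from the thread or its posters: it rebuilds the certificate set from the commands above non-interactively, using the subject DN that accepting every default produces, and inspects the result. It shows why the callback's "cert DN" line cannot tell the CA from the client here: all three certificates share one subject, the client's issuer equals its own subject, and server and client both carry serial 01. It assumes the openssl CLI is on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the poster's certificate set
# non-interactively with the DN that accepting every prompt default produces,
# then inspect what that yields. Assumes the openssl CLI is on PATH. Keys are
# 2048-bit here only to keep it quick; the thread used 4096.
set -eu

WORK="$(mktemp -d)"
# Pressing Enter at every "openssl req" prompt gives this subject; CN stays empty.
DEFAULT_SUBJ="/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd"

gen_chain() {
    (
        cd "$WORK"
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -days 365 -key ca.key -subj "$DEFAULT_SUBJ" -out ca.crt 2>/dev/null
        for role in server client; do
            openssl genrsa -out "$role.key" 2048 2>/dev/null
            openssl req -new -key "$role.key" -subj "$DEFAULT_SUBJ" -out "$role.csr" 2>/dev/null
            # Both leaf certs get -set_serial 01, exactly as in the thread's commands.
            openssl x509 -req -days 365 -in "$role.csr" -CA ca.crt -CAkey ca.key \
                -set_serial 01 -out "$role.crt" 2>/dev/null
        done
    )
}

# One field (subject, issuer or serial) of a cert; -nameopt compat gives the same
# slash-separated form X509_NAME_oneline() prints in the thread's callback.
field_of() {
    openssl x509 -in "$WORK/$1" -noout "-$2" -nameopt compat | sed 's/^[a-z]*= *//'
}

# How many different subject DNs the CA, server and client certs carry.
distinct_subjects() {
    for c in ca.crt server.crt client.crt; do field_of "$c" subject; done | sort -u | wc -l | tr -d ' '
}

# Whether OpenSSL's own chain check accepts the client cert against this CA.
verify_client() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" 2>&1 || true
}

gen_chain
echo "CA subject:     $(field_of ca.crt subject)"
echo "client subject: $(field_of client.crt subject)"
echo "client issuer:  $(field_of client.crt issuer)"
echo "serials:        server=$(field_of server.crt serial) client=$(field_of client.crt serial)"
echo "distinct DNs:   $(distinct_subjects)   (1 = the callback's DN line cannot tell them apart)"
echo "openssl verify: $(verify_client)"
```

Giving each certificate its own CN (and distinct serials) when answering the prompts is what makes the DN line in the callback useful.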