Re: SSL alert number 48

Hi,

On 04/12/17 09:10, wizard2010@xxxxxxxxx wrote:
Hi ,

Please see in attach the files that I'm using.

I've just taken a look at your certificates and they've not been generated correctly:

$ openssl x509 -subject -issuer -noout -in ca.crt -dates -serial
subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
issuer= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
notBefore=Nov 27 11:52:34 2017 GMT
notAfter=Nov 27 11:52:34 2018 GMT
serial=A1E0F7319AAD90C0

$ openssl x509 -subject -issuer -noout -in client.crt -dates -serial
subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
issuer= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
notBefore=Nov 27 11:53:16 2017 GMT
notAfter=Nov 27 11:53:16 2018 GMT
serial=01

$ openssl x509 -subject -issuer -noout -in server.crt -dates -serial
subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
issuer= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
notBefore=Nov 27 11:52:55 2017 GMT
notAfter=Nov 27 11:52:55 2018 GMT
serial=01


that is, the subject and issuer of the CA, server and client certs are all the same; also, the serial numbers of the client and server certificates are the same.
You will need to alter the way you generate your certificates so that there is a clear distinction between CA, server and client cert.

HTH,

JJK


I generate the certificates with the following commands:

## Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl x509 -in ca.crt -out ca.pem -outform PEM

## Create the Server Key and CSR
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
openssl x509 -in server.crt -out server.pem -outform PEM

## Create the Client Key and CSR
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl x509 -in client.crt -out client.pem -outform PEM

I left the default value for each question that openssl asks when it creates the certificates, like Country, City, CN, etc. Like this:
openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 
Thanks.
Kind regards.


On Thu, Nov 30, 2017 at 2:45 PM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
Hi,

On 29/11/17 14:37, wizard2010@xxxxxxxxx wrote:
Hi JJK,

I tested your function and I got this result:
ok = 0
cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
ok = 1
cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd

Why do I see this 2 times?
When I created the certificates I didn't fill in any special information, I just typed enter at every question that was asked. Do you think this could cause this issue?


what you should have seen is the certificate stack, starting with the CA, and then the client cert, e.g.

Connection accept...
ok = 1
cert DN: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/emailAddress=openvpn@example.com
ok = 1
cert DN: /C=US/O=Cookbook 2.4/CN=client1


so I suspect that your ca.crt on the server side is not specified correctly. 
You may also send me your ca.crt, server.{crt,key} and client.{crt,key} files privately, and I will run the same test using your set of certificates.

HTH,

JJK
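Putting both of JJK's points together (CA, server and client certificates that can be told apart, and the chain the verify callback walks starting at the CA), the script below is an added example, not code from the thread or from OpenSSL: it builds such a set with the openssl command-line tool and applies the subject, issuer and serial checks shown above. The DNs, file names and the small req config are constructed; it assumes an openssl binary (1.1.1 or 3.x) on PATH.

```shell
# Added example, not from the thread: build a CA, server and client cert that
# can be told apart (own CN, CA flagged as a CA, unique serials) and apply the
# subject/issuer/serial checks JJK ran. Needs openssl 1.1.1+; names constructed.
set -eu
gen_pki() {
    dir=$1; mkdir -p "$dir"
    # Private req config, so nothing from the system openssl.cnf leaks in.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    printf 'basicConstraints = CA:FALSE\n' > "$dir/leaf.ext"
    # CA: self-signed, flagged as a CA; the only cert where subject == issuer.
    openssl req -new -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -days 365 -subj "/C=US/O=Example Lab/CN=Example Lab Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Leaves: own CN each, CA:FALSE, and -CAcreateserial keeps a counter in
    # ca.srl so the serials differ (the thread used -set_serial 01 for both).
    for name in server client; do
        openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
            -subj "/C=US/O=Example Lab/CN=$name.example.test" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -days 365 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/leaf.ext" \
            -out "$dir/$name.crt" 2>/dev/null
    done
}

# Checks from the thread: leaves must not be self-issued, must have different
# serials, and must chain to ca.crt (-show_chain on stderr: CA depth 1, leaf 0).
check_pki() {
    dir=$1
    for name in server client; do
        subj=$(openssl x509 -noout -subject -in "$dir/$name.crt")
        iss=$(openssl x509 -noout -issuer -in "$dir/$name.crt")
        [ "${subj#subject=}" != "${iss#issuer=}" ] || { echo "$name: self-issued"; return 1; }
        openssl verify -show_chain -CAfile "$dir/ca.crt" "$dir/$name.crt" >&2 ||
            { echo "$name: does not chain to ca.crt"; return 1; }
    done
    s1=$(openssl x509 -noout -serial -in "$dir/server.crt")
    s2=$(openssl x509 -noout -serial -in "$dir/client.crt")
    [ "$s1" != "$s2" ] || { echo "server and client share $s1"; return 1; }
    echo ok
}
if [ $# -gt 0 ]; then gen_pki "$1" && check_pki "$1"; fi
```

Run as `sh pki.sh /tmp/pki`; the -show_chain output lists the leaf at depth 0 and the CA at depth 1, the same two certificates the callback prints, CA first.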




On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
Hi,

On 28/11/17 11:03, wizard2010@xxxxxxxxx wrote:
Hi there.

I guess my problem is really related to the verify callback of the SSL_CTX_set_verify function.
I just added a dummy callback returning 1 to my code and everything works properly.


#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

/* Dummy callback: ignores OpenSSL's verdict (ok) and always reports success. */
int verify_callback(int ok, X509_STORE_CTX *ctx);
int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    printf("Verification callback OK!\n");
    return 1;
}
...
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
...

The problem is that the error doesn't give much information about what's really going on or what's really missing.
Thanks for your help.

Now you've effectively disabled all security :)

Try adding this to the verify_callback


#include <stdio.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

static int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    X509 *cert    = NULL;
    char *cert_DN = NULL;

    /* ok is OpenSSL's verdict for the certificate currently being checked */
    printf("ok = %d\n", ok);
    cert = X509_STORE_CTX_get_current_cert(ctx);
    if (cert != NULL) {
        cert_DN = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
        printf("cert DN: %s\n", cert_DN);
        OPENSSL_free(cert_DN);
    }

    /* pass the verdict through; returning 1 unconditionally disables verification */
    return ok;
}


that way, you will know whether your server is processing the right certificate chain.

HTH,

JJK





-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
