TLS/SRTP woes (ssl_sock_ossl.c::verify_cb returns error code 20)

Hi Nanang,


Thanks for your response. My comments follow below:
> I'm no SSL expert, just trying to shoot in the dark here. It may be
> caused by incomplete cert chain in the verification stage. A complete
> cert chain: root CA -> intermediate CA(s) -> your server cert.
That is a possibility (the CA in question is NOT a root CA indeed), but 
if that was the case, why am I getting error 20 and not one of the 
EUNTRUSTED* errors? I am getting error 27 (which is what should have 
happened if the CA certificate is not trusted), but *only* after I get 
error 20 ("local certificate file cannot be loaded" or something to that 
effect - I do not have the X509 error codes with me at present), which, 
if you think about it, makes perfect sense, because if the CA certificate 
cannot be loaded, then the whole chain cannot be verified, thus issuing 
error code 27 makes perfect sense.

The question is - why do I get error 20, given that the file is present? 
I can't see the file (or directory) permissions being the problem. I am 
baffled as to what could be the cause of this.

I searched for any references for this kind of error, but the only thing 
I could find is if the local verification function is called after the 
ssl connection is established, which doesn't appear to be the case here.

Also, when I use my certificate "matching" verify callback function (the 
one I designed and placed in ssl_sock_ossl.c instead of verify_cb) I 
don't get this error - I can load the certificates - both the server 
certificate as well as the certificate of the CA who signed it - without 
any problems. Something isn't right!

>  Perhaps
> you can try http://www.ssltool.com/?action=sslCheckOpenSSL to check if
> the server installation is fine.
I use openssl for that - there is a special function in openssl (the 
userspace program) which verifies the whole certificate chain.

>  If it is, recheck your CA file
> (should contain the root CA cert). If not (server problem), you may
> need to put the intermediate CA cert(s) along with root CA in your CA
> file.
>   
I will try that, but as I already pointed out above - if certificate 
verification is the problem, I should not be getting error 20...
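A constructed demonstration, added here and not code from this thread or from pjsip's ssl_sock_ossl.c, of when `openssl verify` reports X509 error 20 (unable to get local issuer certificate) versus OK for a root -> intermediate -> server chain; the file names and subject names are made up, and the "chain.crt" case is the CA-file layout Nanang suggested (intermediate plus root together).

```shell
#!/bin/sh
# Constructed demo: build a throwaway root CA -> intermediate CA -> server
# certificate chain, then run `openssl verify` against different CA files
# to see which X509 verify error OpenSSL reports. Error 20 is
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the issuer of some cert
# in the chain was not found in any local file, so the chain cannot be built.
set -e
WORK=$(mktemp -d) && cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext

# Root CA: self-signed, CA:TRUE (names are made up for the demo)
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 2 \
    -extfile ca.ext 2>/dev/null
# Intermediate CA: signed by the root, CA:TRUE
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out inter.crt -days 2 -extfile ca.ext 2>/dev/null
# Server (leaf) certificate: signed by the intermediate only
openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
    -subj "/CN=sip.example.test" 2>/dev/null
openssl x509 -req -in srv.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -out srv.crt -days 2 2>/dev/null
# CA file holding the intermediate AND the root, as suggested in the thread
cat inter.crt root.crt > chain.crt

# verify_chain CAFILE [UNTRUSTED_FILE]
# Prints "OK", or the X509 error number from the first "error N at D depth" line.
verify_chain() {
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$2" srv.crt 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$1" srv.crt 2>&1 || true)
    fi
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        printf '%s\n' "$code"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then
        echo OK
    else
        echo UNKNOWN
    fi
}

echo "root only, intermediate missing everywhere:  error $(verify_chain root.crt)"
echo "intermediate + root in the CA file:          $(verify_chain chain.crt)"
echo "root in CA file, intermediate via -untrusted: $(verify_chain root.crt inter.crt)"
```

The first case is the one that yields error 20: the leaf's issuer exists, but not in any file OpenSSL was given, which is a different condition from an untrusted CA (error 27).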




