Hello,
I've encountered some problems using the OpenSSL toolkit. Unfortunately,
I cannot seem to find the right answers, and I'm hoping if there's anyone
out there able to help me.
Using OpenSSL-0.9.5a and compiling with both Borland C++ & Linux/G++ and
they share the same problems!
1. VerifyCallback cannot use X509_xxx functions. This is just taken from
the apps source of the OpenSSL-0.9.5a distribution. How or why it is not
working properly I cannot tell.
static int VerifyCallback(int aniState,
X509_STORE_CTX *apSubjectCTX,
X509_STORE_CTX *apIssuerCTX,
int aniDepth,
int aniError)
{
char sTxt[256]="";
// This causes hidden SISEGV and in Windows CGL Problems!!!
// Generate SIGSEGV in Linux
// rErrCert = X509_STORE_CTX_get_current_cert(apCTX);
// iError = X509_STORE_CTX_get_error(apCTX);
// iDepth - X509_STORE_CTX_get_error_depth(apCTX);
// X509_NAME_oneline(X509_get_subject_name(rErrCert),sTxt,sizeof(sTxt));
// cDebug->Log(MODULE_ID,"Verify CB: Depth=%d Subject=%s",iDepth,sTxt);
cDebug->Log(MODULE_ID,"Verify CB: Depth=%d",aniDepth);
if (!aniState) // ==1 if certs are valid
{
cDebug->Log(MODULE_ID,"Verify CB: Error %d -> %s",
aniError,X509_verify_cert_error_string(aniError));
switch (aniError)
{
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
X509_NAME_oneline(X509_get_issuer_name(apSubjectCTX->current_cert),sTxt,sizeof(sTxt));
cDebug->Log(MODULE_ID,"Verify CB: Unable to get issuer certificate %s",sTxt);
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
cDebug->Log(MODULE_ID,"Verify CB: Certificate not valid yet!");
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
cDebug->Log(MODULE_ID,"Verify CB: Certificate has expired!");
break;
}
}
cDebug->Log(MODULE_ID,"Verify CB: Returning: %d",aniState);
return aniState;
}
2. Because the application has to be automated, consoleinput is not wanted.
Using this callback also messes up:
static int KeyCallback(char *sBuffer,int aniMaxLength,int aniRWFlag,void *pUserData)
{
char *sPassPhrase=(char*)gOptions["PassPhrase"];
int iLength=max(strlen(sPassPhrase),aniMaxLength);
// memset(sBuffer,0,aniMaxLength);
strncpy(sBuffer,sPassPhrase,iLength);
strcat(sBuffer,"\0");
cDebug->Log(MODULE_ID,"Key CB: Returning passphrase password: %s",sPassPhrase);
return iLength;
}
Somewhere else, I've put:
if (!sPassPhrase.empty())
{
const char *sPhrase=sPassPhrase.c_str();
cDebug->Log(MODULE_ID,"Setting passphrase callback, using phrase: %s",sPhrase);
gOptions["PassPhrase"] = sPhrase;
SSL_CTX_set_default_passwd_cb(pSSLCTX,KeyCallback);
}
cDebug->Log(MODULE_ID,"Loading Key file %s",sKey.c_str());
if (SSL_CTX_use_PrivateKey_file(pSSLCTX,sKey.c_str(),SSL_FILETYPE_PEM)<=0)
throw CUserDefinedException(MODULE_ID,"Cannot use Key file %s -> %s",
sKey.c_str(),GetSSLError(ERR_get_error()).c_str());
If there is NO passphrase, the callback is not set, and the toolkit rightfully
asks on the console to type in the passphrase.
However, if there IS a passphrase, loading the keyfile generates a
error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt
Notes:
Beside these 2 points, everything seems to be working as expected. No problems
with SMTP/TLS, and IMAP/SSL combinations whatsoever.
I only miss the right verification and the automated passphrase usage, which
is required by the application.
Before using any of the SSL functions, I've called:
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
And I'm using non-blocking sockets as well.
Any hints, tips, solutions are appreciated!
M. Teunissen van Manen
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
