> From: hamid.sha...@sungard.com [mailto:hamid.sha...@sungard.com] 
> Sent: Wednesday, 18 January, 2012 10:36

>  - Yes, I am calling load certificates before trying to 
> make a connection. According to your suggestion, I have tried 
> to use openssl s_client to see the callback events and got 
> the following log. But how can I add a verify callback in my code?
> 
See below.

> - Also, I tried by commenting the code which is loading the 
> CA file, and in that case "SSL_connect" gives no error and 
> works fine. Does that mean CA is not needed at all?
> 
Did you keep the set_verify(,SSL_VERIFY_PEER,)? If not, 
then no verification is done and no trust entries at all 
are needed. If so, the needed CA cert is apparently in the 
default truststore used by your OpenSSL. The base distro 
has nothing in the default truststore, but some packaged 
builds include various well-known public CAs, and if so 
and the server you connect to is using one of them 
then verification succeeds.

> -------------------------------------
> Regarding code:
> -------------------------------------
>  - Actually both those functions are members of a class and 
> they have return types but that got skipped when I pasted the 
> code here.
> - Type casting to char * was indeed not needed. 

Fine.

> - I am using the class destructor to free the memory. 
> However, please elaborate your point about error-cleanup.
> 
That might do it. I didn't know that when I was reading 
before, so I'd have to go through again and don't have time 
right now. And it's your code anyway. :-) 

> -------------------------------------
> openssl s_client Log:
> -------------------------------------

With what arguments? In particular, were -CAfile (or -CApath) 
and -cert and -key the same as your code uses?

> Loading 'screen' into random state - done
> CONNECTED(00000100)
> depth=0 /C=DE/ST=Hessen/L=Frankfurt/O=SIX Swiss Exchange 
> AG/OU=DBAG-a-2011/CN=fixml2.eurexchange.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1

s_client didn't find the issuer cert in whatever you 
supplied for -CAfile/-CApath. And due to the error below 
s_client didn't tell you the needed issuer. If you have or 
can get a separate copy of the server cert you can look at 
that, otherwise use -debug on s_client and decode manually 
or get a wire trace with wireshark or equivalent which can 
decode the server-Cert message. Or write a callback, see 
below, that displays the issuer for 20 and not just 2.

> depth=0 /C=DE/ST=Hessen/L=Frankfurt/O=SIX Swiss Exchange 
> AG/OU=DBAG-a-2011/CN=fixml2.eurexchange.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=DE/ST=Hessen/L=Frankfurt/O=SIX Swiss Exchange 
> AG/OU=DBAG-a-2011/CN=fixml2.eurexchange.com
> verify error:num=21:unable to verify the first certificate
> verify return:1

s_client continues in spite of the verify failure, unlike 
your code with set_verify_mode(,SSL_VERIFY_PEER,).

> 10720:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert 
> bad certificate:.\ssl\s3_pkt.c:1102:SSL alert number 42
> 10720:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
> failure:.\ssl\s23_lib.c:182:
> 
And either you did not give s_client the client key+cert, or 
the one you gave it is not acceptable to the server. And 
because the handshake fails, s_client doesn't get to the 
point of displaying the known part of the cert chain.

If you want to write a verify callback, man SSL_set_verify 
specifies the API, which is simple except that it gives you 
the cert (in fact the whole cert chain) and X.509 certs are 
moderately complex. The callback used by s_client (and also 
s_server) is in apps/s_cb.c and gives some ideas on what you 
can do. Like displaying the issuer name for verify error 20.

Good luck.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
