Error reading Cert X509_V_ERR_CERT_SIGNATURE_FAILURE
hi, I exported thawte server CA and verisign class3 certificates from the browser for testing and converted to C structure using x509 -C -in xxx.cer xxx.C and added to my SSL client. Following is the code below. I am calling this function in a loop to load the certificates: unsigned char thawte_cert[791] = { 0x30,0x82...}; unsigned char verisign_cert[576] = { 0x30,0x82...}; SSL_load_cert(ctx,thawte_cert,791); SSL_load_cert(ctx,verisign_cert,576); SSL_load_cert(SSL_CTX *ctx,char *c,int size) { x = d2i_X509(NULL,c,size); cert_store = SSL_CTX_get_cert_store(ctx); X509_STORE_add_cert(cert_store,x); return; } I verified the same certificates in .pem format using openssl s_client and its connects to www.paypal.com..but when i connect from my client it gives X509_V_ERR_CERT_SIGNATURE_FAILURE. If i try connecting to www.thwate.com:443 it works but it gives the same error when i am trying to connect to other servers with thawte signed certificates. Can anyone plese let me know what's going on regards, raj __ Do you Yahoo!? Yahoo! Calendar - Free online calendar with sync to Outlook(TM). http://calendar.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Error reading Cert X509_V_ERR_CERT_SIGNATURE_FAILURE
hi, I have defined SSL_library_init rather then openSSL_add_all_algorithms to save memory. I have turned on DES,RC4 in chipers and MD5,SHA in message digest. Could you let me know what could be problem. I can connect to www.thawte.com and X509_verify is successful. And also i have generated selfsigned certificate which are working too. For Ex: www.google.com:443 i cannot connect, i get error (7). --- Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Fri, Jun 06, 2003, rajagopalan ramanujam wrote: hi, I exported thawte server CA and verisign class3 certificates from the browser for testing and converted to C structure using x509 -C -in xxx.cer xxx.C and added to my SSL client. Following is the code below. I am calling this function in a loop to load the certificates: unsigned char thawte_cert[791] = { 0x30,0x82...}; unsigned char verisign_cert[576] = { 0x30,0x82...}; SSL_load_cert(ctx,thawte_cert,791); SSL_load_cert(ctx,verisign_cert,576); SSL_load_cert(SSL_CTX *ctx,char *c,int size) { x = d2i_X509(NULL,c,size); cert_store = SSL_CTX_get_cert_store(ctx); X509_STORE_add_cert(cert_store,x); return; } I verified the same certificates in .pem format using openssl s_client and its connects to www.paypal.com..but when i connect from my client it gives X509_V_ERR_CERT_SIGNATURE_FAILURE. If i try connecting to www.thwate.com:443 it works but it gives the same error when i am trying to connect to other servers with thawte signed certificates. Can anyone plese let me know what's going on Well I could say read the FAQ... Alternatively since I'm feeling in a good mood I'll say its probably a missing OpenSSL_add_all_algorithms(). With appologies in advance if it isn't :-) Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Do you Yahoo!? Yahoo! Calendar - Free online calendar with sync to Outlook(TM). http://calendar.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Error reading Cert X509_V_ERR_CERT_SIGNATURE_FAILURE
I tried to openSSL_add_all_algotithms instead of SSL_library_init but i am still seeing the same issue. --- rajagopalan ramanujam [EMAIL PROTECTED] wrote: hi, I have defined SSL_library_init rather then openSSL_add_all_algorithms to save memory. I have turned on DES,RC4 in chipers and MD5,SHA in message digest. Could you let me know what could be problem. I can connect to www.thawte.com and X509_verify is successful. And also i have generated selfsigned certificate which are working too. For Ex: www.google.com:443 i cannot connect, i get error (7). --- Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Fri, Jun 06, 2003, rajagopalan ramanujam wrote: hi, I exported thawte server CA and verisign class3 certificates from the browser for testing and converted to C structure using x509 -C -in xxx.cer xxx.C and added to my SSL client. Following is the code below. I am calling this function in a loop to load the certificates: unsigned char thawte_cert[791] = { 0x30,0x82...}; unsigned char verisign_cert[576] = { 0x30,0x82...}; SSL_load_cert(ctx,thawte_cert,791); SSL_load_cert(ctx,verisign_cert,576); SSL_load_cert(SSL_CTX *ctx,char *c,int size) { x = d2i_X509(NULL,c,size); cert_store = SSL_CTX_get_cert_store(ctx); X509_STORE_add_cert(cert_store,x); return; } I verified the same certificates in .pem format using openssl s_client and its connects to www.paypal.com..but when i connect from my client it gives X509_V_ERR_CERT_SIGNATURE_FAILURE. If i try connecting to www.thwate.com:443 it works but it gives the same error when i am trying to connect to other servers with thawte signed certificates. Can anyone plese let me know what's going on Well I could say read the FAQ... Alternatively since I'm feeling in a good mood I'll say its probably a missing OpenSSL_add_all_algorithms(). With appologies in advance if it isn't :-) Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Do you Yahoo!? Yahoo! Calendar - Free online calendar with sync to Outlook(TM). http://calendar.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Do you Yahoo!? Yahoo! Calendar - Free online calendar with sync to Outlook(TM). http://calendar.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Error reading Cert X509_V_ERR_CERT_SIGNATURE_FAILURE
Hi Dr Steve, Since its an embedded platform it does not have debug or a serial interface. But i did debug further and found that OBJ_obj2nid returning 7 (RSA-md2) incase of www.google.com and it returns 8 (RSA-md5) incase of thawte.com. Basically its failing in EVP_get_digestbyname() UNKNOWN_MESSAGE_DIGEST_ALGORITH. I have disabled MD2 switch. But looking at the certificate below, both the server certificates use RSA-MD5.I dont understand why its returning RSA-md2. Google.com --- Certificate: Data: Version: 3 (0x2) Serial Number: 658869 (0xa0db5) Signature Algorithm: md5WithRSAEncryption Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/[EMAIL PROTECTED] Validity Not Before: Mar 23 13:50:41 2003 GMT Not After : Mar 31 18:52:39 2004 GMT Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:ce:88:dc:7e:9a:fa:8b:5d:24:7d:f1:4a:ea:fb: a8:4a:33:9d:9c:ef:22:c9:4d:2f:ac:a0:d3:86:05: 4f:d1:bb:cb:26:a6:f4:93:b4:43:aa:a9:28:b7:71: cf:a4:47:f1:c3:20:41:2d:d4:8a:1c:20:bd:6f:8a: f0:9d:a4:ea:70:65:5d:10:e3:ea:7d:d2:b9:87:f4: 1e:71:60:23:75:60:49:0d:4c:c0:0e:d9:91:d2:3f: 49:74:3f:6c:bf:a1:56:46:1f:99:e6:16:33:02:4e: 06:b6:54:81:58:de:7e:2e:69:1b:f4:76:85:40:46: b3:fe:19:33:26:8c:fb:89:ad Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication, Netscape Server Gated Crypto X509v3 Basic Constraints: critical CA:FALSE Signature Algorithm: md5WithRSAEncryption 92:7d:7f:ce:8f:f9:37:16:d1:53:ec:74:15:2e:94:a8:8e:81: 93:a4:7a:4f:58:73:d2:4c:09:c2:bb:eb:8e:84:66:7e:42:60: 9e:56:a4:89:18:db:1a:bd:f9:9d:a4:6e:53:fb:93:c2:ca:36: a7:f4:3f:95:ad:af:65:36:8b:86:8a:3c:1c:19:aa:fb:63:35: cb:f4:8e:f4:d2:c1:e4:89:6b:21:06:9a:30:8a:5f:c8:0d:8c: 0b:27:82:09:7c:66:91:7e:9a:60:ca:bf:47:2b:d2:1d:51:4e: 94:ec:42:d1:a6:df:b6:27:70:4a:f4:87:4c:0d:13:aa:d7:5e: e4:da www.thawte.com --- Certificate: Data: Version: 3 (0x2) Serial Number: 639573 (0x9c255) Signature Algorithm: md5WithRSAEncryption Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=C ertification Services Division, CN=Thawte Server CA/[EMAIL PROTECTED] awte.com Validity Not Before: Dec 20 15:18:40 2002 GMT Not After : Dec 20 15:18:40 2003 GMT Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting (Pty) L td, OU=Customer Service, CN=www.thawte.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:a4:f0:14:f3:ce:0a:4b:fb:0f:d3:e7:e6:86:8b: 68:25:23:37:8d:cb:a7:34:76:da:df:5d:a5:f2:92: f1:9c:1a:9a:02:47:e6:53:1f:1c:c2:91:8b:47:1e: 58:67:31:b2:17:0d:ab:d9:82:79:26:16:e7:c0:51: 93:3d:be:27:b3:dd:07:24:ff:cd:f6:cf:92:0c:fc: 77:9e:23:72:0c:56:fd:40:a5:d8:46:55:b8:3d:72: 82:05:73:3f:d7:c3:ac:c9:c6:68:7a:02:bc:b8:63: 71:cb:af:88:82:67:a5:81:fe:6e:01:f4:1c:87:23: 96:13:77:4d:2b:1e:f3:aa:f1 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Basic Constraints: critical CA:FALSE Signature Algorithm: md5WithRSAEncryption 8d:ac:7c:54:45:35:82:b3:b0:89:2f:8e:93:0a:04:1c:fb:3c: 21:56:97:9b:c9:c8:58:9e:c3:e8:c7:60:06:ba:9e:17:1e:34: 38:f7:2d:16:22:87:2f:77:3d:53:af:eb:11:29:db:1c:32:24: cf:ff:65:6a:15:3c:4b:31:5e:08:4b:f9:7b:2d:0f:2a:93:1f: 32:a6:0e:b4:37:78:e5:8c:34:48:ce:7d:26:91:c0:81:6a:4b: 84:40:d1:af:3b:55:ae:9d:6a:f0:10:56:38:86:f0:d9:af:8c: e6:20:77:37:1f:65:a9:1d:b1:6a:37:44:0f:66:d6:9c:20:42: 07:f9 --- Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Fri, Jun 06, 2003, rajagopalan ramanujam wrote: hi, I have defined SSL_library_init rather then openSSL_add_all_algorithms to save memory. I have turned on DES,RC4 in chipers and MD5,SHA in message digest. Could you let me know what could be problem. I can connect to www.thawte.com and X509_verify is successful. And also i have generated selfsigned certificate which are working too. For Ex
Re: Hard-coded trusted CA-cert
hi Henson, Thanx for the suggestion. I tried the following Code : unsigned char CA_cert[811]={ 0x30,0x82,0x03,0x27,0x30,0x82.}; /* load our CA cert into the certificate chain */ c = CA_cert; x = d2i_X509(NULL,c,(long) sizeof(CA_cert)); if( x == NULL ){ goto end; } cert_store=SSL_CTX_get_cert_store(ctx); X509_STORE_add_cert(cert_store,x); if(x != NULL) X509_free(x); This code is working fine but i see a memory leak in this part of the code. I am loosing 2048 bytes on heap every time i exit out. I tried commenting this code and everything is ok.. Please can you tell the what Cleanup procedure am i missing here? thankyou, raj --- Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Wed, Mar 26, 2003, rajagopalan ramanujam wrote: hi, I have tested the SSL handshake but failing when verifying server certificate X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. I generated the self signed CA and used the same CAcert to verify using openssl verify and also using openssl s_client -verify 1 -CAfile and it seems to be working perfectly ok. Since i dont have a file system on embedded platform i cannot use SSL_CTX_load_verify_locations(). I have converted the CAcert file from base64 format to C structure using openssl utility and i am calling SSL_CTX_use_certificate(ctx,x). Still i see that there is an error some where. I tried calling SSL_CTX_add_extra_chain_cert, but did not help. You need to retrieve the trusted certificate store using SSL_CTX_get_store() and then add the certificate to it using X509_STORE_add_cert(). Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Do you Yahoo!? Yahoo! Tax Center - File online, calculators, forms, and more http://tax.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Hard-coded trusted CA-cert
hi, I have tested the SSL handshake but failing when verifying server certificate X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. I generated the self signed CA and used the same CAcert to verify using openssl verify and also using openssl s_client -verify 1 -CAfile and it seems to be working perfectly ok. Since i dont have a file system on embedded platform i cannot use SSL_CTX_load_verify_locations(). I have converted the CAcert file from base64 format to C structure using openssl utility and i am calling SSL_CTX_use_certificate(ctx,x). Still i see that there is an error some where. I tried calling SSL_CTX_add_extra_chain_cert, but did not help. Can anyone let me know what's wrong in my code? unsigned char CA_cert[811]={ 0x30,0x82,0x03,0x27,0x30,0x82,0x02,0x90,0xA0,0x03,0x02,.}; void ssl_client (void) { SSLeay_add_ssl_algorithms(); meth = SSLv3_client_method(); SSL_load_error_strings(); ctx = SSL_CTX_new (meth); SSL_CTX_set_cipher_list(ctx,SSL3_TXT_RSA_RC4_40_MD5); { X509 *x=NULL; unsigned char* c; /* load our CA cert into the certificate chain */ c = CA_cert; x = d2i_X509(NULL,c,(long) sizeof(CA_cert)); if( x == NULL ){ goto end; } if(!SSL_CTX_add_extra_chain_cert(ctx,x)){ goto end; } socket(..); . . SSL_connect() . /* verify the server certificate */ err= SSL_get_verify_result(SSL *ssl); . } __ Do you Yahoo!? Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop! http://platinum.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PRNG_NOT_SEEDED, Even after calling RAND_add() in client
hi brian, Thanks for your response. Here is how i use RAND_seed in my client : while (RAND_status() == 0) { int rnd = rand(); RAND_seed(rnd, sizeof(rnd)); } Now Serverhello and certificate is accepted but when the client tries to generate a RSA key, the control does not seem to be coming out of while (*p == '\0') in rsa_pk1.c (code below)as buffer is all initilized to '\0'.I dont see any data in p being filled when RAND_bytes(p,j) is called. REL openssl-0.9.7 Can anyone help me please!! ssl3_send_client_key_exchange(SSL *s) RSA_public_encrypt(..) if (RAND_bytes(p,j) = 0) return(0); for (i=0; ij; i++) { if (*p == '\0') do { if (RAND_bytes(p,1) = 0) return(0); } while (*p == '\0'); p++; } *(p++)='\0'; --- Brian Hatch [EMAIL PROTECTED] wrote: I get a PRNG_NOT_SEEDED error even after i call RAND_add() function. I am calling the function at the begining before SSL initialization. ... unsigned long Time=time(NULL); RAND_add(Time,sizeof(Time),0); You should call RAND_status which returns true/false to tell you if you have enough entropy. Your code is bad for several reasons: Assuming an unsigned long is 4 bytes on your system, you're adding 32 bits of entropy, which is very very low. (You'd want to give at least 40 bits to properly use 40 bit crypto, etc.) Secondly, time(NULL) is not providing 32 full bits of entropy. In an entire day time(NULL) will produce only 86400 different values, which has 17 bits total. The actual entropy of those bits is still damned low. Lastly, RAND_add expects the last arg to be the expected entropy of your system. Now here you've done a fairly accurate assesment in saying that even though an unsigned long is 32 bits the amount of entropy being supplied by your unsigned long (initialized from time(NULL) ) is low (you said 0 bytes). Try getting a better source of random data and then use RAND_add with a non-zero final value, where that value accurately defines how much randomness you expect in the data. You might want to read the RAND_add man page. -- Brian Hatch Don't give Systems andaway the homeworld. Security Engineer http://www.ifokr.org/bri/ Every message PGP signed ATTACHMENT part 2 application/pgp-signature __ Do you Yahoo!? Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop! http://platinum.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
PRNG_NOT_SEEDED, Even after calling RAND_add() in client
hi, I get a PRNG_NOT_SEEDED error even after i call RAND_add() function. I am calling the function at the begining before SSL initialization. Here is my sample client running on embedded board (ThreadX os). void ssl_client (void) { int err; int sd; struct sockaddr_in sa; SSL_CTX* ctx; SSL* ssl; X509*server_cert; char*str; SSL_METHOD *meth; int theArg,r,success,theStatus; fd_set readfds,writefds; char c2s[BUFSIZZ],s2c[BUFSIZZ]; unsigned long Time=time(NULL); RAND_add(Time,sizeof(Time),0); SSLeay_add_ssl_algorithms(); meth = SSLv3_client_method(); SSL_load_error_strings(); ctx = SSL_CTX_new (meth); SSL_CTX_set_cipher_list(ctx,ALL); . . . After the client sucessfully reads the serverhello, server done message and calls ssl3_send_client_key_exchange() i get this Error. Can anyone please help to figure out this issue. I tried what was mentioned on FAQ.. regards, raj __ Do you Yahoo!? Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop! http://platinum.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Handshake Failure due to bad record mac
hi, I am using a sample client appli on an embedded platform trying to connect to s_server on the linux. client code has set cipher(ALL); there is no client certificate. client side SSL_connect() return -1; Its very strange, some times client sends Alert message with bad mac code and some times it does not. i have both the logs attached. # openssl s_server -cert server.pem -accept 1 -state Using default temp DH parameters ACCEPT SSL_accept:before/accept initialization SSL_accept:SSLv3 read client hello A SSL_accept:SSLv3 write server hello A SSL_accept:SSLv3 write certificate A SSL_accept:SSLv3 write server done A SSL_accept:SSLv3 flush data SSL3 alert read:fatal:bad record mac SSL_accept:failed in SSLv3 read client certificate A ERROR 1348:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:964:SSL alert number 20 shutting down SSL CONNECTION CLOSED ACCEPT - # openssl s_server -cert server.pem -accept 1 -state -debug -- SSL_accept:before/accept initialization read from 08162C88 [08168230] (11 bytes = 11 (0xB)) - 16 03 00 00 3d 01 00 00-39 03 =...9. 000b - SPACES/NULS read from 08162C88 [0816823B] (55 bytes = 55 (0x37)) - 3e 72 3c 19 00 00 00 00-00 00 00 00 00 00 00 00 r. 0010 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 0020 - 00 00 12 00 64 00 62 00-60 00 0a 00 09 00 08 00 d.b.`... 0030 - 05 00 04 00 03 01 .. 0037 - SPACES/NULS SSL_accept:SSLv3 read client hello A write to 08162C88 [081722C8] (79 bytes = 79 (0x4F)) - 16 03 00 00 4a 02 00 00-46 03 00 3e 72 3b 01 05 J...F..r;.. 0010 - 62 55 98 f0 16 6d 64 a9-ab 4f 10 72 6d 78 12 c4 bU...md..O.rmx.. 0020 - 67 a5 aa 1d 8d d1 fc a4-13 c5 f3 20 48 37 ba 9d g.. H7.. 0030 - ea 81 05 1f 3d 43 1f a7-5a 07 c8 b9 ad 4c 4c 6f =C..ZLLo 0040 - 2d 3b d3 8d a4 1e 43 0b-b0 63 19 0c 00 64 -;C..c...d 004f - SPACES/NULS SSL_accept:SSLv3 write server hello A write to 08162C88 [081722C8] (508 bytes = 508 (0x1FC)) - 16 03 00 01 f7 0b 00 01-f3 00 01 f0 00 01 ed 30 ...0 0160 - fe fe b9 ed 02 03 01 00-01 30 0d 06 09 2a 86 48 .0...*.H 0170 - 86 f7 0d 01 01 04 05 00-03 81 81 00 93 d2 0a c5 0180 - 41 e6 5a a9 86 f9 11 87-e4 db 45 e2 c5 95 78 1a A.Z...E...x. 0190 - 6c 80 6d 73 1f b4 6d 44-a3 ba 86 88 c8 58 cd 1c l.ms..mD.X.. 01a0 - 06 35 6c 44 62 88 df e4-f6 64 61 95 ef 4a a6 7f .5lDbda..J.. 01b0 - 65 71 d7 6b 88 39 f6 32-bf ac 93 67 69 51 8c 93 eq.k.9.2...giQ.. 01c0 - ec 48 5f c9 b1 42 f9 55-d2 7e 4e f4 f2 21 6b 90 .H_..B.U.~N..!k. 01d0 - 57 e6 d7 99 9e 41 ca 80-bf 1a 28 a2 ca 5b 50 4a WA(..[PJ 01e0 - ed 84 e7 82 c7 d2 cf 36-9e 6a 67 b9 88 a7 f3 8a ...6.jg. 01f0 - d0 04 f8 e8 c6 17 e3 c5-29 bc 17 f1 )... SSL_accept:SSLv3 write certificate A write to 08162C88 [081722C8] (9 bytes = 9 (0x9)) - 16 03 00 00 04 0e .. 0009 - SPACES/NULS SSL_accept:SSLv3 write server done A SSL_accept:SSLv3 flush data read from 08162C88 [08168230] (5 bytes = 0 (0x0)) SSL_accept:failed in SSLv3 read client certificate A ERROR shutting down SSL CONNECTION CLOSED ACCEPT __ Do you Yahoo!? Yahoo! Web Hosting - establish your business online http://webhosting.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Handshake Failure due to bad record mac
Sorry!! SSL_connect is returning with SSL_ERROR_SYSCALL(5) not -1 as previously mentioned and i tried to look at errno it shows 0. Can anyone please point out where i am wrong? client() SSLeay_add_ssl_algorithms(); meth = SSLv3_client_method(); SSL_load_error_strings(); ctx = SSL_CTX_new (meth); CHK_NULL(ctx); SSL_CTX_set_cipher_list(ctx,ALL); socket().. connect().. ssl = SSL_new (ctx); CHK_NULL(ssl); SSL_set_fd (ssl, sd); err = SSL_connect (ssl);// CHK_SSL(err); if (err == -1) goto end; switch((err = SSL_get_error(ssl,r))){ case SSL_ERROR_NONE: printf(Read from server:); break; case SSL_ERROR_ZERO_RETURN: goto end; break; case SSL_ERROR_WANT_READ: break; default: printf(SSL read problem); goto end; } --- rajagopalan ramanujam [EMAIL PROTECTED] wrote: hi, I am using a sample client appli on an embedded platform trying to connect to s_server on the linux. client code has set cipher(ALL); there is no client certificate. client side SSL_connect() return -1; Its very strange, some times client sends Alert message with bad mac code and some times it does not. i have both the logs attached. # openssl s_server -cert server.pem -accept 1 -state Using default temp DH parameters ACCEPT SSL_accept:before/accept initialization SSL_accept:SSLv3 read client hello A SSL_accept:SSLv3 write server hello A SSL_accept:SSLv3 write certificate A SSL_accept:SSLv3 write server done A SSL_accept:SSLv3 flush data SSL3 alert read:fatal:bad record mac SSL_accept:failed in SSLv3 read client certificate A ERROR 1348:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:964:SSL alert number 20 shutting down SSL CONNECTION CLOSED ACCEPT - # openssl s_server -cert server.pem -accept 1 -state -debug -- SSL_accept:before/accept initialization read from 08162C88 [08168230] (11 bytes = 11 (0xB)) - 16 03 00 00 3d 01 00 00-39 03 =...9. 000b - SPACES/NULS read from 08162C88 [0816823B] (55 bytes = 55 (0x37)) - 3e 72 3c 19 00 00 00 00-00 00 00 00 00 00 00 00 r. 0010 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 0020 - 00 00 12 00 64 00 62 00-60 00 0a 00 09 00 08 00 d.b.`... 0030 - 05 00 04 00 03 01 .. 0037 - SPACES/NULS SSL_accept:SSLv3 read client hello A write to 08162C88 [081722C8] (79 bytes = 79 (0x4F)) - 16 03 00 00 4a 02 00 00-46 03 00 3e 72 3b 01 05 J...F..r;.. 0010 - 62 55 98 f0 16 6d 64 a9-ab 4f 10 72 6d 78 12 c4 bU...md..O.rmx.. 0020 - 67 a5 aa 1d 8d d1 fc a4-13 c5 f3 20 48 37 ba 9d g.. H7.. 0030 - ea 81 05 1f 3d 43 1f a7-5a 07 c8 b9 ad 4c 4c 6f =C..ZLLo 0040 - 2d 3b d3 8d a4 1e 43 0b-b0 63 19 0c 00 64 -;C..c...d 004f - SPACES/NULS SSL_accept:SSLv3 write server hello A write to 08162C88 [081722C8] (508 bytes = 508 (0x1FC)) - 16 03 00 01 f7 0b 00 01-f3 00 01 f0 00 01 ed 30 ...0 0160 - fe fe b9 ed 02 03 01 00-01 30 0d 06 09 2a 86 48 .0...*.H 0170 - 86 f7 0d 01 01 04 05 00-03 81 81 00 93 d2 0a c5 0180 - 41 e6 5a a9 86 f9 11 87-e4 db 45 e2 c5 95 78 1a A.Z...E...x. 0190 - 6c 80 6d 73 1f b4 6d 44-a3 ba 86 88 c8 58 cd 1c l.ms..mD.X.. 01a0 - 06 35 6c 44 62 88 df e4-f6 64 61 95 ef 4a a6 7f .5lDbda..J.. 01b0 - 65 71 d7 6b 88 39 f6 32-bf ac 93 67 69 51 8c 93 eq.k.9.2...giQ.. 01c0 - ec 48 5f c9 b1 42 f9 55-d2 7e 4e f4 f2 21 6b 90 .H_..B.U.~N..!k. 01d0 - 57 e6 d7 99 9e 41 ca 80-bf 1a 28 a2 ca 5b 50 4a WA(..[PJ 01e0 - ed 84 e7 82 c7 d2 cf 36-9e 6a 67 b9 88 a7 f3 8a ...6.jg. 01f0 - d0 04 f8 e8 c6 17 e3 c5-29 bc 17 f1 )... SSL_accept:SSLv3 write certificate A write to 08162C88 [081722C8] (9 bytes = 9 (0x9)) - 16 03 00 00 04 0e .. 0009 - SPACES/NULS SSL_accept:SSLv3 write server done A SSL_accept:SSLv3 flush data read from 08162C88 [08168230] (5 bytes = 0 (0x0)) SSL_accept:failed in SSLv3 read client certificate A ERROR shutting down SSL CONNECTION CLOSED ACCEPT __ Do you Yahoo!? Yahoo! Web Hosting - establish your business online http://webhosting.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED
Reading certificate from structure using d2i_X509??
hi, I am having a problem when reading a certificate and private key from a memory buffer instead of a file. i am using d2i_X509(NULL,cert,strlen(cert)) to read the certificate string which was defined in one of .pem file. Should i use SSL_CTX_use_certificate_ASN1 instead??? Please help me. copied from server.pem file unsigned char * cert =MIIDDzCCAs2gAwIBAgICAQw==; unsigned char * key = y5qH6Q0Nvb5SUcJEYY...p6==; here is my sample server code : void ssl_server () { SSL_CTX* ctx; SSL* ssl; X509*client_cert,*x509_cert,*x509_key; char*str; SSL_METHOD *meth; int theFd; fd_set theFdSet; /* SSL preliminaries. We keep the certificate and key with the context. */ SSL_load_error_strings(); SSLeay_add_ssl_algorithms(); meth = SSLv23_server_method(); ctx = SSL_CTX_new (meth); x509_cert = d2i_X509(NULL,cert,strlen(cert)); if (SSL_CTX_use_certificate(ctx,x509_cert) = 0) { return; } x509_key = d2i_X509(NULL,key,sizeof(key)); if (SSL_CTX_use_PrivateKey(ctx,x509_key) = 0) { return; } if (!SSL_CTX_check_private_key(ctx)) { printf(Private key does not match the certificate public key\n); return; } . . } when d2i_X509 its failing for the following reason. IMPLEMENT_ASN1_FUNCTIONS(X509) ASN1_VALUE *ASN1_item_d2i(..) asn1_check_tlen(..) ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG); return 0; __ Do you Yahoo!? Yahoo! Web Hosting - establish your business online http://webhosting.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Reading certificate from structure using d2i_X509??
Thanks steve!! Can i use these to function calls to convert? PEM_read_bio_X509 PEM_read_bio_PrivateKey --- Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Tue, Mar 11, 2003, rajagopalan ramanujam wrote: hi, I am having a problem when reading a certificate and private key from a memory buffer instead of a file. i am using d2i_X509(NULL,cert,strlen(cert)) to read the certificate string which was defined in one of .pem file. Should i use SSL_CTX_use_certificate_ASN1 instead??? Please help me. copied from server.pem file unsigned char * cert =MIIDDzCCAs2gAwIBAgICAQw==; unsigned char * key = y5qH6Q0Nvb5SUcJEYY...p6==; You can only use d2i_X509() with the DER (binary) form of the certificate. Since this can contain embedded zeroes strlen() is not usable, you need a separate length parameter. The -C option of the 'x509' utility can translate a certificate into appropriate C code. For other things like private keys you need to translate them yourself. Something like the Unix utility xxd on the binary form can do that. The stuff you have looks like base64 form with all the newlines deleted. That isn't parseable directly. If you'd included all the newlines then you could use the standard PEM routines with a memory BIO. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Do you Yahoo!? Yahoo! Web Hosting - establish your business online http://webhosting.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SSL_AD_HANDSHAKE_FAILURE??
I am not setting the server certi and key files. But Set_chiper_list is called with ALL both on the server and client side. even then handshake fails when the server extracts the chiper. al=SSL_AD_HANDSHAKE_FAILURE; SSLer(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); ssl_server () { : : SSL_load_error_strings(); SSLeay_add_ssl_algorithms(); meth = SSLv23_server_method(); ctx = SSL_CTX_new (meth); : : socket().. bind() listen() : accept() SSL_CTX_set_cipher_list(ctx,ALL); ssl = SSL_new (ctx); SSL_set_fd (ssl, sd); err = SSL_accept (ssl); Is it because i have not added the certi and keys? please help!! __ Do you Yahoo!? Yahoo! Web Hosting - establish your business online http://webhosting.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]