Error reading Cert X509_V_ERR_CERT_SIGNATURE_FAILURE
hi,
I exported thawte server CA and verisign class3
certificates from the browser for testing and
converted to C structure using x509 -C -in xxx.cer
xxx.C and added to my SSL client. Following is the
code below.
I am calling this function in a loop to load the
certificates:
unsigned char thawte_cert[791] = {
0x30,0x82...};
unsigned char verisign_cert[576] = {
0x30,0x82...};
SSL_load_cert(ctx,thawte_cert,791);
SSL_load_cert(ctx,verisign_cert,576);
SSL_load_cert(SSL_CTX *ctx,char *c,int size)
{
x = d2i_X509(NULL,c,size);
cert_store = SSL_CTX_get_cert_store(ctx);
X509_STORE_add_cert(cert_store,x);
return;
}
I verified the same certificates in .pem format using
openssl s_client and its connects to
www.paypal.com..but when i connect from my client it
gives X509_V_ERR_CERT_SIGNATURE_FAILURE.
If i try connecting to www.thwate.com:443 it works but
it gives the same error when i am trying to connect to
other servers with thawte signed certificates.
Can anyone plese let me know what's going on
regards,
raj
__
Do you Yahoo!?
Yahoo! Calendar - Free online calendar with sync to Outlook(TM).
http://calendar.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Error reading Cert X509_V_ERR_CERT_SIGNATURE_FAILURE
hi,
I have defined SSL_library_init rather then
openSSL_add_all_algorithms to save memory.
I have turned on DES,RC4 in chipers and MD5,SHA in
message digest.
Could you let me know what could be problem.
I can connect to www.thawte.com and X509_verify
is successful. And also i have generated selfsigned
certificate which are working too.
For Ex: www.google.com:443 i cannot connect,
i get error (7).
--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
On Fri, Jun 06, 2003, rajagopalan ramanujam wrote:
hi,
I exported thawte server CA and verisign class3
certificates from the browser for testing and
converted to C structure using x509 -C -in xxx.cer
xxx.C and added to my SSL client. Following is the
code below.
I am calling this function in a loop to load the
certificates:
unsigned char thawte_cert[791] = {
0x30,0x82...};
unsigned char verisign_cert[576] = {
0x30,0x82...};
SSL_load_cert(ctx,thawte_cert,791);
SSL_load_cert(ctx,verisign_cert,576);
SSL_load_cert(SSL_CTX *ctx,char *c,int size)
{
x = d2i_X509(NULL,c,size);
cert_store = SSL_CTX_get_cert_store(ctx);
X509_STORE_add_cert(cert_store,x);
return;
}
I verified the same certificates in .pem format
using
openssl s_client and its connects to
www.paypal.com..but when i connect from my client
it
gives X509_V_ERR_CERT_SIGNATURE_FAILURE.
If i try connecting to www.thwate.com:443 it works
but
it gives the same error when i am trying to
connect to
other servers with thawte signed certificates.
Can anyone plese let me know what's going on
Well I could say read the FAQ...
Alternatively since I'm feeling in a good mood I'll
say its probably a missing
OpenSSL_add_all_algorithms(). With appologies in
advance if it isn't :-)
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project:
http://www.openssl.org/
Freelance consultant see:
http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key:
via homepage.
__
OpenSSL Project
http://www.openssl.org
User Support Mailing List
[EMAIL PROTECTED]
Automated List Manager
[EMAIL PROTECTED]
__
Do you Yahoo!?
Yahoo! Calendar - Free online calendar with sync to Outlook(TM).
http://calendar.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Error reading Cert X509_V_ERR_CERT_SIGNATURE_FAILURE
I tried to openSSL_add_all_algotithms instead of
SSL_library_init but i am still seeing the same
issue.
--- rajagopalan ramanujam [EMAIL PROTECTED]
wrote:
hi,
I have defined SSL_library_init rather then
openSSL_add_all_algorithms to save memory.
I have turned on DES,RC4 in chipers and MD5,SHA in
message digest.
Could you let me know what could be problem.
I can connect to www.thawte.com and X509_verify
is successful. And also i have generated selfsigned
certificate which are working too.
For Ex: www.google.com:443 i cannot connect,
i get error (7).
--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
On Fri, Jun 06, 2003, rajagopalan ramanujam wrote:
hi,
I exported thawte server CA and verisign class3
certificates from the browser for testing and
converted to C structure using x509 -C -in
xxx.cer
xxx.C and added to my SSL client. Following is
the
code below.
I am calling this function in a loop to load the
certificates:
unsigned char thawte_cert[791] = {
0x30,0x82...};
unsigned char verisign_cert[576] = {
0x30,0x82...};
SSL_load_cert(ctx,thawte_cert,791);
SSL_load_cert(ctx,verisign_cert,576);
SSL_load_cert(SSL_CTX *ctx,char *c,int size)
{
x = d2i_X509(NULL,c,size);
cert_store = SSL_CTX_get_cert_store(ctx);
X509_STORE_add_cert(cert_store,x);
return;
}
I verified the same certificates in .pem format
using
openssl s_client and its connects to
www.paypal.com..but when i connect from my
client
it
gives X509_V_ERR_CERT_SIGNATURE_FAILURE.
If i try connecting to www.thwate.com:443 it
works
but
it gives the same error when i am trying to
connect to
other servers with thawte signed certificates.
Can anyone plese let me know what's going on
Well I could say read the FAQ...
Alternatively since I'm feeling in a good mood
I'll
say its probably a missing
OpenSSL_add_all_algorithms(). With appologies in
advance if it isn't :-)
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project:
http://www.openssl.org/
Freelance consultant see:
http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP
key:
via homepage.
__
OpenSSL Project
http://www.openssl.org
User Support Mailing List
[EMAIL PROTECTED]
Automated List Manager
[EMAIL PROTECTED]
__
Do you Yahoo!?
Yahoo! Calendar - Free online calendar with sync to
Outlook(TM).
http://calendar.yahoo.com
__
OpenSSL Project
http://www.openssl.org
User Support Mailing List
[EMAIL PROTECTED]
Automated List Manager
[EMAIL PROTECTED]
__
Do you Yahoo!?
Yahoo! Calendar - Free online calendar with sync to Outlook(TM).
http://calendar.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Error reading Cert X509_V_ERR_CERT_SIGNATURE_FAILURE
Hi Dr Steve, Since its an embedded platform it does not have debug or a serial interface. But i did debug further and found that OBJ_obj2nid returning 7 (RSA-md2) incase of www.google.com and it returns 8 (RSA-md5) incase of thawte.com. Basically its failing in EVP_get_digestbyname() UNKNOWN_MESSAGE_DIGEST_ALGORITH. I have disabled MD2 switch. But looking at the certificate below, both the server certificates use RSA-MD5.I dont understand why its returning RSA-md2. Google.com --- Certificate: Data: Version: 3 (0x2) Serial Number: 658869 (0xa0db5) Signature Algorithm: md5WithRSAEncryption Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/[EMAIL PROTECTED] Validity Not Before: Mar 23 13:50:41 2003 GMT Not After : Mar 31 18:52:39 2004 GMT Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:ce:88:dc:7e:9a:fa:8b:5d:24:7d:f1:4a:ea:fb: a8:4a:33:9d:9c:ef:22:c9:4d:2f:ac:a0:d3:86:05: 4f:d1:bb:cb:26:a6:f4:93:b4:43:aa:a9:28:b7:71: cf:a4:47:f1:c3:20:41:2d:d4:8a:1c:20:bd:6f:8a: f0:9d:a4:ea:70:65:5d:10:e3:ea:7d:d2:b9:87:f4: 1e:71:60:23:75:60:49:0d:4c:c0:0e:d9:91:d2:3f: 49:74:3f:6c:bf:a1:56:46:1f:99:e6:16:33:02:4e: 06:b6:54:81:58:de:7e:2e:69:1b:f4:76:85:40:46: b3:fe:19:33:26:8c:fb:89:ad Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication, Netscape Server Gated Crypto X509v3 Basic Constraints: critical CA:FALSE Signature Algorithm: md5WithRSAEncryption 92:7d:7f:ce:8f:f9:37:16:d1:53:ec:74:15:2e:94:a8:8e:81: 93:a4:7a:4f:58:73:d2:4c:09:c2:bb:eb:8e:84:66:7e:42:60: 9e:56:a4:89:18:db:1a:bd:f9:9d:a4:6e:53:fb:93:c2:ca:36: a7:f4:3f:95:ad:af:65:36:8b:86:8a:3c:1c:19:aa:fb:63:35: cb:f4:8e:f4:d2:c1:e4:89:6b:21:06:9a:30:8a:5f:c8:0d:8c: 0b:27:82:09:7c:66:91:7e:9a:60:ca:bf:47:2b:d2:1d:51:4e: 94:ec:42:d1:a6:df:b6:27:70:4a:f4:87:4c:0d:13:aa:d7:5e: e4:da www.thawte.com --- Certificate: Data: Version: 3 (0x2) Serial Number: 639573 (0x9c255) Signature Algorithm: md5WithRSAEncryption Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=C ertification Services Division, CN=Thawte Server CA/[EMAIL PROTECTED] awte.com Validity Not Before: Dec 20 15:18:40 2002 GMT Not After : Dec 20 15:18:40 2003 GMT Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting (Pty) L td, OU=Customer Service, CN=www.thawte.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:a4:f0:14:f3:ce:0a:4b:fb:0f:d3:e7:e6:86:8b: 68:25:23:37:8d:cb:a7:34:76:da:df:5d:a5:f2:92: f1:9c:1a:9a:02:47:e6:53:1f:1c:c2:91:8b:47:1e: 58:67:31:b2:17:0d:ab:d9:82:79:26:16:e7:c0:51: 93:3d:be:27:b3:dd:07:24:ff:cd:f6:cf:92:0c:fc: 77:9e:23:72:0c:56:fd:40:a5:d8:46:55:b8:3d:72: 82:05:73:3f:d7:c3:ac:c9:c6:68:7a:02:bc:b8:63: 71:cb:af:88:82:67:a5:81:fe:6e:01:f4:1c:87:23: 96:13:77:4d:2b:1e:f3:aa:f1 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Basic Constraints: critical CA:FALSE Signature Algorithm: md5WithRSAEncryption 8d:ac:7c:54:45:35:82:b3:b0:89:2f:8e:93:0a:04:1c:fb:3c: 21:56:97:9b:c9:c8:58:9e:c3:e8:c7:60:06:ba:9e:17:1e:34: 38:f7:2d:16:22:87:2f:77:3d:53:af:eb:11:29:db:1c:32:24: cf:ff:65:6a:15:3c:4b:31:5e:08:4b:f9:7b:2d:0f:2a:93:1f: 32:a6:0e:b4:37:78:e5:8c:34:48:ce:7d:26:91:c0:81:6a:4b: 84:40:d1:af:3b:55:ae:9d:6a:f0:10:56:38:86:f0:d9:af:8c: e6:20:77:37:1f:65:a9:1d:b1:6a:37:44:0f:66:d6:9c:20:42: 07:f9 --- Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Fri, Jun 06, 2003, rajagopalan ramanujam wrote: hi, I have defined SSL_library_init rather then openSSL_add_all_algorithms to save memory. I have turned on DES,RC4 in chipers and MD5,SHA in message digest. Could you let me know what could be problem. I can connect to www.thawte.com and X509_verify is successful. And also i have generated selfsigned certificate which are working too. For Ex
Re: Hard-coded trusted CA-cert
hi Henson,
Thanx for the suggestion. I tried the following Code :
unsigned char CA_cert[811]={
0x30,0x82,0x03,0x27,0x30,0x82.};
/* load our CA cert into the certificate chain */
c = CA_cert;
x = d2i_X509(NULL,c,(long) sizeof(CA_cert));
if( x == NULL ){
goto end;
}
cert_store=SSL_CTX_get_cert_store(ctx);
X509_STORE_add_cert(cert_store,x);
if(x != NULL)
X509_free(x);
This code is working fine but i see a memory leak in
this part of the code. I am loosing 2048 bytes on heap
every time i exit out. I tried commenting this code
and everything is ok..
Please can you tell the what Cleanup procedure am i
missing here?
thankyou,
raj
--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
On Wed, Mar 26, 2003, rajagopalan ramanujam wrote:
hi,
I have tested the SSL handshake but failing when
verifying server certificate
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. I
generated the self signed CA and used the same
CAcert
to verify using openssl verify and also using
openssl
s_client -verify 1 -CAfile and it seems to be
working
perfectly ok.
Since i dont have a file system on embedded
platform i
cannot use SSL_CTX_load_verify_locations().
I have converted the CAcert file from base64
format
to C structure using openssl utility and i am
calling
SSL_CTX_use_certificate(ctx,x). Still i see that
there
is an error some where. I tried calling
SSL_CTX_add_extra_chain_cert, but did not help.
You need to retrieve the trusted certificate store
using SSL_CTX_get_store()
and then add the certificate to it using
X509_STORE_add_cert().
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project:
http://www.openssl.org/
Freelance consultant see:
http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key:
via homepage.
__
OpenSSL Project
http://www.openssl.org
User Support Mailing List
[EMAIL PROTECTED]
Automated List Manager
[EMAIL PROTECTED]
__
Do you Yahoo!?
Yahoo! Tax Center - File online, calculators, forms, and more
http://tax.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Hard-coded trusted CA-cert
hi,
I have tested the SSL handshake but failing when
verifying server certificate
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. I
generated the self signed CA and used the same CAcert
to verify using openssl verify and also using openssl
s_client -verify 1 -CAfile and it seems to be working
perfectly ok.
Since i dont have a file system on embedded platform i
cannot use SSL_CTX_load_verify_locations().
I have converted the CAcert file from base64 format
to C structure using openssl utility and i am calling
SSL_CTX_use_certificate(ctx,x). Still i see that there
is an error some where. I tried calling
SSL_CTX_add_extra_chain_cert, but did not help.
Can anyone let me know what's wrong in my code?
unsigned char CA_cert[811]={
0x30,0x82,0x03,0x27,0x30,0x82,0x02,0x90,0xA0,0x03,0x02,.};
void ssl_client (void)
{
SSLeay_add_ssl_algorithms();
meth = SSLv3_client_method();
SSL_load_error_strings();
ctx = SSL_CTX_new (meth);
SSL_CTX_set_cipher_list(ctx,SSL3_TXT_RSA_RC4_40_MD5);
{
X509 *x=NULL;
unsigned char* c;
/* load our CA cert into the certificate chain */
c = CA_cert;
x = d2i_X509(NULL,c,(long) sizeof(CA_cert));
if( x == NULL ){
goto end;
}
if(!SSL_CTX_add_extra_chain_cert(ctx,x)){
goto end;
}
socket(..);
.
.
SSL_connect()
.
/* verify the server certificate */
err= SSL_get_verify_result(SSL *ssl);
.
}
__
Do you Yahoo!?
Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
http://platinum.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: PRNG_NOT_SEEDED, Even after calling RAND_add() in client
hi brian,
Thanks for your response.
Here is how i use RAND_seed in my client :
while (RAND_status() == 0) {
int rnd = rand();
RAND_seed(rnd, sizeof(rnd));
}
Now Serverhello and certificate is accepted but when
the client tries to generate a RSA key, the control
does not seem to be coming out of while (*p == '\0')
in rsa_pk1.c (code below)as buffer is all initilized
to '\0'.I dont see any data in p being filled when
RAND_bytes(p,j) is called.
REL openssl-0.9.7
Can anyone help me please!!
ssl3_send_client_key_exchange(SSL *s)
RSA_public_encrypt(..)
if (RAND_bytes(p,j) = 0)
return(0);
for (i=0; ij; i++)
{
if (*p == '\0')
do {
if (RAND_bytes(p,1) = 0)
return(0);
} while (*p == '\0');
p++;
}
*(p++)='\0';
--- Brian Hatch [EMAIL PROTECTED] wrote:
I get a PRNG_NOT_SEEDED error even after i call
RAND_add() function. I am calling the function at
the
begining before SSL initialization.
...
unsigned long Time=time(NULL);
RAND_add(Time,sizeof(Time),0);
You should call RAND_status which returns true/false
to tell you
if you have enough entropy. Your code is bad for
several reasons:
Assuming an unsigned long is 4 bytes on your
system, you're adding
32 bits of entropy, which is very very low.
(You'd want to give at
least 40 bits to properly use 40 bit crypto, etc.)
Secondly, time(NULL) is not providing 32 full bits
of entropy. In
an entire day time(NULL) will produce only 86400
different values,
which has 17 bits total. The actual entropy of
those bits is still
damned low.
Lastly, RAND_add expects the last arg to be the
expected entropy of
your system. Now here you've done a fairly
accurate assesment in
saying that even though an unsigned long is 32
bits the amount of
entropy being supplied by your unsigned long
(initialized from
time(NULL) ) is low (you said 0 bytes).
Try getting a better source of random data and then
use RAND_add
with a non-zero final value, where that value
accurately defines
how much randomness you expect in the data.
You might want to read the RAND_add man page.
--
Brian Hatch Don't give
Systems andaway the homeworld.
Security Engineer
http://www.ifokr.org/bri/
Every message PGP signed
ATTACHMENT part 2 application/pgp-signature
__
Do you Yahoo!?
Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
http://platinum.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
PRNG_NOT_SEEDED, Even after calling RAND_add() in client
hi,
I get a PRNG_NOT_SEEDED error even after i call
RAND_add() function. I am calling the function at the
begining before SSL initialization.
Here is my sample client running on embedded board
(ThreadX os).
void ssl_client (void)
{
int err;
int sd;
struct sockaddr_in sa;
SSL_CTX* ctx;
SSL* ssl;
X509*server_cert;
char*str;
SSL_METHOD *meth;
int theArg,r,success,theStatus;
fd_set readfds,writefds;
char c2s[BUFSIZZ],s2c[BUFSIZZ];
unsigned long Time=time(NULL);
RAND_add(Time,sizeof(Time),0);
SSLeay_add_ssl_algorithms();
meth = SSLv3_client_method();
SSL_load_error_strings();
ctx = SSL_CTX_new (meth);
SSL_CTX_set_cipher_list(ctx,ALL);
.
.
.
After the client sucessfully reads the serverhello,
server done message and calls
ssl3_send_client_key_exchange() i get this Error.
Can anyone please help to figure out this issue. I
tried what was mentioned on FAQ..
regards,
raj
__
Do you Yahoo!?
Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
http://platinum.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Handshake Failure due to bad record mac
hi, I am using a sample client appli on an embedded platform trying to connect to s_server on the linux. client code has set cipher(ALL); there is no client certificate. client side SSL_connect() return -1; Its very strange, some times client sends Alert message with bad mac code and some times it does not. i have both the logs attached. # openssl s_server -cert server.pem -accept 1 -state Using default temp DH parameters ACCEPT SSL_accept:before/accept initialization SSL_accept:SSLv3 read client hello A SSL_accept:SSLv3 write server hello A SSL_accept:SSLv3 write certificate A SSL_accept:SSLv3 write server done A SSL_accept:SSLv3 flush data SSL3 alert read:fatal:bad record mac SSL_accept:failed in SSLv3 read client certificate A ERROR 1348:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:964:SSL alert number 20 shutting down SSL CONNECTION CLOSED ACCEPT - # openssl s_server -cert server.pem -accept 1 -state -debug -- SSL_accept:before/accept initialization read from 08162C88 [08168230] (11 bytes = 11 (0xB)) - 16 03 00 00 3d 01 00 00-39 03 =...9. 000b - SPACES/NULS read from 08162C88 [0816823B] (55 bytes = 55 (0x37)) - 3e 72 3c 19 00 00 00 00-00 00 00 00 00 00 00 00 r. 0010 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 0020 - 00 00 12 00 64 00 62 00-60 00 0a 00 09 00 08 00 d.b.`... 0030 - 05 00 04 00 03 01 .. 0037 - SPACES/NULS SSL_accept:SSLv3 read client hello A write to 08162C88 [081722C8] (79 bytes = 79 (0x4F)) - 16 03 00 00 4a 02 00 00-46 03 00 3e 72 3b 01 05 J...F..r;.. 0010 - 62 55 98 f0 16 6d 64 a9-ab 4f 10 72 6d 78 12 c4 bU...md..O.rmx.. 0020 - 67 a5 aa 1d 8d d1 fc a4-13 c5 f3 20 48 37 ba 9d g.. H7.. 0030 - ea 81 05 1f 3d 43 1f a7-5a 07 c8 b9 ad 4c 4c 6f =C..ZLLo 0040 - 2d 3b d3 8d a4 1e 43 0b-b0 63 19 0c 00 64 -;C..c...d 004f - SPACES/NULS SSL_accept:SSLv3 write server hello A write to 08162C88 [081722C8] (508 bytes = 508 (0x1FC)) - 16 03 00 01 f7 0b 00 01-f3 00 01 f0 00 01 ed 30 ...0 0160 - fe fe b9 ed 02 03 01 00-01 30 0d 06 09 2a 86 48 .0...*.H 0170 - 86 f7 0d 01 01 04 05 00-03 81 81 00 93 d2 0a c5 0180 - 41 e6 5a a9 86 f9 11 87-e4 db 45 e2 c5 95 78 1a A.Z...E...x. 0190 - 6c 80 6d 73 1f b4 6d 44-a3 ba 86 88 c8 58 cd 1c l.ms..mD.X.. 01a0 - 06 35 6c 44 62 88 df e4-f6 64 61 95 ef 4a a6 7f .5lDbda..J.. 01b0 - 65 71 d7 6b 88 39 f6 32-bf ac 93 67 69 51 8c 93 eq.k.9.2...giQ.. 01c0 - ec 48 5f c9 b1 42 f9 55-d2 7e 4e f4 f2 21 6b 90 .H_..B.U.~N..!k. 01d0 - 57 e6 d7 99 9e 41 ca 80-bf 1a 28 a2 ca 5b 50 4a WA(..[PJ 01e0 - ed 84 e7 82 c7 d2 cf 36-9e 6a 67 b9 88 a7 f3 8a ...6.jg. 01f0 - d0 04 f8 e8 c6 17 e3 c5-29 bc 17 f1 )... SSL_accept:SSLv3 write certificate A write to 08162C88 [081722C8] (9 bytes = 9 (0x9)) - 16 03 00 00 04 0e .. 0009 - SPACES/NULS SSL_accept:SSLv3 write server done A SSL_accept:SSLv3 flush data read from 08162C88 [08168230] (5 bytes = 0 (0x0)) SSL_accept:failed in SSLv3 read client certificate A ERROR shutting down SSL CONNECTION CLOSED ACCEPT __ Do you Yahoo!? Yahoo! Web Hosting - establish your business online http://webhosting.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Handshake Failure due to bad record mac
Sorry!! SSL_connect is returning with
SSL_ERROR_SYSCALL(5) not -1 as previously mentioned
and i tried to look at errno it shows 0. Can anyone
please point out where i am wrong?
client()
SSLeay_add_ssl_algorithms();
meth = SSLv3_client_method();
SSL_load_error_strings();
ctx = SSL_CTX_new (meth);
CHK_NULL(ctx);
SSL_CTX_set_cipher_list(ctx,ALL);
socket()..
connect()..
ssl = SSL_new (ctx);
CHK_NULL(ssl);
SSL_set_fd (ssl, sd);
err = SSL_connect (ssl);//
CHK_SSL(err);
if (err == -1)
goto end;
switch((err = SSL_get_error(ssl,r))){
case SSL_ERROR_NONE:
printf(Read from server:);
break;
case SSL_ERROR_ZERO_RETURN:
goto end;
break;
case SSL_ERROR_WANT_READ:
break;
default:
printf(SSL read problem);
goto end;
}
--- rajagopalan ramanujam [EMAIL PROTECTED]
wrote:
hi,
I am using a sample client appli on an embedded
platform trying to connect to s_server on the linux.
client code has set cipher(ALL);
there is no client certificate.
client side SSL_connect() return -1;
Its very strange, some times client sends Alert
message with bad mac code and some times it does
not.
i have both the logs attached.
# openssl s_server -cert server.pem -accept 1
-state
Using default temp DH parameters
ACCEPT
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL3 alert read:fatal:bad record mac
SSL_accept:failed in SSLv3 read client certificate A
ERROR
1348:error:140943FC:SSL
routines:SSL3_READ_BYTES:sslv3
alert bad record mac:s3_pkt.c:964:SSL alert number
20
shutting down SSL
CONNECTION CLOSED
ACCEPT
-
# openssl s_server -cert server.pem -accept 1
-state -debug
--
SSL_accept:before/accept initialization
read from 08162C88 [08168230] (11 bytes = 11 (0xB))
- 16 03 00 00 3d 01 00 00-39 03
=...9.
000b - SPACES/NULS
read from 08162C88 [0816823B] (55 bytes = 55
(0x37))
- 3e 72 3c 19 00 00 00 00-00 00 00 00 00 00 00
00
r.
0010 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
00
0020 - 00 00 12 00 64 00 62 00-60 00 0a 00 09 00 08
00
d.b.`...
0030 - 05 00 04 00 03 01
..
0037 - SPACES/NULS
SSL_accept:SSLv3 read client hello A
write to 08162C88 [081722C8] (79 bytes = 79 (0x4F))
- 16 03 00 00 4a 02 00 00-46 03 00 3e 72 3b 01
05
J...F..r;..
0010 - 62 55 98 f0 16 6d 64 a9-ab 4f 10 72 6d 78 12
c4
bU...md..O.rmx..
0020 - 67 a5 aa 1d 8d d1 fc a4-13 c5 f3 20 48 37 ba
9d
g.. H7..
0030 - ea 81 05 1f 3d 43 1f a7-5a 07 c8 b9 ad 4c 4c
6f
=C..ZLLo
0040 - 2d 3b d3 8d a4 1e 43 0b-b0 63 19 0c 00 64
-;C..c...d
004f - SPACES/NULS
SSL_accept:SSLv3 write server hello A
write to 08162C88 [081722C8] (508 bytes = 508
(0x1FC))
- 16 03 00 01 f7 0b 00 01-f3 00 01 f0 00 01 ed
30
...0
0160 - fe fe b9 ed 02 03 01 00-01 30 0d 06 09 2a 86
48
.0...*.H
0170 - 86 f7 0d 01 01 04 05 00-03 81 81 00 93 d2 0a
c5
0180 - 41 e6 5a a9 86 f9 11 87-e4 db 45 e2 c5 95 78
1a
A.Z...E...x.
0190 - 6c 80 6d 73 1f b4 6d 44-a3 ba 86 88 c8 58 cd
1c
l.ms..mD.X..
01a0 - 06 35 6c 44 62 88 df e4-f6 64 61 95 ef 4a a6
7f
.5lDbda..J..
01b0 - 65 71 d7 6b 88 39 f6 32-bf ac 93 67 69 51 8c
93
eq.k.9.2...giQ..
01c0 - ec 48 5f c9 b1 42 f9 55-d2 7e 4e f4 f2 21 6b
90
.H_..B.U.~N..!k.
01d0 - 57 e6 d7 99 9e 41 ca 80-bf 1a 28 a2 ca 5b 50
4a
WA(..[PJ
01e0 - ed 84 e7 82 c7 d2 cf 36-9e 6a 67 b9 88 a7 f3
8a
...6.jg.
01f0 - d0 04 f8 e8 c6 17 e3 c5-29 bc 17 f1
)...
SSL_accept:SSLv3 write certificate A
write to 08162C88 [081722C8] (9 bytes = 9 (0x9))
- 16 03 00 00 04 0e
..
0009 - SPACES/NULS
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
read from 08162C88 [08168230] (5 bytes = 0 (0x0))
SSL_accept:failed in SSLv3 read client certificate A
ERROR
shutting down SSL
CONNECTION CLOSED
ACCEPT
__
Do you Yahoo!?
Yahoo! Web Hosting - establish your business online
http://webhosting.yahoo.com
__
OpenSSL Project
http://www.openssl.org
User Support Mailing List
[EMAIL PROTECTED]
Automated List Manager
[EMAIL PROTECTED
Reading certificate from structure using d2i_X509??
hi,
I am having a problem when reading a certificate and
private key from a memory buffer instead of a file.
i am using d2i_X509(NULL,cert,strlen(cert)) to read
the certificate string which was defined in one of
.pem
file. Should i use SSL_CTX_use_certificate_ASN1
instead??? Please help me.
copied from server.pem file
unsigned char * cert
=MIIDDzCCAs2gAwIBAgICAQw==;
unsigned char * key =
y5qH6Q0Nvb5SUcJEYY...p6==;
here is my sample server code :
void ssl_server ()
{
SSL_CTX* ctx;
SSL* ssl;
X509*client_cert,*x509_cert,*x509_key;
char*str;
SSL_METHOD *meth;
int theFd;
fd_set theFdSet;
/* SSL preliminaries. We keep the certificate and
key with the context. */
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
meth = SSLv23_server_method();
ctx = SSL_CTX_new (meth);
x509_cert = d2i_X509(NULL,cert,strlen(cert));
if (SSL_CTX_use_certificate(ctx,x509_cert) = 0) {
return;
}
x509_key = d2i_X509(NULL,key,sizeof(key));
if (SSL_CTX_use_PrivateKey(ctx,x509_key) = 0) {
return;
}
if (!SSL_CTX_check_private_key(ctx)) {
printf(Private key does not match the certificate
public key\n);
return;
}
.
.
}
when d2i_X509 its failing for the following reason.
IMPLEMENT_ASN1_FUNCTIONS(X509)
ASN1_VALUE *ASN1_item_d2i(..)
asn1_check_tlen(..)
ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG);
return 0;
__
Do you Yahoo!?
Yahoo! Web Hosting - establish your business online
http://webhosting.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Reading certificate from structure using d2i_X509??
Thanks steve!! Can i use these to function calls to convert? PEM_read_bio_X509 PEM_read_bio_PrivateKey --- Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Tue, Mar 11, 2003, rajagopalan ramanujam wrote: hi, I am having a problem when reading a certificate and private key from a memory buffer instead of a file. i am using d2i_X509(NULL,cert,strlen(cert)) to read the certificate string which was defined in one of .pem file. Should i use SSL_CTX_use_certificate_ASN1 instead??? Please help me. copied from server.pem file unsigned char * cert =MIIDDzCCAs2gAwIBAgICAQw==; unsigned char * key = y5qH6Q0Nvb5SUcJEYY...p6==; You can only use d2i_X509() with the DER (binary) form of the certificate. Since this can contain embedded zeroes strlen() is not usable, you need a separate length parameter. The -C option of the 'x509' utility can translate a certificate into appropriate C code. For other things like private keys you need to translate them yourself. Something like the Unix utility xxd on the binary form can do that. The stuff you have looks like base64 form with all the newlines deleted. That isn't parseable directly. If you'd included all the newlines then you could use the standard PEM routines with a memory BIO. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Do you Yahoo!? Yahoo! Web Hosting - establish your business online http://webhosting.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SSL_AD_HANDSHAKE_FAILURE??
I am not setting the server certi and key files. But
Set_chiper_list is called with ALL both on the
server and client side. even then handshake fails when
the server extracts the chiper.
al=SSL_AD_HANDSHAKE_FAILURE;
SSLer(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
ssl_server ()
{
:
:
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
meth = SSLv23_server_method();
ctx = SSL_CTX_new (meth);
:
: socket()..
bind()
listen()
:
accept()
SSL_CTX_set_cipher_list(ctx,ALL);
ssl = SSL_new (ctx);
SSL_set_fd (ssl, sd);
err = SSL_accept (ssl);
Is it because i have not added the certi and keys?
please help!!
__
Do you Yahoo!?
Yahoo! Web Hosting - establish your business online
http://webhosting.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
