Thanks Matthew.
However the problem seems to be occurring before the processing of the return
codes you mentioned.
The problem occurs from a bad return value from:
if(SSL_connect(ssl) <= 0)
int_error("Error connecting SSL object");
A Wireshark trace reveals that the client shuts down the handshake connection
with the reason ‘Unknown CA’.
So if the client knows that the cert is self-signed as indicated by the debug
logs, why would it issue the above reason for failure when it doesn’t need to
know the CA?
Carl
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Matthew Donald
Sent: July-01-16 12:09 AM
To: openssl-users@openssl.org
Subject: [Newsletter] Re: [openssl-users] self-signed certificate won't work in
my app but works with s_client
"error 18:self signed certificate" is the expected result if you are validating
a self-signed cert.
In certificate verification, the code needs to check for X509_V_OK,
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
X509_V_OK is a normal cert verification and the connection can proceed.
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY indicates that an otherwise valid
cert has been processed, but the issuer is unknown.
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT indicates that a self-signed cert was
read. Any other return value is a fatal error (signature failure etc).
Matthew
On 1 July 2016 at 05:34, Carl Heyendal
> wrote:
I am working with the example apps in the "Networking Security with OpenSSL"
book and up until now have been able to get client/server examples 1,2,3 to
work. But now I'm trying to connect to an in-house tool but I'm getting the
error "error 18:self signed certificate". Despite this error when I run my app
(essentially client3), when I use s_client with the very same credentials...it
works.
I suspect that it has something to do with the ssl/tls api combination that I
use in my 'client3' app.
Here's the command and output for s_client that connects to the in-house tool
which works:
> openssl s_client -connect 192.168.1.99:16001
-CAfile ../_security/SipInspector/certificate.pem -key ../_security/client.pem
Enter pass phrase for ../_security/client.pem:
CONNECTED(0003)
depth=0 C = CA, ST = Ontario, L = Ottawa, O = SIP Inspector Ltd, OU =
Development, CN = 192.168.1.99
verify return:1
---
Certificate chain
0 s:/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector
Ltd/OU=Development/CN=192.168.1.99
i:/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector
Ltd/OU=Development/CN=192.168.1.99
---
Server certificate
-BEGIN CERTIFICATE-
MIIFxTCCA62gAwIBAgIJALKQ3J5SEyjPMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV
BAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMQ8wDQYDVQQHDAZPdHRhd2ExGjAYBgNV
(snip)
pt/q5/gKqRFbjyL0LDNz49vaSUYvbu3mgF2480Or4X+GPwemwdxJaF1pQw4C1WaF
RyfVjDrLNhTvv+zKCbEPyrjXCweNVRVcp8lZ8R0HmXwfgevlCNz/GQo=
-END CERTIFICATE-
subject=/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector
Ltd/OU=Development/CN=192.168.1.99
issuer=/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector
Ltd/OU=Development/CN=192.168.1.99
---
No client certificate CA names sent
---
SSL handshake has read 2309 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher: ECDHE-RSA-DES-CBC3-SHA
Session-ID:
5755C781D91CF3177DF624EA3599EE430DAB4790F325FAD9378FEAE7731C4497
Session-ID-ctx:
Master-Key:
D149008E43E29D658D29418C9F770B3D6018B1D7CA2F493027B0AC7C3BA8E53B572B68C371153568B8988A1E5F351839
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1465239425
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Here's the command and output when I run my app that tries to connect to the
same in-house tool which fails:
> ./client3 192.168.1.99
Enter PEM pass phrase:
connecting to 192.168.1.99:16001
-Error with certificate at depth: 0
issuer = /C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector Ltd/OU=Development
/CN=192.168.1.99
subject = /C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector
Ltd/OU=Development/CN=192.168.1.99
err 18:self signed certificate
** client3.c:94 Error connecting SSL object
139788992993088:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1180:
>
Here are the api's I call in the my app that utilize the same credentials used
by the s_client command:
SSL_CTX_new(SSLv23_method());
