OK, as requested, I'm going to give a detailed breakdown of what the client and server does with this error
As a note: The certificates are *fine* I have used them successfully
with s_client and s_server tests. They verify perfectly well.
So, the conversation goes as follows. I am abbreviating some of it,
but only the unimportant bits (like the low level socket negotiation,
and the values we pass into the generated keys which arent being
verified).
SERVER:
SERVER: socket() // Create socket
SERVER: fcntl() // Nonblocking fcntl
SERVER: bind() // Bind to port
SERVER: listen() // Listen on port
SERVER: SSL_library_init()
SERVER: SSL_load_error_strings()
SERVER: ssl_meth=SSLv23_server_method()
SERVER: sctx=SSL_CTX_new(ssl_meth)
SERVER: bio = memory_buf_BIO(private_key, -1)
SERVER: if (private_key_password)
SERVER: key=PEM_read_bio_PrivateKey(bio,NULL,
ssl_key_password_callback,
private_key_password)
SERVER: else
SERVER: key=PEM_read_bio_PrivateKey(bio,NULL,NULL,NULL,NULL)
SERVER: BIO_free(bio)
SERVER: bio = memory_buf_BIO(public_key, -1)
SERVER: cert=PEM_read_bio_X509(bio,NULL,NULL,NULL)
SERVER: SSL_CTX_use_PrivateKey(sctx,key)
SERVER: SSL_CTX_use_certificate(sctx,cert)
SERVER: SSL_CTX_check_private_key(sctx) // PASSES
CLIENT: socket()
CLIENT: fcntl() // Nonblocking fcntl
CLIENT: connect() //WAIT for connect to succeed
SERVER: accept()
SERVER: fcntl() // Nonblocking fcntl on new socket
SERVER: sssl=SSL_new(sctx)
SERVER: SSL_set_fd(sssl,newly_accepted_fd)
SERVER: SSL_accept(sssl) //Keep on doing this until WANT_READ
stops
//CLIENT DOES **NOT** run SSL_library_init, as this is a unit test
//run with the server and client in one process, and so it does not
//initialise twice.
CLIENT: ssl_meth=SSLv23_client_method()
CLIENT: cctx = SSL_CTX_new(ssl_meth)
CLIENT: SSL_CTX_load_verify_locations(cctx,
ca_filename,NULL)
CLIENT: SSL_CTX_set_verify(cctx,SSL_VERIFY_PEER,NULL)
CLIENT: SSL_CTX_set_verify_depth(cctx,10);
//THIS SECTION is all just generating a new keypair
CLIENT: rsakey=RSA_generate_key(1024,RSA_F4,NULL,NULL)
CLIENT: ckey = EVP_PKEY_new()
CLIENT: EVP_PKEY_assign_RSA(ckey, rsakey)
CLIENT: required_size = i2d_RSAPublicKey(rsakey,NULL)
CLIENT: len=i2d_RSAPublicKey(rsakey,&correct_sized_buf)
//Move correct_sized_buf back to its start
CLIENT: pubrsa=d2i_RSAPublicKey(NULL,&correct_sized_buf,len)
CLIENT: tmp_pkey = EVP_PKEY_new();
CLIENT: EVP_PKEY_assign_RSA(tmp_pkey, pubrsa);
CLIENT: ccert=X509_new();
CLIENT: X509_set_pubkey(ccert,tmp_pkey);
CLIENT: X509_set_version(ccert,3);
CLIENT: X509_set_serialNumber(ccert, serial);
CLIENT: X509_set_notBefore(ccert,timebound);
CLIENT: X509_set_notAfter(ccert,timebound);
CLIENT: X509_set_subject_name(ccert,subject);
CLIENT: X509_set_issuer_name(ccert,subject);
CLIENT: X509_sign(ccert, ckey, EVP_md5());
//THIS FINISHES the creation
CLIENT: SSL_CTX_use_PrivateKey(cctx,ckey);
CLIENT: SSL_CTX_use_certificate(cctx,ckey)
CLIENT: SSL_CTX_check_private_key(cctx) //PASS
CLIENT: cssl=SSL_new(cctx);
CLIENT: SSL_set_fd(cssl,clients_connected_fd)
CLIENT: SSL_connect(cssl); //Keep on doing this until WANT_READ
stops
**HERE** We get the error on SSL_connect after a few WANT_READS
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
So, thats the routine used. The exact reverse, where the client uses
the same keys and the server has the same ca, works just fine.
Keys are attached, password is abcd
Thanks
--
Michael Simms
servercert.pem
Description: Binary data
serverkey.pem
Description: Binary data
rootcert.pem
Description: Binary data
