To whoever may have an answer,

    I am writing an SSL/TLS proxy server for my work that is multi-threaded.
I recently replaced my OpenSSL version with 1.0.0a from 0.9.8g.  In this
application I need to verify the server certificate, otherwise all the
security will be bypassed.  However, when I use SSL_get_verify_result() I
almost always get an error code "20 unable to get local issuer certificate."
This is almost always at depth 0, and sometimes depth 1.
    I am loading the certificate stores from /etc/ssl/certs, which contains
the stores that Mozilla, Chrome, and the like all verify from, but no matter
what I do I can't get a single certificate to verify.
    When I revert to OpenSSL 0.9.8g I can successfully verify several
certificates, but I still get the same error code for about half of the
websites I try that are known to be valid (e.g. www.gmail.com:443).

    This is not just a difference in my program either: in both s_client and
verify from the command line, 0.9.8g will return an X509_V_OK code, and
1.0.0a will return error 20.  I am completely at a loss as to why this is.
I am not so much concerned with getting the command line to work as I am
with my program.  I can't post my code because of a non-disclosure
agreement, but I will post the steps that I am taking that are relevant to
verify.

Before I create any ssl objects I am setting up the context:

    // Both loaders return 1 on success; the directory must hold hash-named
    // links (c_rehash) for the lookup to find an issuer in it.
    if(SSL_CTX_load_verify_locations(_ssl_ctx, NULL, "/etc/ssl/certs/") != 1)
        cout << "couldn't load verify locations" << endl;
    if(SSL_CTX_set_default_verify_paths(_ssl_ctx) != 1)
        cout << "couldn't load defaults" << endl;
    // This is set to none because if set to PEER no connections can be made
    // because of the invalid cert.
    // Note: the locations above are loaded into _ssl_ctx but the verify mode
    // is set on _ssl_client_ctx; if those are two different contexts, each
    // of them only gets one of the two settings.
    SSL_CTX_set_verify(_ssl_client_ctx, SSL_VERIFY_NONE, verify_callback);
    SSL_CTX_set_verify_depth(_ssl_ctx, 9);

verify_callback is defined as this:

#include <iostream>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>
using namespace std;

// Called once per certificate in the chain.  Returning ok unchanged keeps the
// library's verdict, so the error logged here is what SSL_get_verify_result()
// reports after the handshake.
static int verify_callback(int ok, X509_STORE_CTX* store){
    if(!ok){
        X509 * cert = X509_STORE_CTX_get_current_cert(store);  // cert that failed
        int depth = X509_STORE_CTX_get_error_depth(store);
        int err = X509_STORE_CTX_get_error(store);
        cout << "Error at depth: " << depth << endl;
        cout << "Error Text: " << X509_verify_cert_error_string(err) << endl;
    }
    return ok;
}

After this, I read the verification code when I obtain the cert:

    X509 *server_cert = SSL_get_peer_certificate(server_ssl);
    if(!server_cert){
        //couldn't get certificate, exit here
        exit(1);
    }

    // With SSL_VERIFY_NONE the handshake succeeds regardless of the chain, so
    // this result is the only verdict the proxy gets on the server cert.
    long certValid = SSL_get_verify_result(server_ssl);
    if(certValid == X509_V_OK)
        cout << endl << "Certificate is valid" << endl;
    else
        cout << "Verify failed: " << X509_verify_cert_error_string(certValid) << endl;
    X509_free(server_cert);  // SSL_get_peer_certificate() returns a new reference
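
Error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) means the issuer of the certificate at the reported depth was not found in the configured store, and for a directory loaded with SSL_CTX_load_verify_locations() that lookup is by file name, the hash of the issuer's subject name plus ".0", a hash that OpenSSL 1.0.0 changed, so hash links that c_rehash from 0.9.8 created are not found by 1.0.0 until the directory is rehashed with the new version. The script below is an added example, not code from this post; it assumes an `openssl` CLI of 1.0.0 or newer on PATH, builds a constructed CA and leaf, and checks verification against a directory linked with the old hash and one linked with the current hash, plus which files in a directory still lack a current-hash link.

```shell
#!/bin/sh
# Added example, not from the original post; assumes an openssl CLI (1.0.0+) on PATH.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# make_chain: constructed throwaway self-signed CA plus a leaf certificate it signs
make_chain() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial 1001 -days 1 -out "$WORK/leaf.pem" 2>/dev/null
}

# link_name CERT [old]: file name a -CApath lookup expects for CERT's subject
# ("old" = the pre-1.0.0 hash, i.e. the links a 0.9.8-era c_rehash created)
link_name() {
    flag=-subject_hash; [ "$2" = old ] && flag=-subject_hash_old
    echo "$(openssl x509 -in "$1" -noout "$flag").0"
}

# verify_leaf DIR: verify the leaf against DIR only; prints OK or "<code> <text>"
verify_leaf() {
    out=$(openssl verify -CApath "$1" "$WORK/leaf.pem" 2>&1) || true
    case "$out" in
        *": OK"*) echo OK ;;
        *) printf '%s\n' "$out" | sed -n 's/.*error \([0-9]*\) at [0-9]* depth lookup: *\(.*\)/\1 \2/p' | head -n 1 ;;
    esac
}

# missing_links DIR: certs in DIR with no link under the current hash, i.e. what
# "c_rehash DIR" (or "openssl rehash DIR" on 1.1.0+) still has to create
missing_links() {
    for f in "$1"/*.pem; do
        [ -e "$f" ] && [ ! -e "$1/$(link_name "$f")" ] && basename "$f"
    done
    return 0
}
make_chain
mkdir "$WORK/oldstyle" "$WORK/newstyle"
cp "$WORK/ca.pem" "$WORK/oldstyle/"; cp "$WORK/ca.pem" "$WORK/newstyle/"
ln -s ca.pem "$WORK/oldstyle/$(link_name "$WORK/ca.pem" old)"  # as 0.9.8 left it
ln -s ca.pem "$WORK/newstyle/$(link_name "$WORK/ca.pem")"      # as 1.0.0 needs it
echo "old-hash dir: $(verify_leaf "$WORK/oldstyle")"  # 20 unable to get local issuer certificate
echo "new-hash dir: $(verify_leaf "$WORK/newstyle")"  # OK
echo "needs rehash: $(missing_links "$WORK/oldstyle")" # ca.pem
```

Pointing missing_links at /etc/ssl/certs on the box in question shows whether that directory is linked for the OpenSSL version the proxy is actually built against.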

If you need any more information please let me know and I will post what I
can.  Thank you in advance for the help.

    Thanks,

          Sam

-- 
Sam Jantz
Software Engineer
