Hi, please see attached the files that I'm using. I generate the certificates with the following commands:
## Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl x509 -in ca.crt -out ca.pem -outform PEM

## Create the Server Key and CSR
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
openssl x509 -in server.crt -out server.pem -outform PEM

## Create the Client Key and CSR
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl x509 -in client.crt -out client.pem -outform PEM

I left the default value for each question that openssl asks when it creates the certificates (Country, City, CN, etc.), like this:

openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Thanks. Kind regards.
On Thu, Nov 30, 2017 at 2:45 PM, Jan Just Keijser <janj...@nikhef.nl> wrote:
> Hi,
>
> On 29/11/17 14:37, wizard2...@gmail.com wrote:
>
> Hi JJK,
>
> I tested your function and I've got this result:
>
>> ok = 0
>> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
>> ok = 1
>> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
>
> Why do I see this 2 times?
> When I create the certificates I didn't fill in any special information,
> just typed enter at every question that is asked. Do you think this could
> cause this issue?
>
>
> what you should have seen is the certificate stack, starting with the CA,
> and then the client cert, e.g.
>
> Connection accept...
> ok = 1
> cert DN: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/emailAddress=openvpn@example.com
> ok = 1
> cert DN: /C=US/O=Cookbook 2.4/CN=client1
>
>
> so I suspect that your ca.crt on the server side is not specified
> correctly.
> You may also send me your ca.crt, server.{crt,key} and client.{crt,key}
> files privately, and I will run the same test using your set of
> certificates.
>
> HTH,
>
> JJK
>
>
> On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser <janj...@nikhef.nl> wrote:
>
>> Hi,
>>
>> On 28/11/17 11:03, wizard2...@gmail.com wrote:
>>
>> Hi there.
>>
>> I guess my problem is really related to the verify callback
>> on the SSL_CTX_set_verify function.
>> I just added to my code a dummy callback returning 1 and everything works
>> properly.
>>
>>> int verify_callback (int ok, X509_STORE_CTX *ctx);
>>> int verify_callback (int ok, X509_STORE_CTX *ctx)
>>> {
>>>     printf("Verification callback OK!\n");
>>>     return 1;
>>> }
>>> ...
>>> SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
>>>     SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
>>> ...
>>
>> The problem is that the error doesn't give much information about what's
>> really going on or what's really missing.
>> Thanks for your help.
>>
>> Now you've effectively disabled all security :)
>>
>> Try adding this to the verify_callback
>>
>> static int verify_callback(int ok, X509_STORE_CTX *ctx)
>> {
>>     X509 *cert = NULL;
>>     char *cert_DN = NULL;
>>
>>     printf("ok = %d\n", ok);
>>     cert = X509_STORE_CTX_get_current_cert(ctx);
>>     if (cert != NULL) {
>>         cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
>>         printf( "cert DN: %s\n", cert_DN);
>>         OPENSSL_free(cert_DN);   /* X509_NAME_oneline(..., NULL, 0) allocates */
>>     }
>>     /* pass the library's verdict through; returning 1 would disable verification */
>>     return ok;
>> }
>>
>> that way, you will know whether your server is processing the right
>> certificate chain.
>>
>> HTH,
>>
>> JJK
>>
Attachments: ca.crt, ca.key, ca.pem, client.crt, client.csr, client.key, client.pem, server.crt, server.csr, server.key, server.pem
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
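The commands quoted in this thread accept the default DN for all three certificates and pass -set_serial 01 for both leaf certificates, which is why the callback output shows the same DN twice. The script below is an added example, not code from the thread or from JJK: it builds the same CA/server/client set non-interactively with distinct subjects and unique serials, then checks the chain with openssl verify. Assumed names: "Example Test CA", server.example.test, client.example.test, and 2048-bit keys in place of 4096 only to keep it quick.

```shell
# Added example, not code from the thread: CA + server + client with distinct
# subjects, unique serials and no interactive prompts (assumed names below).
set -eu

make_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Minimal config so openssl req does not depend on the system openssl.cnf;
    # [dn] stays empty because every subject is passed with -subj.
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:server.example.test
[client_ext]
basicConstraints = CA:FALSE
EOF
    # CA with a CN that no leaf shares (2048-bit keys just to keep this quick).
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -config "$dir/pki.cnf" -extensions ca_ext \
        -key "$dir/ca.key" -subj "/O=Example/CN=Example Test CA" -out "$dir/ca.crt"
    # Leaf certs: -CAcreateserial instead of -set_serial 01 for both, so server
    # and client never carry the same serial number under one issuer.
    for name in server client; do
        openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
        openssl req -new -config "$dir/pki.cnf" -key "$dir/$name.key" \
            -subj "/O=Example/CN=$name.example.test" -out "$dir/$name.csr"
        openssl x509 -req -days 365 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/pki.cnf" \
            -extensions "${name}_ext" -out "$dir/$name.crt" 2>/dev/null
    done
}

# Subject and serial of each cert, i.e. what the verify callback sees per depth;
# all three subjects and all three serials must differ.
show_chain() {
    for f in ca server client; do openssl x509 -in "$1/$f.crt" -noout -subject -serial; done
}

# Exit status 0 only if both leaf certificates chain to the CA.
verify_pki() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client.crt" >/dev/null
}
if [ -n "${1:-}" ]; then make_pki "$1"; show_chain "$1"; verify_pki "$1" && echo "chain OK"; fi
```

Run it as `sh pki.sh ./testpki`; the show_chain output is the per-depth subject list the callback above should print, with the CA first and the client second.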