Re: [openssl-users] SSL alert number 48
On Mon, Dec 4, 2017 at 10:27 AM, Kyle Hamilton wrote:
> SSL alert number 48 is specified in the documents that define SSL/TLS.
> It is the code for "unknown_ca", which means that verification failed
> because it didn't get set up with the correct CA to verify against.
> You might wish to look up SSL_CTX_load_verify_locations(3). There may
> also be other API calls which can load the context with certificates
> to verify against.

OK, I understand that, but what could be wrong with the certificates that I generate with the commands that I gave in the previous message?

Kind regards.

> You can get a list of the alert numbers from RFC 5246, available from
> (among other places) https://www.ietf.org/rfc/rfc5246.txt (also
> available as a PDF from https://www.ietf.org/rfc/rfc5246.txt.pdf).
>
> -Kyle H
>
> On Mon, Dec 4, 2017 at 12:10 AM, wrote:
>> Hi,
>>
>> Please see attached the files that I'm using.
>> I generate the certificates with the following commands:
>>
>> ## Create CA
>> openssl genrsa -out ca.key 4096
>> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
>> openssl x509 -in ca.crt -out ca.pem -outform PEM
>>
>> ## Create the Server Key and CSR
>> openssl genrsa -out server.key 4096
>> openssl req -new -key server.key -out server.csr
>> openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
>> openssl x509 -in server.crt -out server.pem -outform PEM
>>
>> ## Create the Client Key and CSR
>> openssl genrsa -out client.key 4096
>> openssl req -new -key client.key -out client.csr
>> openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
>> openssl x509 -in client.crt -out client.pem -outform PEM
>>
>> I left the default value of each question that openssl asks when it creates the certificates, like Country, City, CN, etc.
>> Like this:
>>
>>> openssl req -new -key server.key -out server.csr
>>> You are about to be asked to enter information that will be incorporated
>>> into your certificate request.
>>> What you are about to enter is what is called a Distinguished Name or a DN.
>>> There are quite a few fields but you can leave some blank
>>> For some fields there will be a default value,
>>> If you enter '.', the field will be left blank.
>>> -----
>>> Country Name (2 letter code) [AU]:
>>> State or Province Name (full name) [Some-State]:
>>> Locality Name (eg, city) []:
>>> Organization Name (eg, company) [Internet Widgits Pty Ltd]:
>>> Organizational Unit Name (eg, section) []:
>>> Common Name (e.g. server FQDN or YOUR name) []:
>>> Email Address []:
>>>
>>> Please enter the following 'extra' attributes
>>> to be sent with your certificate request
>>> A challenge password []:
>>> An optional company name []:
>>
>> Thanks.
>> Kind regards.
>>
>> On Thu, Nov 30, 2017 at 2:45 PM, Jan Just Keijser wrote:
>>> Hi,
>>>
>>> On 29/11/17 14:37, wizard2...@gmail.com wrote:
>>>> Hi JJK,
>>>>
>>>> I tested your function and I got this result:
>>>>
>>>>> ok = 0
>>>>> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
>>>>> ok = 1
>>>>> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
>>>>
>>>> Why do I see this 2 times?
>>>> When I created the certificates I didn't fill in any special information,
>>>> I just typed enter at every question that was asked. Do you think this could
>>>> cause this issue?
>>>
>>> What you should have seen is the certificate stack, starting with the CA,
>>> and then the client cert, e.g.
>>>
>>> Connection accept...
>>> ok = 1
>>> cert DN: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/emailAddress=open...@example.com
>>> ok = 1
>>> cert DN: /C=US/O=Cookbook 2.4/CN=client1
>>>
>>> So I suspect that your ca.crt on the server side is not specified
>>> correctly.
>>> You may also send me your ca.crt, server.{crt,key} and client.{crt,key}
>>> files privately, and I will run the same test using your set of
>>> certificates.
>>>
>>> HTH,
>>>
>>> JJK
>>>
>>>> On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser wrote:
>>>>> Hi,
>>>>>
>>>>> On 28/11/17 11:03, wizard2...@gmail.com wrote:
>>>>>> Hi there.
>>>>>>
>>>>>> I guess my problem is really related to the verify callback of the
>>>>>> SSL_CTX_set_verify function.
>>>>>> I just added a dummy callback returning 1 to my code and everything works
>>>>>> properly.
>>>>>>
>>>>>>> int verify_callback (int ok, X509_STORE_CTX *ctx);
>>>>>>> int verify_callback (int ok, X509_STORE_CTX *ctx)
>>>>>>> {
>>>>>>>     printf("Verification callback OK!\n");
>>>>>>>     return 1;
>>>>>>> }
>>>>>>> ...
>>>>>>> SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
>>>>>>>     SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
>>>>>>> ...
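An added example, not code from the thread: it builds the same CA / server / client set non-interactively with -subj, but gives every certificate its own CN and its own serial (accepting the defaults in the commands above gives the CA and the leaves the same DN, and both leaves serial 01), then runs the chain check a peer performs under SSL_VERIFY_PEER against the right CA and against an unrelated one; the failing case is the "unable to get local issuer certificate" situation that the peer reports as alert 48. It assumes the openssl command-line tool is on PATH and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is on PATH.
set -eu

# Build a CA plus a server and a client certificate under it, all
# non-interactive. Every certificate gets its own CN and its own serial.
make_pki() {
    dir=$1
    mkdir -p "$dir"
    # Self-signed CA with a CN that no leaf certificate shares.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=US/O=Example Lab/CN=Example Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    serial=1
    for name in server client; do
        serial=$((serial + 1))   # 2 for server, 3 for client: never reused
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/C=US/O=Example Lab/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -days 365 -in "$dir/$name.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -set_serial "$serial" \
            -out "$dir/$name.crt" 2>/dev/null
    done
}

# The chain check a peer performs on a received certificate: does the
# leaf chain to a CA in the supplied trust store? Prints "ok" or "unknown_ca".
verify_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo unknown_ca   # issuer not in the store: sent as alert 48 in a handshake
    fi
}

work=$(mktemp -d)
make_pki "$work/pki"
make_pki "$work/unrelated"    # a second CA that never signed the first set
echo "client.crt against its own CA:      $(verify_leaf "$work/pki/ca.crt" "$work/pki/client.crt")"
echo "client.crt against an unrelated CA: $(verify_leaf "$work/unrelated/ca.crt" "$work/pki/client.crt")"
openssl x509 -in "$work/pki/client.crt" -noout -subject -issuer -serial
```

The last command shows that the subject and issuer of the leaf now differ, which the all-defaults procedure does not give you; the "ok" path with the real ca.crt is what the server has to reach before its verify callback is ever called with ok = 1.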
Re: [openssl-users] SSL alert number 48
Hi,

Please see attached the files that I'm using.
I generate the certificates with the following commands:

## Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl x509 -in ca.crt -out ca.pem -outform PEM

## Create the Server Key and CSR
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
openssl x509 -in server.crt -out server.pem -outform PEM

## Create the Client Key and CSR
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl x509 -in client.crt -out client.pem -outform PEM

I left the default value of each question that openssl asks when it creates the certificates, like Country, City, CN, etc.
Like this:

> openssl req -new -key server.key -out server.csr
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:
> State or Province Name (full name) [Some-State]:
> Locality Name (eg, city) []:
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:
> Email Address []:
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:

Thanks.
Kind regards.

On Thu, Nov 30, 2017 at 2:45 PM, Jan Just Keijser wrote:
> Hi,
>
> On 29/11/17 14:37, wizard2...@gmail.com wrote:
>> Hi JJK,
>>
>> I tested your function and I got this result:
>>
>>> ok = 0
>>> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
>>> ok = 1
>>> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
>>
>> Why do I see this 2 times?
>> When I created the certificates I didn't fill in any special information,
>> I just typed enter at every question that was asked. Do you think this could
>> cause this issue?
>
> What you should have seen is the certificate stack, starting with the CA,
> and then the client cert, e.g.
>
> Connection accept...
> ok = 1
> cert DN: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/emailAddress=openvpn@example.com
> ok = 1
> cert DN: /C=US/O=Cookbook 2.4/CN=client1
>
> So I suspect that your ca.crt on the server side is not specified
> correctly.
> You may also send me your ca.crt, server.{crt,key} and client.{crt,key}
> files privately, and I will run the same test using your set of
> certificates.
>
> HTH,
>
> JJK
>
>> On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser wrote:
>>> Hi,
>>>
>>> On 28/11/17 11:03, wizard2...@gmail.com wrote:
>>>> Hi there.
>>>>
>>>> I guess my problem is really related to the verify callback
>>>> of the SSL_CTX_set_verify function.
>>>> I just added a dummy callback returning 1 to my code and everything works
>>>> properly.
>>>>
>>>>> int verify_callback (int ok, X509_STORE_CTX *ctx);
>>>>> int verify_callback (int ok, X509_STORE_CTX *ctx)
>>>>> {
>>>>>     printf("Verification callback OK!\n");
>>>>>     return 1;
>>>>> }
>>>>> ...
>>>>> SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
>>>>>     SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
>>>>> ...
>>>>
>>>> The problem is that the error doesn't give much information about what's really
>>>> going on or what's really missing.
>>>> Thanks for your help.
>>>
>>> Now you've effectively disabled all security :)
>>>
>>> Try adding this to the verify_callback
>>>
>>> static int verify_callback(int ok, X509_STORE_CTX *ctx)
>>> {
>>>     X509 *cert = NULL;
>>>     char *cert_DN = NULL;
>>>
>>>     printf("ok = %d\n", ok);
>>>     cert = X509_STORE_CTX_get_current_cert(ctx);
>>>     cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
>>>     printf( "cert DN: %s\n", cert_DN);
>>>
>>> }
>>>
>>> that way, you will know whether your server is processing the right
>>> certificate chain.
>>>
>>> HTH,
>>>
>>> JJK

Attachments: ca.crt, ca.key, ca.pem, client.crt, client.csr, client.key, client.pem, server.crt, server.csr, server.key, server.pem

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] SSL alert number 48
On Wed, Nov 29, 2017 at 1:54 PM, Viktor Dukhovni wrote:
> On Wed, Nov 29, 2017 at 09:56:35AM +0100, Jan Just Keijser wrote:
>
>> Try adding this to the verify_callback
>>
>> static int verify_callback(int ok, X509_STORE_CTX *ctx)
>> {
>>     X509 *cert = NULL;
>>     char *cert_DN = NULL;
>>
>>     printf("ok = %d\n", ok);
>>     cert = X509_STORE_CTX_get_current_cert(ctx);
>>     cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
>>     printf( "cert DN: %s\n", cert_DN);
>>
>> }
>
> You've left out the final "return ok;", and there's a new memory
> leak. Closer would be:
>
> static int verify_callback(int ok, X509_STORE_CTX *ctx)
> {
>     X509 *cert = NULL;
>     char *cert_DN = NULL;
>
>     printf("ok = %d\n", ok);
>     cert = X509_STORE_CTX_get_current_cert(ctx);
>     cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
>     printf( "cert DN: %s\n", cert_DN);
>
>     OPENSSL_free(cert_DN);
>     return ok;
> }

With that code I got this:

> ok = 0
> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
> Handshake Error 1

I can't really understand why this happens, since I'm creating the certificates in the right way (at least I guess I'm doing this in the right way).

Thanks for your help.

Kind regards.
Re: [openssl-users] SSL alert number 48
On Tue, Nov 28, 2017 at 9:11 PM, Viktor Dukhovni wrote:
> On Tue, Nov 28, 2017 at 10:03:12AM +, wizard2...@gmail.com wrote:
>
>> I guess my problem is really related to the verify callback
>> of the SSL_CTX_set_verify function.
>> I just added a dummy callback returning 1 to my code and everything works
>> properly.
>>
>>> int verify_callback (int ok, X509_STORE_CTX *ctx);
>>> int verify_callback (int ok, X509_STORE_CTX *ctx)
>>> {
>>>     printf("Verification callback OK!\n");
>>>     return 1;
>>> }
>>> ...
>>> SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
>>>     SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
>
> The above completely disables authentication of the peer certificate,
> and makes your application vulnerable to man-in-the-middle attacks.
> Perhaps that's OK, but often it is not.

Why did you say that code disables the authentication? One thing that I didn't understand is what type of verification is made by the SSL_CTX_set_verify function. And what is the supposed/right thing to do in verify_callback in order to perform the client certificate authentication?

Kind regards.

>> The problem is that the error doesn't give much information about what's really
>> going on or what's really missing.
>
> When the verification callback is failing, the peer's certificate
> chain is either incomplete or is using a trust-anchor (root CA)
> that is not configured as trusted on your end.
>
> --
> Viktor.
Re: [openssl-users] SSL alert number 48
Hi JJK,

I tested your function and I got this result:

> ok = 0
> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
> ok = 1
> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd

Why do I see this 2 times?
When I created the certificates I didn't fill in any special information, I just typed enter at every question that was asked. Do you think this could cause this issue?

Kind regards.

On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser wrote:
> Hi,
>
> On 28/11/17 11:03, wizard2...@gmail.com wrote:
>> Hi there.
>>
>> I guess my problem is really related to the verify callback
>> of the SSL_CTX_set_verify function.
>> I just added a dummy callback returning 1 to my code and everything works
>> properly.
>>
>>> int verify_callback (int ok, X509_STORE_CTX *ctx);
>>> int verify_callback (int ok, X509_STORE_CTX *ctx)
>>> {
>>>     printf("Verification callback OK!\n");
>>>     return 1;
>>> }
>>> ...
>>> SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
>>>     SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
>>> ...
>>
>> The problem is that the error doesn't give much information about what's really
>> going on or what's really missing.
>> Thanks for your help.
>
> Now you've effectively disabled all security :)
>
> Try adding this to the verify_callback
>
> static int verify_callback(int ok, X509_STORE_CTX *ctx)
> {
>     X509 *cert = NULL;
>     char *cert_DN = NULL;
>
>     printf("ok = %d\n", ok);
>     cert = X509_STORE_CTX_get_current_cert(ctx);
>     cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
>     printf( "cert DN: %s\n", cert_DN);
>
> }
>
> that way, you will know whether your server is processing the right
> certificate chain.
>
> HTH,
>
> JJK
Re: [openssl-users] SSL alert number 48
Hi there.

I guess my problem is really related to the verify callback of the SSL_CTX_set_verify function.
I just added a dummy callback returning 1 to my code and everything works properly.

> int verify_callback (int ok, X509_STORE_CTX *ctx);
> int verify_callback (int ok, X509_STORE_CTX *ctx)
> {
>     printf("Verification callback OK!\n");
>     return 1;
> }
> ...
> SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
>     SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
> ...

The problem is that the error doesn't give much information about what's really going on or what's really missing.

Thanks for your help.

Kind regards.

On Tue, Nov 28, 2017 at 9:11 AM, Jan Just Keijser wrote:
> Hi,
>
> On 27/11/17 17:07, wizard2...@gmail.com wrote:
>> Hi there.
>>
>> I'm getting this error on a TLS server that I'm implementing and I
>> can't really understand what I'm doing wrong.
>>
>>> 139853560931992:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert
>>> unknown ca:s3_pkt.c:1487:SSL alert number 48
>>> 139853560931992:error:140790E5:SSL routines:ssl23_write:ssl handshake
>>> failure:s23_lib.c:177:
>>
>> This is the code of my server: https://pastebin.com/Fyuki8v0 and I
>> generate the certificates this way: https://pastebin.com/CDRKU2Gc
>> And I'm testing the server this way: openssl s_client -host 127.0.0.1
>> -port -cert client.crt -key client.key -CAfile ca.crt
>>
>> If I run a server this way: openssl s_server -key server.key -cert
>> server.crt -CAfile ca.crt -accept
>> I'm able to communicate with the same certificates, and in my server code I
>> always get:
>>
>>> Handshake Error 1
>>> SSL_ERROR_SSL...
>>
>> This is the result of the openssl s_client command:
>> https://pastebin.com/AWid1mxi
>
> FWIW: I've downloaded and compiled your code, generated certs using your
> script (which generates a client and server cert with the same serial
> number, BTW) and ran the code: I can connect just fine using either openssl
> 1.0.1e or 1.1.0e
>
> My bet is that when you run your code you are not loading the right ca.crt
> file; another way to debug is to add an x509 verify callback which
> prints out each cert as it is passed for verification.
>
> HTH,
>
> JJK
[openssl-users] SSL alert number 48
Hi there.

I'm getting this error on a TLS server that I'm implementing and I can't really understand what I'm doing wrong.

> 139853560931992:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1487:SSL alert number 48
> 139853560931992:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

This is the code of my server: https://pastebin.com/Fyuki8v0 and I generate the certificates this way: https://pastebin.com/CDRKU2Gc
And I'm testing the server this way: openssl s_client -host 127.0.0.1 -port -cert client.crt -key client.key -CAfile ca.crt

If I run a server this way: openssl s_server -key server.key -cert server.crt -CAfile ca.crt -accept
I'm able to communicate with the same certificates, and in my server code I always get:

> Handshake Error 1
> SSL_ERROR_SSL...

This is the result of the openssl s_client command: https://pastebin.com/AWid1mxi

Any idea what's happening to get this error?

Kind regards.
DESCryptoServiceProvider encryption and OpenSSL decrypt
Hello everyone.

I'm using .NET to encrypt a file using DES. I'm using this: DESCryptoServiceProvider, CryptoTransform and CryptoStream.

Does anyone know how to use OpenSSL to decrypt the file?

Thanks in advance.

Best Regards.