Re: [openssl-users] SSL alert number 48

2017-12-04 Thread wizard2010
On Mon, Dec 4, 2017 at 10:27 AM, Kyle Hamilton  wrote:

> SSL alert number 48 is specified in the documents that define SSL/TLS.
> It is the code for "unknown_ca", which means that verification failed
> because it didn't get set up with the correct CA to verify against.
> You might wish to look up SSL_CTX_load_verify_locations(3).  There may
> also be other API calls which can load the context with certificates
> to verify against.
>

OK, I understand that, but what could be wrong with the certificates that I
generate with the commands I gave in the previous message?

Kind regards.


>
> You can get a list of the alert numbers from RFC 5246, available from
> (among other places) https://www.ietf.org/rfc/rfc5246.txt (also
> available as a PDF from https://www.ietf.org/rfc/rfc5246.txt.pdf).
>
> -Kyle H
>
> On Mon, Dec 4, 2017 at 12:10 AM,   wrote:
> > Hi ,
> >
> > Please see in attach the files that I'm using.
> > I generate the certificates with the following commands:
> >
> > ## Create CA
> > openssl genrsa -out ca.key 4096
> > openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> > openssl x509 -in ca.crt -out ca.pem -outform PEM
> >
> > ## Create the Server Key and CSR
> > openssl genrsa -out server.key 4096
> > openssl req -new -key server.key -out server.csr
> > openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key
> > -set_serial 01 -out server.crt
> > openssl x509 -in server.crt -out server.pem -outform PEM
> >
> > ## Create the Client Key and CSR
> > openssl genrsa -out client.key 4096
> > openssl req -new -key client.key -out client.csr
> > openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key
> > -set_serial 01 -out client.crt
> > openssl x509 -in client.crt -out client.pem -outform PEM
> >
> >
> > I left the default value of each question that openssl ask when it's
> > creating the certificates like Country, City, CN, etc. Like this way:
> >>
> >> openssl req -new -key server.key -out server.csr
> >>
> >> You are about to be asked to enter information that will be incorporated
> >>
> >> into your certificate request.
> >>
> >> What you are about to enter is what is called a Distinguished Name or a
> >> DN.
> >>
> >> There are quite a few fields but you can leave some blank
> >>
> >> For some fields there will be a default value,
> >>
> >> If you enter '.', the field will be left blank.
> >>
> >> -
> >>
> >> Country Name (2 letter code) [AU]:
> >>
> >> State or Province Name (full name) [Some-State]:
> >>
> >> Locality Name (eg, city) []:
> >>
> >> Organization Name (eg, company) [Internet Widgits Pty Ltd]:
> >>
> >> Organizational Unit Name (eg, section) []:
> >>
> >> Common Name (e.g. server FQDN or YOUR name) []:
> >>
> >> Email Address []:
> >>
> >> Please enter the following 'extra' attributes
> >>
> >> to be sent with your certificate request
> >>
> >> A challenge password []:
> >>
> >> An optional company name []:
> >
> >
> > Thanks.
> > Kind regards.
> >
> >
> > On Thu, Nov 30, 2017 at 2:45 PM, Jan Just Keijser 
> wrote:
> >>
> >> Hi,
> >>
> >> On 29/11/17 14:37, wizard2...@gmail.com wrote:
> >>
> >> Hi JJK,
> >>
> >> I test you function and I've got this result:
> >>>
> >>> ok = 0
> >>> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
> >>> ok = 1
> >>> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
> >>
> >>
> >> Why I see this 2 time?
> >> When I create the certificates I didn't fill with any special
> information,
> >> just type enter in every question that is made. Did you think this could
> >> cause this issue?
> >>
> >>
> >> what you should have seen is the certificate stack, starting with the
> CA,
> >> and then the client cert, e.g.
> >>
> >> Connection accept...
> >> ok = 1
> >> cert DN: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4
> >> CA/emailAddress=open...@example.com
> >> ok = 1
> >> cert DN: /C=US/O=Cookbook 2.4/CN=client1
> >>
> >>
> >> so I suspect that your ca.crt on the server side is not specified
> >> correctly.
> >> You may also send me your ca.crt, server.{crt,key} and client.{crt,key}
> >> files privately, and I will run the same test using your set of
> >> certificates.
> >>
> >> HTH,
> >>
> >> JJK
> >>
> >>
> >>
> >>
> >> On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser 
> >> wrote:
> >>>
> >>> Hi,
> >>>
> >>> On 28/11/17 11:03, wizard2...@gmail.com wrote:
> >>>
> >>> Hi there.
> >>>
> >>> I guess my problem is really related to verify callback on
> >>> SSL_CTX_set_verify function.
> >>> I just add to my code a dummy callback returning 1 and everything works
> >>> properly.
> >>>
> 
>  int verify_callback (int ok, X509_STORE_CTX *ctx);
>  int verify_callback (int ok, X509_STORE_CTX *ctx)
>  {
>  printf("Verification callback OK!\n");
>  return 1;
>  }
>  ...
>  SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
>  SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
>  ...
> >>>
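
Kyle's point above is that the "48" in the error line is an RFC 5246 alert number. The hex code in front of it carries the same information in packed form. The program below is an added example, not code from this thread: it parses an OpenSSL 1.0.x/1.1.x error line, splits the code into library, function and reason fields exactly as the ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON macros do, and recovers the alert number from the reason. Two facts it relies on are OpenSSL's own: ERR_LIB_SSL is 20, and an alert that was *received* from the peer is reported with reason 1000 + alert number (SSL_AD_REASON_OFFSET), raised by the record reader (ssl3_read_bytes). The alert-name table is a subset of RFC 5246 section 7.2, and the two sample lines are the ones quoted in this thread, joined back onto one line each.

```c
/* Added example, not code from the thread: decode the packed error code in an
 * OpenSSL 1.0.x/1.1.x error line such as
 *   error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:...
 * Field layout (library in the top 8 bits, function in the next 12, reason in
 * the low 12), ERR_LIB_SSL == 20 and the 1000 offset used for alerts received
 * from the peer are OpenSSL's constants; the name table and the sample lines
 * in main() are constructed here from RFC 5246 and the thread's own output. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERR_LIB_SSL_NUM      20     /* ERR_LIB_SSL */
#define SSL_AD_REASON_OFFSET 1000   /* reason = 1000 + alert number, received alerts only */

struct err_info {
    unsigned long code;
    int lib, func, reason;
    int alert;                      /* RFC 5246 alert number, or -1 if not a received alert */
    char func_name[64];
    char reason_text[128];
};

/* Same arithmetic as the ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON macros. */
static int err_get_lib(unsigned long e)    { return (int)((e >> 24) & 0xffUL); }
static int err_get_func(unsigned long e)   { return (int)((e >> 12) & 0xfffUL); }
static int err_get_reason(unsigned long e) { return (int)(e & 0xfffUL); }

/* RFC 5246 section 7.2 alert names (certificate-related subset). */
const char *alert_name(int alert)
{
    switch (alert) {
    case 40: return "handshake_failure";
    case 42: return "bad_certificate";
    case 43: return "unsupported_certificate";
    case 44: return "certificate_revoked";
    case 45: return "certificate_expired";
    case 46: return "certificate_unknown";
    case 48: return "unknown_ca";
    case 49: return "access_denied";
    case 51: return "decrypt_error";
    default: return "other";
    }
}

/* Parse "...error:<hex code>:<library>:<function>:<reason>:...". Returns 1 on success. */
int parse_openssl_error(const char *line, struct err_info *out)
{
    const char *p = strstr(line, "error:");
    if (p == NULL) return 0;
    p += strlen("error:");
    char *code_end;
    unsigned long code = strtoul(p, &code_end, 16);
    if (code_end == p || *code_end != ':') return 0;
    const char *func_start = strchr(code_end + 1, ':');     /* skip the library name */
    if (func_start == NULL) return 0;
    func_start++;
    const char *func_end = strchr(func_start, ':');
    if (func_end == NULL) return 0;
    const char *reason_start = func_end + 1;
    const char *reason_end = strchr(reason_start, ':');
    if (reason_end == NULL) reason_end = reason_start + strlen(reason_start);

    memset(out, 0, sizeof *out);
    out->code = code;
    out->lib = err_get_lib(code);
    out->func = err_get_func(code);
    out->reason = err_get_reason(code);
    out->alert = (out->lib == ERR_LIB_SSL_NUM && out->reason >= SSL_AD_REASON_OFFSET)
                     ? out->reason - SSL_AD_REASON_OFFSET : -1;
    snprintf(out->func_name, sizeof out->func_name, "%.*s",
             (int)(func_end - func_start), func_start);
    snprintf(out->reason_text, sizeof out->reason_text, "%.*s",
             (int)(reason_end - reason_start), reason_start);
    return 1;
}

/* OpenSSL only uses the 1000 offset for alerts it read off the wire, so an
 * alert reason means the peer rejected something this side sent. */
int alert_was_received_from_peer(const struct err_info *e)
{
    return e->alert >= 0;
}

int main(void)
{
    /* Constructed from the two lines quoted in the thread, one line each. */
    const char *samples[] = {
        "139853560931992:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1487:SSL alert number 48",
        "139853560931992:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct err_info e;
        if (!parse_openssl_error(samples[i], &e)) continue;
        printf("code %08lx: lib %d func %d (%s) reason %d (%s)\n",
               e.code, e.lib, e.func, e.func_name, e.reason, e.reason_text);
        if (alert_was_received_from_peer(&e))
            printf("  alert %d = %s, received from the peer\n", e.alert, alert_name(e.alert));
    }
    return 0;
}
```

For the first sample the reason field is 0x418 = 1048, i.e. 1000 + 48, so the decoder agrees with the "SSL alert number 48" text at the end of the line; the second sample (reason 0x0E5 = 229, "ssl handshake failure") is a local error with no alert number, which is why no alert is reported for it.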

Re: [openssl-users] SSL alert number 48

2017-12-04 Thread wizard2010
Hi ,

Please see in attach the files that I'm using.
I generate the certificates with the following commands:


## Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl x509 -in ca.crt -out ca.pem -outform PEM

## Create the Server Key and CSR
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
openssl x509 -in server.crt -out server.pem -outform PEM

## Create the Client Key and CSR
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl x509 -in client.crt -out client.pem -outform PEM


I left the default value for each question that openssl asks when creating
the certificates (Country, City, CN, etc.), like this:

openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


Thanks.
Kind regards.


On Thu, Nov 30, 2017 at 2:45 PM, Jan Just Keijser  wrote:

> Hi,
>
> On 29/11/17 14:37, wizard2...@gmail.com wrote:
>
> Hi JJK,
>
> I test you function and I've got this result:
>
>> ok = 0
>> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
>> ok = 1
>> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
>
>
> Why I see this 2 time?
> When I create the certificates I didn't fill with any special information,
> just type enter in every question that is made. Did you think this could
> cause this issue?
>
>
> what you should have seen is the certificate stack, starting with the CA,
> and then the client cert, e.g.
>
> Connection accept...
> ok = 1
> cert DN: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/emailAddress=openvpn@
> example.com
> ok = 1
> cert DN: /C=US/O=Cookbook 2.4/CN=client1
>
>
> so I suspect that your ca.crt on the server side is not specified
> correctly.
> You may also send me your ca.crt, server.{crt,key} and client.{crt,key}
> files privately, and I will run the same test using your set of
> certificates.
>
> HTH,
>
> JJK
>
>
>
>
> On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser 
> wrote:
>
>> Hi,
>>
>> On 28/11/17 11:03, wizard2...@gmail.com wrote:
>>
>> Hi there.
>>
>> I guess my problem is really related to verify callback
>> on SSL_CTX_set_verify function.
>> I just add to my code a dummy callback returning 1 and everything works
>> properly.
>>
>>
>>> int verify_callback (int ok, X509_STORE_CTX *ctx);
>>> int verify_callback (int ok, X509_STORE_CTX *ctx)
>>> {
>>> printf("Verification callback OK!\n");
>>> return 1;
>>> }
>>> ...
>>> SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
>>> SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
>>> ...
>>
>>
>> The problem is that error don't tell much information about what's really
>> going on or what's really missing.
>> Thanks for your help.
>>
>> Now you've effectively disabled all security :)
>>
>> Try adding this to the verify_callback
>>
>>
>> static int verify_callback(int ok, X509_STORE_CTX *ctx)
>> {
>> X509   *cert = NULL;
>> char   *cert_DN = NULL;
>>
>> printf("ok = %d\n", ok);
>> cert= X509_STORE_CTX_get_current_cert(ctx);
>> cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0
>> );
>> printf( "cert DN: %s\n", cert_DN);
>>
>> }
>>
>>
>> that way, you will know whether your server is processing the right
>> certificate chain.
>>
>> HTH,
>>
>> JJK
>>
>>
>
>


Attachments: ca.crt, ca.key, ca.pem, client.crt, client.csr, client.key, client.pem, server.crt, server.csr, server.key, server.pem
-- 
openssl-users mailing list

Re: [openssl-users] SSL alert number 48

2017-11-29 Thread wizard2010
On Wed, Nov 29, 2017 at 1:54 PM, Viktor Dukhovni  wrote:

> On Wed, Nov 29, 2017 at 09:56:35AM +0100, Jan Just Keijser wrote:
>
> > Try adding this to the verify_callback
> >
> >
> > static int verify_callback(int ok, X509_STORE_CTX *ctx)
> > {
> > X509   *cert = NULL;
> > char   *cert_DN = NULL;
> >
> > printf("ok = %d\n", ok);
> > cert= X509_STORE_CTX_get_current_cert(ctx);
> > cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0
> );
> > printf( "cert DN: %s\n", cert_DN);
> >
> > }
>
> You've left out the final "return ok;", and there's a new memory
> leak.  Closer would be:
>
>  static int verify_callback(int ok, X509_STORE_CTX *ctx)
>  {
>  X509   *cert = NULL;
>  char   *cert_DN = NULL;
>
>  printf("ok = %d\n", ok);
>  cert= X509_STORE_CTX_get_current_cert(ctx);
>  cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL,
> 0 );
>  printf( "cert DN: %s\n", cert_DN);
>
>  OPENSSL_free(cert_DN);
>  return ok;
>  }
>
>
With that code I've got this:

> ok = 0
> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
> Handshake Error 1
>

I can't really understand why this happens, since I'm creating the
certificates the right way (at least I think I am).

Thanks for your help.
Kind regards.


Re: [openssl-users] SSL alert number 48

2017-11-29 Thread wizard2010
On Tue, Nov 28, 2017 at 9:11 PM, Viktor Dukhovni  wrote:

> On Tue, Nov 28, 2017 at 10:03:12AM +, wizard2...@gmail.com wrote:
>
> > I guess my problem is really related to verify callback
> > on SSL_CTX_set_verify function.
> > I just add to my code a dummy callback returning 1 and everything works
> > properly.
> >
> >
> > > int verify_callback (int ok, X509_STORE_CTX *ctx);
> > > int verify_callback (int ok, X509_STORE_CTX *ctx)
> > > {
> > > printf("Verification callback OK!\n");
> > > return 1;
> > > }
> > > ...
> > > SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
> > > SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
>
> The above completely disables authentication of the peer certificate,
> and makes your application vulnerable to man-in-the-middle attacks.
> Perhaps that's OK, but often it is not.
>

Why do you say that code disables the authentication?
One thing I don't understand is what kind of verification the
SSL_CTX_set_verify function performs.
And what is the right thing to do in verify_callback in order to
perform client certificate authentication?

Kind regards.


> > The problem is that error don't tell much information about what's really
> > going on or what's really missing.
>
> When the verification callback is failing, the peer's certificate
> chain is either incomplete or is using a trust-anchor (root CA)
> that is not configured as trusted on your end.
>
> --
> Viktor.
>


Re: [openssl-users] SSL alert number 48

2017-11-29 Thread wizard2010
Hi JJK,

I tested your function and got this result:

> ok = 0
> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
> ok = 1
> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd


Why do I see this two times?
When I created the certificates I didn't fill in any special information,
I just pressed enter at every question. Do you think this could
cause this issue?

Kind regards.


On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser  wrote:

> Hi,
>
> On 28/11/17 11:03, wizard2...@gmail.com wrote:
>
> Hi there.
>
> I guess my problem is really related to verify callback
> on SSL_CTX_set_verify function.
> I just add to my code a dummy callback returning 1 and everything works
> properly.
>
>
>> int verify_callback (int ok, X509_STORE_CTX *ctx);
>> int verify_callback (int ok, X509_STORE_CTX *ctx)
>> {
>> printf("Verification callback OK!\n");
>> return 1;
>> }
>> ...
>> SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
>> SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
>> ...
>
>
> The problem is that error don't tell much information about what's really
> going on or what's really missing.
> Thanks for your help.
>
> Now you've effectively disabled all security :)
>
> Try adding this to the verify_callback
>
>
> static int verify_callback(int ok, X509_STORE_CTX *ctx)
> {
> X509   *cert = NULL;
> char   *cert_DN = NULL;
>
> printf("ok = %d\n", ok);
> cert= X509_STORE_CTX_get_current_cert(ctx);
> cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
> printf( "cert DN: %s\n", cert_DN);
>
> }
>
>
> that way, you will know whether your server is processing the right
> certificate chain.
>
> HTH,
>
> JJK
>
>


Re: [openssl-users] SSL alert number 48

2017-11-28 Thread wizard2010
Hi there.

I guess my problem is really related to the verify callback
of the SSL_CTX_set_verify function.
I just added a dummy callback returning 1 to my code and everything works
properly.


> int verify_callback (int ok, X509_STORE_CTX *ctx);
> int verify_callback (int ok, X509_STORE_CTX *ctx)
> {
> printf("Verification callback OK!\n");
> return 1;
> }
> ...
> SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
> SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
> ...


The problem is that the error doesn't give much information about what's really
going on or what's really missing.
Thanks for your help.

Kind regards.


On Tue, Nov 28, 2017 at 9:11 AM, Jan Just Keijser  wrote:

> Hi,
>
> On 27/11/17 17:07, wizard2...@gmail.com wrote:
>
> Hi there.
>
> I'm getting this error on a TLS server that I'm implementing and I
> can't really understand what I'm doing wrong.
>
> 139853560931992:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert
>> unknown ca:s3_pkt.c:1487:SSL alert number 48
>> 139853560931992:error:140790E5:SSL routines:ssl23_write:ssl handshake
>> failure:s23_lib.c:177:
>
>
> This is the code of my server: https://pastebin.com/Fyuki8v0 and I
> generate the certificates this way: https://pastebin.com/CDRKU2Gc
> And I'm testing the server this way: openssl s_client -host 127.0.0.1
> -port  -cert client.crt -key client.key -CAfile ca.crt
>
> If I run a server this way openssl s_server -key server.key -cert
> server.crt -CAfile ca.crt -accept 
> I'm able to communicate with the same certificates and on my server code I
> always get:
>
>> Handshake Error 1
>> SSL_ERROR_SSL...
>
>
> This is the result of openssl s_client command:
> https://pastebin.com/AWid1mxi
>
> FWIW: I've downloaded and compiled your code, generated certs using your
> script (which generates a client and server cert with the same serial
> number, BTW) and ran the code: I can connect just fine using either openssl
> 1.0.1e or 1.1.0e
>
> My bet is that when you run your code you are not loading the right ca.crt
> file ; another way to debug is , is to add a x509 verify callback which
> prints out each cert as it is passed for verification.
>
> HTH,
>
> JJK
>
>


[openssl-users] SSL alert number 48

2017-11-27 Thread wizard2010
Hi there.

I'm getting this error on a TLS server that I'm implementing and I
can't really understand what I'm doing wrong.

> 139853560931992:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert
> unknown ca:s3_pkt.c:1487:SSL alert number 48
> 139853560931992:error:140790E5:SSL routines:ssl23_write:ssl handshake
> failure:s23_lib.c:177:


This is the code of my server: https://pastebin.com/Fyuki8v0 and I generate
the certificates this way: https://pastebin.com/CDRKU2Gc
And I'm testing the server this way: openssl s_client -host 127.0.0.1 -port
 -cert client.crt -key client.key -CAfile ca.crt

If I run a server this way: openssl s_server -key server.key -cert
server.crt -CAfile ca.crt -accept 
I'm able to communicate with the same certificates, but with my own server code I
always get:

> Handshake Error 1
> SSL_ERROR_SSL...


This is the result of openssl s_client command:
https://pastebin.com/AWid1mxi

Any idea what's happening to get this error?

Kind regards.


DESCryptoServiceProvider encryption and OpenSSL decrypt

2010-11-09 Thread wizard2010
Hello everyone.

I'm using .NET to encrypt a file using DES. I'm using this:

DESCryptoServiceProvider, CryptoTransform and CryptoStream

Does anyone know how to use OpenSSL to decrypt the file?

Thanks in advance.
Best Regards.