Re: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath
Wireshark and other packet capture tools can help you determine exactly
what's in the chain sent by the client. If the self-signed root isn't
being sent, then the "self-signed certificate in certificate chain" error
should never have been sent, and a bug report on that issue would be
appropriate. If the root is being sent, though, having some idea of what
you're doing when constructing your sessions could help us to figure out
why it is when you didn't intend it to be.

-Kyle H

On Sat, Dec 1, 2018 at 1:47 PM Charles Mills wrote:
>
> > It was found in the chain of certificates sent by the client to the
> > server for validation
>
> Again, I could be wrong but that is my point. I do not think the client is
> sending a chain of certificates, but rather only one, the CA-signed client
> certificate. (I wrote and configured the client, and generated the
> certificate, and loaded it into the certificate store.)
>
> Charles
>
> -----Original Message-----
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Viktor Dukhovni
> Sent: Saturday, December 1, 2018 12:47 PM
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] Self-signed error when using
> SSL_CTX_load_verify_locations CApath
>
> On Sat, Dec 01, 2018 at 12:29:42PM -0800, Charles Mills wrote:
>
> > I could easily be wrong -- you guys know more about certificates than I
> > ever will -- but I do not *think* there is any self-signed certificate
> > in this scenario. There should be exactly two certificates in this
> > discussion:
> >
> > 1. The client certificate. It is not self-signed (in the correct sense of
> > the term, as opposed to the erroneous popular sense): it is signed by my
> > "in-house" CA.
> >
> > 2. The CA certificate. Yes, it is a root and self-signed, but you didn't
> > find it, right?
>
> You seem to be stuck on a narrow meaning of the word "found". The
> self-signed certificate *was* found, but not in the trust-store.
> It was found in the chain of certificates sent by the client to the
> server for validation. That's what the error message is telling

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] openssl 1.1.1 opaque structures
Did you ever get an answer to that?

There is a call BN_num_bytes(), so the fix should be this:

    *var = rc_vmalloc(BN_num_bytes(bn));
    (*var)->l = BN_bn2bin(bn, (unsigned char *)(*var)->v);

Cheers,
Richard

( you should probably study include/openssl/bn.h in depth )

In message on Mon, 26 Nov 2018 11:15:27 +0530, priya p said:

> I am trying to fix this part of code:
>
> int Func1 (var, bn) {
>     *var = rc_vmalloc(bn->top * BN_BYTES);   --> Trying to fix this.
>     Error it throws is "error: dereferencing pointer to incomplete type".
>
>     (*var)->l = BN_bn2bin(bn, (unsigned char *)(*var)->v);
>     .
>     .
> }
>
> Thanks,
> Priya
>
> On Mon, 26 Nov 2018 at 11:06, Viktor Dukhovni wrote:
>
> > On Nov 26, 2018, at 12:14 AM, priya p wrote:
> >
> > I am unable to get the API to access bn->top value or any bn members in
> > openssl 1.1.1 .
> > Can you help me with the pointers to those APIs ?
>
> What actual problem are you trying to solve? Accessing bn->top is
> a goal in itself.
>
> --
> Viktor.
Re: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath
> It was found in the chain of certificates sent by the client to the
> server for validation

Again, I could be wrong but that is my point. I do not think the client is
sending a chain of certificates, but rather only one, the CA-signed client
certificate. (I wrote and configured the client, and generated the
certificate, and loaded it into the certificate store.)

Charles

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Viktor Dukhovni
Sent: Saturday, December 1, 2018 12:47 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Self-signed error when using
SSL_CTX_load_verify_locations CApath

On Sat, Dec 01, 2018 at 12:29:42PM -0800, Charles Mills wrote:

> I could easily be wrong -- you guys know more about certificates than I ever
> will -- but I do not *think* there is any self-signed certificate in this
> scenario. There should be exactly two certificates in this discussion:
>
> 1. The client certificate. It is not self-signed (in the correct sense of
> the term, as opposed to the erroneous popular sense): it is signed by my
> "in-house" CA.
>
> 2. The CA certificate. Yes, it is a root and self-signed, but you didn't
> find it, right?

You seem to be stuck on a narrow meaning of the word "found". The
self-signed certificate *was* found, but not in the trust-store.
It was found in the chain of certificates sent by the client to the
server for validation. That's what the error message is telling
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
On Sat, Dec 01, 2018 at 07:12:24PM +, Michael Wojcik wrote:

> > Are there compatibility concerns around changing error message
> > text for which users may have created regex patterns in scripts?
> >
> > I agree the text could be better, but not sure in what releases
> > if any to change the text, since the change may cause issues
> > for some users.
>
> Sure, this is always a concern. Maybe the change could be considered for
> OpenSSL 3.0, since that's a major release.

Care to create a PR against the "master" branch? Something along the
lines of:

    "Provided chain ends with untrusted self-signed certificate"

or better. Here "untrusted" might mean not trusted for the requested
purpose, but more precise is not always more clear.

--
Viktor.
Re: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath
On Sat, Dec 01, 2018 at 12:29:42PM -0800, Charles Mills wrote:

> I could easily be wrong -- you guys know more about certificates than I ever
> will -- but I do not *think* there is any self-signed certificate in this
> scenario. There should be exactly two certificates in this discussion:
>
> 1. The client certificate. It is not self-signed (in the correct sense of
> the term, as opposed to the erroneous popular sense): it is signed by my
> "in-house" CA.
>
> 2. The CA certificate. Yes, it is a root and self-signed, but you didn't
> find it, right?

You seem to be stuck on a narrow meaning of the word "found". The
self-signed certificate *was* found, but not in the trust-store.
It was found in the chain of certificates sent by the client to the
server for validation. That's what the error message is telling
you: the chain-building algorithm found a self-signed certificate
in the peer's chain, without finding a suitable trust-anchor in
the trust-store. So validation cannot proceed further and fails.

> (Because of my error in not running the hash utility.)
> If you found it what is the problem? ...

Everything from here down is based on an incorrect reading of
the word "found".

> Am I missing something?

Yes: "found" != "found in the trust store"

Think "encountered" rather than "found" if that's more clear.

--
Viktor.
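The script below is an added example, not code from this thread or from OpenSSL. It reproduces with the openssl CLI the distinction drawn above (and the point Kyle H makes elsewhere in the thread that the error can only appear if the root really was in the presented chain): a CA-signed client certificate verified against a CApath directory whose CA file was copied in but never hashed. `openssl verify -untrusted` plays the role of "the chain the peer sent". It assumes OpenSSL 1.1.0 or later (for `-no-CAfile` and `openssl rehash`, with `c_rehash` as a fallback); the file names, the CN values and the temporary working directory are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread). Three outcomes the discussion distinguishes:
#   1. leaf only, CApath not hashed            -> error 20 "unable to get local issuer certificate"
#   2. leaf + root as the peer's chain,
#      CApath not hashed                       -> error 19 "self signed certificate in certificate chain"
#   3. same chain after hashing the CApath     -> OK
# Names (in-house-ca.pem, test-client, $WORK) are this example's own assumptions.
set -u

setup_pki() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; return 1; }
    WORK=$(mktemp -d)
    CAPATH="$WORK/capath"
    mkdir "$CAPATH"

    # Self-contained req config so the result does not depend on the system openssl.cnf.
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = In-house test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

    # The "in-house" CA: a self-signed root.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
    # The client certificate: signed by that CA, so NOT self-signed.
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=test-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/client.pem" >/dev/null 2>&1 || return 1

    # The mistake from the thread: the root is copied into the CApath directory but the
    # directory is never hashed, so the by-directory lookup (<subject hash>.0) cannot find it.
    cp "$WORK/ca.pem" "$CAPATH/in-house-ca.pem"
}

# Leaf presented on its own (what the poster believed the client sends).
verify_leaf_only() {
    openssl verify -no-CAfile -CApath "$CAPATH" "$WORK/client.pem" 2>&1 || true
}

# Leaf with the self-signed root appended as an untrusted chain: this stands in for
# "the chain sent by the peer" and is what produces the error discussed in the thread.
verify_with_root_in_chain() {
    openssl verify -no-CAfile -CApath "$CAPATH" -untrusted "$WORK/ca.pem" "$WORK/client.pem" 2>&1 || true
}

# The fix: create the <hash>.0 links that the CApath lookup expects.
hash_capath() {
    openssl rehash "$CAPATH" >/dev/null 2>&1 || c_rehash "$CAPATH" >/dev/null 2>&1
}

cleanup() { rm -rf "$WORK"; }

# Demo run.
setup_pki || exit 1
echo "1) leaf only, CApath not hashed:";              verify_leaf_only
echo "2) leaf + root as the peer chain, not hashed:"; verify_with_root_in_chain
hash_capath
echo "3) same chain after hashing the CApath:";       verify_with_root_in_chain
ls -l "$CAPATH"
cleanup
```

Case 2 is the situation in the thread: error 19 at depth 1 means the verifier walked the presented chain, reached a self-signed certificate, and had no trust anchor for it; the certificate was "found" in the chain, not in the store. A client that presented only the leaf would fail with error 20 at depth 0 instead, which is why error 19 on the server implies the root was in the client's chain. The checks key on the numeric codes rather than the text because the wording of code 19 has changed between releases ("self signed" in 1.1.1, hyphenated in later versions), exactly the regex-compatibility concern raised later in the thread.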
Re: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath
I could easily be wrong -- you guys know more about certificates than I ever
will -- but I do not *think* there is any self-signed certificate in this
scenario. There should be exactly two certificates in this discussion:

1. The client certificate. It is not self-signed (in the correct sense of
the term, as opposed to the erroneous popular sense): it is signed by my
"in-house" CA.

2. The CA certificate. Yes, it is a root and self-signed, but you didn't
find it, right? (Because of my error in not running the hash utility.)
If you found it what is the problem? Does the hashing process imply trust?
Then the error message should be "untrusted CA certificate," no? (There is
only one certificate in the CApath folder.)

Am I missing something?

Charles

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Viktor Dukhovni
Sent: Friday, November 30, 2018 4:37 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Self-signed error when using
SSL_CTX_load_verify_locations CApath

> On Nov 30, 2018, at 7:25 PM, Charles Mills wrote:
>
> Well, it ought then to say "I couldn't find any certificates at all" rather
> than "I found a self-signed certificate" when it did not.

A self-signed certificate was found, in the chain being verified. The
message should likely be more clear (perhaps along the lines suggested
by Michael Wojcik), but it is not incorrect.
Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Friday, November 30, 2018 18:38
>
> Are there compatibility concerns around changing error message
> text for which users may have created regex patterns in scripts?
>
> I agree the text could be better, but not sure in what releases
> if any to change the text, since the change may cause issues
> for some users.

Sure, this is always a concern. Maybe the change could be considered for
OpenSSL 3.0, since that's a major release.

--
Michael Wojcik
Distinguished Engineer, Micro Focus