[openssl-users] SSL_get_verify_result returning 5 on SSL setup?
Hi all,

I'm occasionally getting code 5 from SSL_get_verify_result when attempting to set up an SSL/TLS connection to an MS Exchange server using v1.02a. I checked the source code, which shows it's X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, but I can't find where that is coming from. The error is listed and documented, but not used in the library anywhere AFAICT. Can anyone tell me where this value might be set in the process, and where it is in the code? Could this be an error sent back by the server?

Thnx,
Gait Boxman.
Re: how to get the trusted certificate of the website mail.yahoo.com?
Hi,

Did you try connecting to Yahoo with the ibm.com.pem as your CAFile? Looks like they're not sending the Equifax cert along, whereas IBM is. If I'm not mistaken, the ibm.com.pem is actually the Equifax cert; IBM's cert would be the one starting with MIIC..

--Gait.

Hu, Yong Jun SNLB PEK wrote:

Hello, dear all:

1) I use the command openssl to get the trusted certificate, but there are some errors showing in the output:

    bash-2.03# /usr/local/ssl/bin/openssl s_client -showcerts -connect login.yahoo.com:443
    CONNECTED(0004)
    depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    -----BEGIN CERTIFICATE-----
    [base64 certificate body omitted]
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
    issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 907 bytes and written 320 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DES-CBC3-SHA
        Session-ID: 4C92645DCF76DD39B93FA93134342228789864947A3A14CFB5AB965BA48BE95D
        Session-ID-ctx:
        Master-Key: 439AA1963FAD38CE860411AC778ED4AFB5F2437BF033ECDA451A07E44FC53FAFDA86EEAA40DD1FF88DB5FDBF1338F669
        Key-Arg   : None
        Start Time: 1161844868
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    read:errno=0

Question: what should I do to get the correct trusted certificate from Yahoo? Why are there three error infos: "unable to get local issuer certificate", "certificate not trusted", "unable to verify the first certificate"? Do I need to config openssl with another config?

2) I tried using "ibm.com" instead and was able to retrieve the certificate and make a connection without errors. This command displays the certificates.

    bash# openssl s_client -showcerts -connect ibm.com:443
    CONNECTED(0004)
    depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0 s:/C=US/ST=NC/L=Research Triangle Park/O=IBM/OU=HPODS/CN=redirect.www.ibm.com
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    -----BEGIN CERTIFICATE-----
    [base64 certificate body omitted]
    -----END CERTIFICATE-----
     1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Re: Building openssl on Win2K
I did it, and without any problem worth mentioning. Your troubles might be with two things, though. One might be the perl configure that is needed to set up the makefile; there is mention of a specific perl distro req'd. I just ran it with the one I had, and it worked fine (could be the required one, but I really can't remember which one I installed). Second is that you might have forgotten to run vcvars32 before the nmake. BTW, I built it with VC6 under Win2KPro. There is also an IDE for VC6, runs just as fine, and as a bonus, compiles all the openssl tools separately as well.

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 31, 2002 8:09 PM
Subject: Building openssl on Win2K

Okay, I give up. I followed the build instructions in INSTALL.W32 for VC++ only to find an unparseable makefile (ntdll.mak) with carriage returns embedded in the names of two macros (e.g. SSL^MOBJ=$(OBJ_D)\ssl.obj ...). When I fixed that, I discovered that the makefile was attempting to copy files from the $(SRC_D) (".") directory that actually lived in its many subdirectories. Rather than perform the major surgery required to fix that gaffe, I decided to fall back, regroup and try plan B, building under Cygwin. That got me as far as the first call to gcc:

    gcc -I. -I../include -DTHREADS -DDSO_WIN32 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall -c -o cryptlib.o cryptlib.c
    cryptlib.c:105: #error "Inconsistency between crypto.h and cryptlib.c"

cryptlib.c checks for

    #if CRYPTO_NUM_LOCKS != 29
    # error "Inconsistency between crypto.h and cryptlib.c"
    #endif

Of course, crypto.h says

    #define CRYPTO_NUM_LOCKS 29

but that doesn't seem to impress cryptlib.c. At this point I started to get suspicious... So my question is - is there anyone who has successfully built openssl-0.9.6g on any Win32 platform? If so, can I please hear from you as to how you managed the feat?

Thanks,
-Nick
Re: SSL_read() hang after read http 100 continue headers
Looks like your code is impatient. When you get continue, 4 retries won't be enough to get the next response. Basically, if you get an SSL_ERROR_WANT_READ, you just need to keep continuing to retry the SSL_read, if you expect more data that is. So, if you expect a server response, keep trying till you get some (you may want to hack in a timeout there), then process the response. If it's a continue, discard it and just start again reading till you get some...

- Original Message -
From: Lin Ma
To: '[EMAIL PROTECTED]'
Cc: Lin Ma
Sent: Wednesday, October 30, 2002 11:17 PM
Subject: SSL_read() hang after read http 100 continue headers

Hi,

My program is using the OpenSSL function SSL_read() to read http content. It works fine for most of the headers, but after it receives the HTTP/1.1 100 Continue header (the first block of headers), it will hang there. It should continue to read the headers (which is HTTP/1.1 200 OK...). The following is the header dump and the code I used. The http equivalent code works fine. After the first block of headers, it should continually read the 2nd block of headers. Is it because after the first block of headers (see the following), the terminators 0d 0a 0d 0a confused SSL_read? Or are the terminators the same as the SSL block terminator? How can I get around it?

This is the first block of headers:

    HTTP/1.1 100 Continue
    Server: Microsoft-IIS/5.0
    Date: Wed, 30 Oct 2002 06:34:56 GMT

Can you help me? Thank you.

    /* Read loop as posted; the comparison and '&&' operators that the archive's
       HTML extraction dropped are restored here. */
    while (Retries <= 4) {
        len = strlen(buf);
        printf("before SSL_read(), buf len=%d\n", len);
        r = SSL_read(Connect->ssl, buf, 100);
        err = SSL_get_error(Connect->ssl, r);
        printf("r=%d, err=%d\n", r, err);
        if (err == SSL_ERROR_NONE)
            bytes = r;
        if (err != SSL_ERROR_NONE && err != SSL_ERROR_WANT_READ && err == SSL_ERROR_ZERO_RETURN) {
            printf(" SSL_ERROR_ZERO_RETURN\n");
            break;
        }
        if (err != SSL_ERROR_NONE && err != SSL_ERROR_WANT_READ && err == SSL_ERROR_SYSCALL) {
            printf(" SSL_ERROR_SYSCALL\n");
            break;
        }
        if (err != SSL_ERROR_NONE && err != SSL_ERROR_WANT_READ
            && err != SSL_ERROR_SYSCALL && err != SSL_ERROR_ZERO_RETURN) {
            printf("Reading header, SSL read problem\n");
            break;
        }
        if (bytes < 0 && Control->AGW == 1) {
            printf("read returned -1 (Error %d), returning ...\n", errno);
            break;
        } else if (bytes == 0) {
            Retries++;   /* an empty read counts against the retry budget; the loop ends once Retries exceeds 4 */
        } else if (bytes > 0) {
            buf[bytes] = '\0';
            printf("read %d bytes, buf={%s}\n", bytes, buf);
        }
    }

    0x0000 | 48 54 54 50 2f 31 2e 31 20 31 30 30 20 43 6f 6e | HTTP/1.1 100 Con
    0x0010 | 74 69 6e 75 65 0d 0a 53 65 72 76 65 72 3a 20 4d | tinue..Server: M
    0x0020 | 69 63 72 6f 73 6f 66 74 2d 49 49 53 2f 35 2e 30 | icrosoft-IIS/5.0
    0x0030 | 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 33 30 20 | ..Date: Wed, 30 
    0x0040 | 4f 63 74 20 32 30 30 32 20 30 36 3a 33 34 3a 35 | Oct 2002 06:34:5
    0x0050 | 36 20 47 4d 54 0d 0a 0d 0a                      | 6 GMT....

    0x0000 | 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d | HTTP/1.1 200 OK.
    0x0010 | 0a 53 65 72 76 65 72 3a 20 4d 69 63 72 6f 73 6f | .Server: Microso
    0x0020 | 66 74 2d 49 49 53 2f 35 2e 30 0d 0a 44 61 74 65 | ft-IIS/5.0..Date
    0x0030 | 3a 20 57 65 64 2c 20 33 30 20 4f 63 74 20 32 30 | : Wed, 30 Oct 20
    0x0040 | 30 32 20 30 36 3a 33 35 3a 30 37 20 47 4d 54 0d | 02 06:35:07 GMT.
    0x0050 | 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a | .Content-Length:
    0x0060 | 20 31 38 36 33 0d 0a 43 6f 6e 74 65 6e 74 2d 54 |  1863..Content-T
    0x0070 | 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a | ype: text/html..
    0x0080 | 45 78 70 69 72 65 73 3a 20 57 65 64 2c 20 33 30 | Expires: Wed, 30
    0x0090 | 20 4f 63 74 20 32 30 30 32 20 30 36 3a 33 35 3a |  Oct 2002 06:35:
    0x00a0 | 30 37 20 47 4d 54 0d 0a 43 61 63 68 65 2d 63 6f | 07 GMT..Cache-co
    0x00b0 | 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 0d 0a | ntrol: private..
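The approach Gait describes (keep retrying the read when no data has arrived yet, discard an interim 100 Continue block and read on until the real response headers are complete), written out as an added C example; this is not code from the thread. The read_fn callback, the fake_read stand-in and the constructed byte stream are assumptions: with OpenSSL the callback would wrap SSL_read/SSL_get_error and return 0 for SSL_ERROR_WANT_READ.

```c
#include <string.h>
/* Transport callback (an assumed abstraction, not an OpenSSL API): returns >0 bytes
 * read, 0 when nothing arrived yet so the caller should simply try again (this is the
 * SSL_ERROR_WANT_READ case when wrapping SSL_read/SSL_get_error), -1 on fatal error. */
typedef int (*read_fn)(void *ctx, char *buf, int cap);
#define MAX_RETRIES 64  /* consecutive empty reads tolerated; a real client adds a timeout */
/* Reads one complete header block, discarding interim "100 Continue" blocks. Returns the
 * length of the final block (its "\r\n\r\n" included) at the start of hdr, or -1; body
 * bytes that already arrived stay at hdr + length and their count goes to *extra. */
int read_final_headers(read_fn rd, void *ctx, char *hdr, int cap, int *extra) {
    int used = 0, retries = 0;
    hdr[0] = '\0';
    for (;;) {
        char *end = strstr(hdr, "\r\n\r\n");
        if (end) {
            int blk = (int)(end - hdr) + 4;
            if (strncmp(hdr, "HTTP/1.1 100", 12) != 0) { *extra = used - blk; return blk; }
            memmove(hdr, hdr + blk, used - blk);  /* interim: drop it, keep what followed */
            used -= blk; hdr[used] = '\0';
            continue;
        }
        if (used >= cap - 1) return -1;            /* header block too large for buffer */
        int r = rd(ctx, hdr + used, cap - 1 - used);
        if (r < 0) return -1;
        if (r == 0) { if (++retries > MAX_RETRIES) return -1; continue; }
        retries = 0;                               /* progress made: reset the retry budget */
        used += r;
        hdr[used] = '\0';
    }
}
/* Constructed stand-in transport: the thread's two header blocks plus a short body,
 * delivered 7 bytes per call, with every other call returning 0 (nothing yet). */
typedef struct { const char *data; int len, pos, calls; } fake_t;
static int fake_read(void *ctx, char *buf, int cap) {
    fake_t *f = ctx;
    if (f->calls++ % 2 == 0) return 0;
    int n = f->len - f->pos;
    if (n > 7) n = 7; if (n > cap) n = cap;
    memcpy(buf, f->data + f->pos, n); f->pos += n;
    return n;
}
static const char STREAM[] =
    "HTTP/1.1 100 Continue\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello";
/* Runs the reader over the constructed stream; returns the final header length. */
int demo(char *out, int cap, int *extra) {
    fake_t f = { STREAM, (int)sizeof(STREAM) - 1, 0, 0 };
    return read_final_headers(fake_read, &f, out, cap, extra);
}
```

Because a stream read can return the tail of one block together with the head of the next, the reader keeps any bytes that follow a discarded 100 Continue rather than assuming each block arrives in its own read.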