Re: [openssl-users] Man page suggestion - SSL_get_verify_result

2019-02-13 Thread Matt Caswell



On 12/02/2019 22:29, Hal Murray wrote:
> Is there a better place for things like this?
> 
> Please add X509_verify_cert_error_string to the SEE ALSO section of the man 
> page for SSL_get_verify_result

Please raise an issue on github for this sort of thing. Even better create a
pull request.

Matt

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Man page suggestion - SSL_get_verify_result

2019-02-12 Thread Hal Murray
Is there a better place for things like this?

Please add X509_verify_cert_error_string to the SEE ALSO section of the man 
page for SSL_get_verify_result

Thanks.


-- 
These are my opinions.  I hate spam.





Re: [openssl-users] SSL_get_verify_result returning 5 on SSL setup?

2015-09-04 Thread Viktor Dukhovni
On Fri, Sep 04, 2015 at 09:24:21AM +0200, Gait Boxman wrote:

> I'm occasionally getting code 5 from SSL_get_verify_result when attempting
> to setup an SSL/TLS connection to an MS Exchange server using v1.02a.

Show the relevant code that returns "5".  Most frequently "5" is
SSL_ERROR_SYSCALL, returned by SSL_get_error().  As you note, this
value is never set as the verification result by OpenSSL itself, so
unless you have verify callbacks that change the X509_STORE_CTX
error value, perhaps you're reporting the return value of the wrong
function.

-- 
Viktor.


[openssl-users] SSL_get_verify_result returning 5 on SSL setup?

2015-09-04 Thread Gait Boxman

Hi all,

I'm occasionally getting code 5 from SSL_get_verify_result when 
attempting to setup an SSL/TLS connection to an MS Exchange server using 
v1.02a.
I checked the source code, which shows it's 
X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, but I can't find where that 
is coming from. The error is listed and documented, but not used in the 
library anywhere AFAICT.
Can anyone tell me where this value might be set in the process, and 
where it is in the code? Could this be an error sent back by the server?


Thnx, Gait Boxman.


Re: print result of SSL_get_verify_result

2013-01-20 Thread Dr. Stephen Henson
On Sat, Jan 19, 2013, ask wrote:

 
> Is there a function in ERR_* that can print the text from code?
 

Not in ERR_* no because the error doesn't come from the ERR library. You can
instead use X509_verify_cert_error_string(err)

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: print result of SSL_get_verify_result

2013-01-19 Thread ask
Thanks, 


Is there a function in ERR_* that can print the text from code?


A




 From: Jeffrey Walton noloa...@gmail.com
To: as...@yahoo.com 
Sent: Thursday, January 17, 2013 8:32 PM
Subject: Re: print result of SSL_get_verify_result
 
On Thu, Jan 17, 2013 at 9:17 PM, ask as...@yahoo.com wrote:
> How can I print out result string from return code of
> SSL_get_verify_result?
> For example, for my test, I got 18,
> ERR_error_string( return_code) does not yield anything?
From verify(1) man page (http://www.openssl.org/docs/apps/verify.html):

18   X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT

Jeff

print result of SSL_get_verify_result

2013-01-17 Thread ask
How can I print out result string from return code of
SSL_get_verify_result?
For example, for my test, I got 18, 

ERR_error_string( return_code) does not yield anything?

A

Re: print result of SSL_get_verify_result

2013-01-17 Thread Jeffrey Walton
On Thu, Jan 17, 2013 at 9:17 PM, ask as...@yahoo.com wrote:
> How can I print out result string from return code of
> SSL_get_verify_result?
> For example, for my test, I got 18,
> ERR_error_string( return_code) does not yield anything?
http://www.openssl.org/docs/ssl/SSL_get_verify_result.html


Re: SSL_get_verify_result() behavior

2011-11-16 Thread Yutaka Takeda
I ran the same test with OpenSSL v0.9.8o on linux. As soon as
verifyCallback returns 0, connect() fails with the CERT_UNTRUSTED
error from SSL_get_verify_result() as expected. Here's the log:

OpenSSL 0.9.8o 01 Jun 2010
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack
-g -Wall
built on: Wed Feb 23 00:42:27 UTC 2011
platform: debian-i386
OPENSSLDIR: /usr/lib/ssl
TCP connection successful
 verifyCallback() - in: preverify_ok=0
Verify error: unable to get local issuer certificate(20)
 - depth=1
 - sub  =/C=US/O=Google Inc/CN=Google Internet Authority
 verifyCallback() - out
SSL handshake failed: SSL_ERROR_SSLFAIL


Does this mean 0.9.8r has a bug??? If so, then it would be a pretty
bad one because clients that use the version would connect to
untrusted servers...

Any thoughts?
- Yutaka


Re: SSL_get_verify_result() behavior

2011-11-16 Thread Yutaka Takeda
After some more investigation, the problem seems to happen only with
OpenSSL (v0.9.8r) preinstalled with Mac OS X 10.6.8.

If the test program is linked against *locally* built 0.9.8r,
CERT_UNTRUSTED is correctly reported by SSL_get_verify_result().

Log:
OpenSSL 0.9.8r 8 Feb 2011
compiler: cc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
-fmessage-length=0 -pipe -Wno-trigraphs -fpascal-strings -fasm-blocks
-O3 -DOPENSSL_NO_IDEA -DOPENSSL_PIC -DZLIB -mmacosx-version-min=10.6
-arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall
built on: Wed Nov 16 13:53:59 PST 2011
platform: darwin64-x86_64-cc
OPENSSLDIR: /usr/local/ssl
TCP connection successful
 verifyCallback() - in: preverify_ok=0
Verify error: unable to get local issuer certificate(20)
 - depth=1
 - sub  =/C=US/O=Google Inc/CN=Google Internet Authority
 verifyCallback() - out
SSL handshake failed: SSL_ERROR_SSLFAIL

Looking at the compile options, the only difference is the compiler
openssl is built with:

Default build: darwin64-x86_64-cc (did not detect CERT_UNTRUSTED)
Local build: darwin64-x86_64-llvm (detected CERT_UNTRUSTED correctly)

Unfortunately, I cannot build libssl/libcrypto with
darwin64-x86_64-llvm and I cannot check if that makes any difference.

Does anyone have any thoughts?
- Yutaka


Re: SSL_get_verify_result() behavior

2011-11-16 Thread Yutaka Takeda
Sorry... there was a typo:

Incorrect:
 Default build: darwin64-x86_64-cc (did not detect CERT_UNTRUSTED)
 Local build: darwin64-x86_64-llvm (detected CERT_UNTRUSTED correctly)

Correct:
Default build: darwin64-x86_64-llvm (did not detect CERT_UNTRUSTED)
Local build: darwin64-x86_64-cc (detected CERT_UNTRUSTED correctly)

Thanks.


On Wed, Nov 16, 2011 at 2:53 PM, Yutaka Takeda yt0...@gmail.com wrote:
> After some more investigation, the problem seems to happen only with
> OpenSSL (v0.9.8r) preinstalled with Mac OS X 10.6.8.
>
> If the test program is linked against *locally* built 0.9.8r,
> CERT_UNTRUSTED is correctly reported by SSL_get_verify_result().
>
> Log:
> OpenSSL 0.9.8r 8 Feb 2011
> compiler: cc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
> -fmessage-length=0 -pipe -Wno-trigraphs -fpascal-strings -fasm-blocks
> -O3 -DOPENSSL_NO_IDEA -DOPENSSL_PIC -DZLIB -mmacosx-version-min=10.6
> -arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall
> built on: Wed Nov 16 13:53:59 PST 2011
> platform: darwin64-x86_64-cc
> OPENSSLDIR: /usr/local/ssl
> TCP connection successful
> verifyCallback() - in: preverify_ok=0
> Verify error: unable to get local issuer certificate(20)
>  - depth=1
>  - sub  =/C=US/O=Google Inc/CN=Google Internet Authority
>  verifyCallback() - out
> SSL handshake failed: SSL_ERROR_SSLFAIL
>
> Looking at the compile options, the only difference is the compiler
> openssl is built with:
>
> Default build: darwin64-x86_64-cc (did not detect CERT_UNTRUSTED)
> Local build: darwin64-x86_64-llvm (detected CERT_UNTRUSTED correctly)
>
> Unfortunately, I cannot build libssl/libcrypto with
> darwin64-x86_64-llvm and I cannot check if that makes any difference.
>
> Does anyone have any thoughts?
> - Yutaka



SSL_get_verify_result() behavior

2011-11-15 Thread Yutaka Takeda
During the test of my C code using OpenSSL, I noticed that even though
CA certs were not loaded, SSL verification succeeded unexpectedly.

Attached below is simplified code that demonstrates what I have been
seeing. I intentionally commented out the section that tries to load
CA certs, but SSL_get_verify_result() returns X509_V_OK where I
expect X509_V_ERR_CERT_UNTRUSTED to be returned. Looking at my log, the
verifyCallback() detected the error, returning 0 to the caller, but the
return value from SSL_get_verify_result() did not seem to reflect the
error detected in the verifyCallback().

Here's some tty logs:

(1) When CA certs are not loaded:

TCP connection successful
 verifyCallback() - in: preverify_ok=0
Verify error: unable to get local issuer certificate(20)
 - depth=1
 - sub  =/C=US/O=Google Inc/CN=Google Internet Authority
 verifyCallback() - out
SSL handshake/verify successful
PASS


(2) When CA certs are loaded:

TCP connection successful
 verifyCallback() - in: preverify_ok=1
 verifyCallback() - out
 verifyCallback() - in: preverify_ok=1
 verifyCallback() - out
 verifyCallback() - in: preverify_ok=1
 verifyCallback() - out
SSL handshake/verify successful
PASS


(3) When CA certs are NOT loaded, and returning 1 always from verifyCallback()

TCP connection successful
 verifyCallback() - in: preverify_ok=0
Verify error: unable to get local issuer certificate(20)
 - depth=1
 - sub  =/C=US/O=Google Inc/CN=Google Internet Authority
 verifyCallback() - out
 verifyCallback() - in: preverify_ok=0
Verify error: certificate not trusted(27)
 - depth=1
 - sub  =/C=US/O=Google Inc/CN=Google Internet Authority
 verifyCallback() - out
 verifyCallback() - in: preverify_ok=1
 verifyCallback() - out
SSL verify failed: CERT_UNTRUSTED(27)
FAIL

As in (3), if 1 is always returned from verifyCallback(),
SSL_get_verify_result() seems to return the expected error.

So, my question is, in order to correctly detect 'CERT_UNTRUSTED'
error in the code, what needs to be done in the implementation? There
may be something I am doing right. Please let me know if you notice
anything.

Here's info of OpenSSL I am using:

OpenSSL 0.9.8r 8 Feb 2011
compiler: -arch x86_64 -fmessage-length=0 -pipe -Wno-trigraphs
-fpascal-strings -fasm-blocks -O3 -D_REENTRANT -DDSO_DLFCN
-DHAVE_DLFCN_H -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_NO_IDEA
-DOPENSSL_PIC -DOPENSSL_THREADS -DZLIB -mmacosx-version-min=10.6
built on: Apr 22 2011
platform: darwin64-x86_64-llvm
OPENSSLDIR: /System/Library/OpenSSL


Any comments are appreciated!!
- Yutaka

/* ssltest.c */

#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h> /* memset() */

#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/err.h>


#define HOST "encrypted.google.com"
#define PORT (443)
#define MAX_VERIFY_DEPTH (2)
#define CA_CERT_PATH "./ca-bundle.crt"


static char const* ssl_strerror(SSL* ssl, int ret);
static char const* crt_strerror(int err);


/* Logs each verification step and passes OpenSSL's own verdict through. */
int verifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
{
    fprintf(stdout, " verifyCallback() - in: preverify_ok=%d\n",
            preverify_ok);

    if(!preverify_ok)
    {
        char buf[256];
        X509 *err_cert;
        int err, depth;
        SSL *ssl;

        err_cert = X509_STORE_CTX_get_current_cert(ctx);
        err = X509_STORE_CTX_get_error(ctx);
        depth = X509_STORE_CTX_get_error_depth(ctx);
        ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx,
                SSL_get_ex_data_X509_STORE_CTX_idx());
        X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);

        fprintf(stderr, "Verify error: %s(%d)\n",
                X509_verify_cert_error_string(err), err);
        fprintf(stderr, " - depth=%d\n", depth);
        fprintf(stderr, " - sub  =\"%s\"\n", buf);
    }

    fprintf(stdout, " verifyCallback() - out\n");
    //return 1;
    return preverify_ok;
}


int connectTcp()
{
    struct hostent *h;
    struct sockaddr_in sin;
    int fd = -1;
    int ret;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(PORT);

    /* Resolve remote IP address */
    h = gethostbyname(HOST);
    if(!h)
    {
        fprintf(stderr, "Could not obtain IP address\n");
        return -1;
    }

    sin.sin_addr = *(struct in_addr*)(h->h_addr_list[0]);

    /* Create fd */
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if(fd < 0)
    {
        return -1;
    }

    /* Connect to remote */
    ret = connect(fd, (struct sockaddr*)&sin, sizeof(sin));
    if(ret < 0)
    {
        close(fd);
        return -1;
    }

    return fd; /* connected */
}

int test(void)
{
    int ret = 0;
    SSL_CTX *ctx = 0;
    SSL *ssl = 0;
    int fd = -1;

    /* Create SSL_CTX */
    ctx = SSL_CTX_new(SSLv3_client_method());
    if(!ctx)
    {
        fprintf(stderr, "SSL_CTX_new failed");
        ret = -1;
        goto bail;
    }

#if 0 /* Intentionally commented out not to load CA certs. */
    /* Load CA certs from file */
if(!SSL_CTX_load_verify_locations(ctx, CA_CERT_PATH, NULL

SSL_get_verify_result Errorcode 20 ( X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY )

2010-11-10 Thread Michael Biener
Hello all,

I have written an SMTP proxy using OpenSSL for the network communication. I am
now trying to use STARTTLS with an SMTP server, in my case smtp.live.com
(Microsoft Hotmail).

I set up my truststore directory using SSL_CTX_load_verify_locations.

SSL_get_verify_result always returns error code 20
(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).

X509_get_subject_name and X509_get_issuer_name return the following certificate
information:

/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=Windows Live Mail/CN=smtp.live.com

/CN=Microsoft Secure Server Authority

I exported the Microsoft Secure Server Authority from Mozilla Firefox, so I got
a MicrosoftSecureServerAuthority.pem file in my truststore directory.

I executed c_rehash on the directory; it created a file b0398940.0 with
file content: !symlinkÿþM

I also tried to copy the content of the .pem file to the .0 file, but I am
still getting X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY as the result of
calling SSL_get_verify_result.

What am I doing wrong? Is there something I have forgotten?

Kind Regards 

Michael Biener
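
Added example (not part of the original post and not OpenSSL code): a small C check for the situation described above, where a hash-named entry in the truststore directory holds symlink-stub text instead of a certificate. It assumes such stubs start with the bytes !<symlink> (the post shows "!symlink", taken here to be that marker); the function names are hypothetical and the certificate test only looks for a PEM header.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

enum entry_kind { ENTRY_PEM, ENTRY_SYMLINK_STUB, ENTRY_NOT_PEM, ENTRY_UNREADABLE };
static const char *const kind_text[] = {
    "PEM certificate", "symlink stub, not a certificate",
    "no PEM certificate inside", "cannot be opened" };

/* CApath certificate entries are named <8 hex digits>.<n>, e.g. b0398940.0 */
int is_hash_name(const char *name)
{
    size_t hex = strspn(name, "0123456789abcdefABCDEF");
    size_t num = name[hex] == '.' ? strspn(name + hex + 1, "0123456789") : 0;

    return hex == 8 && num > 0 && name[hex + 1 + num] == '\0';
}

/* Classify what a program gets when it opens `path` as an ordinary file. */
enum entry_kind classify_entry(const char *path)
{
    char buf[4096];
    struct stat st;
    size_t n;
    FILE *fp;

    /* stat() follows real symlinks, so a dangling link ends up here. */
    if (stat(path, &st) != 0 || (fp = fopen(path, "rb")) == NULL)
        return ENTRY_UNREADABLE;
    n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    if (n >= 10 && memcmp(buf, "!<symlink>", 10) == 0)
        return ENTRY_SYMLINK_STUB;  /* assumed stub format, see lead-in */
    if (S_ISREG(st.st_mode) && (strstr(buf, "-----BEGIN CERTIFICATE-----")
            || strstr(buf, "-----BEGIN TRUSTED CERTIFICATE-----")))
        return ENTRY_PEM;
    return ENTRY_NOT_PEM;
}

/* Print every hash-named entry of `dir` that is not a PEM certificate.
 * Returns the number of such entries, or -1 if `dir` cannot be read. */
int check_capath(const char *dir)
{
    char path[4096];
    struct dirent *de;
    int bad = 0;
    DIR *d = opendir(dir);

    if (d == NULL)
        return -1;
    while ((de = readdir(d)) != NULL) {
        if (!is_hash_name(de->d_name))
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        enum entry_kind kind = classify_entry(path);
        if (kind != ENTRY_PEM) {
            printf("%s: %s\n", path, kind_text[kind]);
            bad++;
        }
    }
    closedir(d);
    return bad;
}

int main(int argc, char **argv)
{
    int bad = check_capath(argc > 1 ? argv[1] : ".");
    return bad < 0 ? 2 : bad > 0;
}
```

Run it with the truststore directory as its only argument; an exit status of 1 means at least one hash-named entry would not give the library a certificate.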


SSL_get_verify_result returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20)

2007-05-04 Thread Christian Graf

Hi all,

I try to check a server's certificate on the client like this, using an
operating system whose name contains an o:

  GC_SSL_Error retVal = GC_SSL_NO_ERROR;

  X509* x509cert = SSL_get_peer_certificate(m_ssl_p);

  if (x509cert != NULL)
  {
    // load cert
    if (1 != SSL_CTX_load_verify_locations(m_ctx_p,
            "C:\\openssl\\certs\\thawteCp.pem", NULL))
      retVal = GC_SSL_CERT_LOAD_ERROR;
    else {
      // check cert
      long certVerifyResult = SSL_get_verify_result(m_ssl_p);
      // the only successful return code is X509_V_OK = 0
      if ((certVerifyResult != X509_V_OK) && (GC_SSL_NO_ERROR == retVal))
        retVal = GC_SSL_CERT_VALID_ERROR;
    }

    X509_free(x509cert);
  }
  else retVal = GC_SSL_NO_PEER_CERT;


The problem is that I always receive the return value 20
(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) when calling the
function SSL_CTX_load_verify_locations.
The certificate thawteCp.pem is located in the given path, the
certificate itself has been delivered by the openssl installation.

I really cannot imagine what the problem is. Maybe somebody could give
me a hint?

Thank you and bye

Christian


Re: SSL_get_verify_result returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20)

2007-05-04 Thread Peter Sylvester


The load verify location has to be done before you make the connection.


Christian Graf wrote:

> Hi all,
>
> I try to check a server's certificate on the client like this, using an
> operating system whose name contains an o:
>
>   GC_SSL_Error retVal = GC_SSL_NO_ERROR;
>
>   X509* x509cert = SSL_get_peer_certificate(m_ssl_p);
>
>   if (x509cert != NULL)
>   {
>     // load cert
>     if (1 != SSL_CTX_load_verify_locations(m_ctx_p,
>             "C:\\openssl\\certs\\thawteCp.pem", NULL))
>       retVal = GC_SSL_CERT_LOAD_ERROR;
>     else {
>       // check cert
>       long certVerifyResult = SSL_get_verify_result(m_ssl_p);
>       // the only successful return code is X509_V_OK = 0
>       if ((certVerifyResult != X509_V_OK) && (GC_SSL_NO_ERROR == retVal))
>         retVal = GC_SSL_CERT_VALID_ERROR;
>     }
>
>     X509_free(x509cert);
>   }
>   else retVal = GC_SSL_NO_PEER_CERT;
>
>
> The problem is that I always receive the return value 20
> (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) when calling the
> function SSL_CTX_load_verify_locations.
> The certificate thawteCp.pem is located in the given path, the
> certificate itself has been delivered by the openssl installation.
>
> I really cannot imagine what the problem is. Maybe somebody could give
> me a hint?
>
> Thank you and bye
>
> Christian





smime.p7s
Description: S/MIME Cryptographic Signature


SSL_get_verify_result

2007-03-29 Thread Maria de las Mercedes Iervasi

I need some help with SSL_get_verify_result errors.
I use Windows XP, Visual C++, OpenSSL 0.9.8d

This is my example program:



#include <stdio.h>
#include <string.h>

#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/err.h>

int main(int argc, char *argv[])
{
    BIO * bio;
    SSL * ssl;
    SSL_CTX * ctx;

    int p;

    char * request = "GET /...";

    char r[1024];

    /* Set up the library */

    SSL_library_init();
    ERR_load_BIO_strings();
    SSL_load_error_strings();
    OpenSSL_add_all_algorithms();

    /* Set up the SSL context */

    ctx = SSL_CTX_new(SSLv23_client_method());

    /* Load the trust store (backslashes in the path are escaped for C) */

    if(! SSL_CTX_load_verify_locations(ctx, "TrustStore.pem",
        "C:\\build\\openssl-0.9.8d\\certs"))
    {
        fprintf(stderr, "Error loading trust store\n");
        ERR_print_errors_fp(stderr);
        SSL_CTX_free(ctx);
        return 0;
    }

    /* Setup the connection */

    bio = BIO_new_ssl_connect(ctx);

    /* Set the SSL_MODE_AUTO_RETRY flag */

    BIO_get_ssl(bio, &ssl);
    SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);

    /* Create and setup the connection */

    BIO_set_conn_hostname(bio, "the host I use:https");

    if(BIO_do_connect(bio) <= 0)
    {
        fprintf(stderr, "Error attempting to connect\n");
        ERR_print_errors_fp(stderr);
        BIO_free_all(bio);
        SSL_CTX_free(ctx);
        return 0;
    }

    /* Check the certificate (the verify result is a long) */

    if(SSL_get_verify_result(ssl) != X509_V_OK)
    {
        fprintf(stderr, "Certificate verification error: %li\n",
            SSL_get_verify_result(ssl));

        BIO_free_all(bio);
        SSL_CTX_free(ctx);
        return 0;
    }

    /* Send the request */

    BIO_write(bio, request, strlen(request));

    /* Read in the response */

    for(;;)
    {
        p = BIO_read(bio, r, 1023);
        if(p <= 0) break;
        r[p] = 0;
        printf("%s", r);
    }

    /* Close the connection and free the context */

    BIO_free_all(bio);
    SSL_CTX_free(ctx);
    return 0;
}



I am trying to connect to two different hosts... and I get different errors:
from the first: Certificate verification error: 19
the second: Certificate verification error: 20

I am using the same TrustStore.pem for both of them...
but I can connect without a problem to, for example, www.verisign.com

I don't have experience with SSL, so please answer me with specific things
to follow.


Maria 




Re: SSL_get_verify_result(ssl)

2002-04-02 Thread Lutz Jaenicke

On Fri, Mar 29, 2002 at 08:14:19PM +0530, biswaksen wrote:
> I have written a client/server code using openssl.
>
> when i am verifying the server certificate on the client side and also the
> client certificate on the server side the verification fails.
>
> On the client side,
> SSL_get_verify_result(ssl) returns code 18.
> which is:
>  18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
>
> i have the server certificate on the client side and i am using this
> function in my client code.
>
> if (SSL_CTX_load_verify_locations(ctx,CERTF,HOME) <= 0 ) {
>     ERR_print_errors_fp(stderr);
>     exit(3);
> }
>
> where CERTF is server certificate and HOME is the certificate path.
>
> i have used verify command to check the server certificate which the
> server is sending to the client and the certificate the client is having
> on its side. this command gives OK.
>
> then i don't know where is the problem. Please tell me why it fails.

It should work in the way described. Please make sure that you are building
against a recent version of the OpenSSL library, as the option to supply
self signed certificates in the CAfile has only been added recently.
Please also check out, whether the certificate is correctly loaded from
CERTF. HOME is not needed when the certificate in question is already
contained in CERTF. Put only the cert in question into CERTF and set
the CApath argument to NULL for testing.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



SSL_get_verify_result(ssl)

2002-03-29 Thread biswaksen



Hi,

I have written a client/server code using openssl.

when i am verifying the server certificate on the client side and also the
client certificate on the server side the verification fails.

On the client side,
SSL_get_verify_result(ssl) returns code 18.
which is:
18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate

i have the server certificate on the client side and i am using this
function in my client code.

if (SSL_CTX_load_verify_locations(ctx,CERTF,HOME) <= 0 ) {
    ERR_print_errors_fp(stderr);
    exit(3);
}

where CERTF is server certificate and HOME is the certificate path.

i have used verify command to check the server certificate which the
server is sending to the client and the certificate the client is having
on its side. this command gives OK.

then i don't know where is the problem. Please tell me why it fails.

biswaksen