Re: [openssl-users] Man page suggestion - SSL_get_verify_result
On 12/02/2019 22:29, Hal Murray wrote:
> Is there a better place for things like this?
>
> Please add X509_verify_cert_error_string to the SEE ALSO section of the man
> page for SSL_get_verify_result

Please raise an issue on github for this sort of thing. Even better create a
pull request.

Matt

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Man page suggestion - SSL_get_verify_result
Is there a better place for things like this?

Please add X509_verify_cert_error_string to the SEE ALSO section of the man
page for SSL_get_verify_result

Thanks.

--
These are my opinions. I hate spam.
Re: [openssl-users] SSL_get_verify_result returning 5 on SSL setup?
On Fri, Sep 04, 2015 at 09:24:21AM +0200, Gait Boxman wrote:
> I'm occasionally getting code 5 from SSL_get_verify_result when attempting
> to setup an SSL/TLS connection to an MS Exchange server using v1.02a.

Show the relevant code that returns "5". Most frequently "5" is
SSL_ERROR_SYSCALL, returned by SSL_get_error(). As you note, this value is
never set as the verification result by OpenSSL itself, so unless you have
verify callbacks that change the X509_STORE_CTX error value, perhaps you're
reporting the return value of the wrong function.

--
	Viktor.
[openssl-users] SSL_get_verify_result returning 5 on SSL setup?
Hi all,

I'm occasionally getting code 5 from SSL_get_verify_result when attempting to
setup an SSL/TLS connection to an MS Exchange server using v1.02a.

I checked the source code, which shows it's
X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, but I can't find where that is
coming from. The error is listed and documented, but not used in the library
anywhere AFAICT.

Can anyone tell me where this value might be set in the process, and where it
is in the code? Could this be an error sent back by the server?

Thnx,
Gait Boxman.
Re: print result of SSL_get_verify_result
On Sat, Jan 19, 2013, ask wrote:
> Is there a function in ERR_* that can print the text from code?

Not in ERR_* no because the error doesn't come from the ERR library. You can
instead use X509_verify_cert_error_string(err)

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: print result of SSL_get_verify_result
Thanks,

Is there a function in ERR_* that can print the text from code?

A

From: Jeffrey Walton <noloa...@gmail.com>
To: as...@yahoo.com
Sent: Thursday, January 17, 2013 8:32 PM
Subject: Re: print result of SSL_get_verify_result

On Thu, Jan 17, 2013 at 9:17 PM, ask <as...@yahoo.com> wrote:
> How can I print out result string from return code of SSL_get_verify_result?
> For example, for my test, I got 18, ERR_error_string( return_code) does not
> yield anything?

From verify(1) man page (http://www.openssl.org/docs/apps/verify.html):

  18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT

Jeff
print result of SSL_get_verify_result
How can I print out result string from return code of SSL_get_verify_result?
For example, for my test, I got 18, ERR_error_string( return_code) does not
yield anything?

A
Re: print result of SSL_get_verify_result
On Thu, Jan 17, 2013 at 9:17 PM, ask <as...@yahoo.com> wrote:
> How can I print out result string from return code of SSL_get_verify_result?
> For example, for my test, I got 18, ERR_error_string( return_code) does not
> yield anything?

http://www.openssl.org/docs/ssl/SSL_get_verify_result.html
Re: SSL_get_verify_result() behavior
I ran the same test with OpenSSL v0.9.8o on linux. As soon as verifyCallback
returns 0, connect() fails with the CERT_UNTRUSTED error from
SSL_get_verify_result() as expected. Here's the log:

  OpenSSL 0.9.8o 01 Jun 2010
  compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall
  built on: Wed Feb 23 00:42:27 UTC 2011
  platform: debian-i386
  OPENSSLDIR: /usr/lib/ssl

  TCP connection successful
  verifyCallback() - in: preverify_ok=0
  Verify error: unable to get local issuer certificate(20)
   - depth=1
   - sub ="/C=US/O=Google Inc/CN=Google Internet Authority"
  verifyCallback() - out
  SSL handshake failed: SSL_ERROR_SSLFAIL

Does this mean 0.9.8r has a bug??? If so, then it would be a pretty bad one
because clients that use the version would connect to untrusted servers...

Any thoughts?

- Yutaka
Re: SSL_get_verify_result() behavior
After some more investigation, the problem seems to happen only with OpenSSL
(v0.9.8r) preinstalled with Mac OS X 10.6.8. If the test program is linked
against *locally* built 0.9.8r, CERT_UNTRUSTED is correctly reported by
SSL_get_verify_result().

Log:

  OpenSSL 0.9.8r 8 Feb 2011
  compiler: cc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fmessage-length=0 -pipe -Wno-trigraphs -fpascal-strings -fasm-blocks -O3 -DOPENSSL_NO_IDEA -DOPENSSL_PIC -DZLIB -mmacosx-version-min=10.6 -arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall
  built on: Wed Nov 16 13:53:59 PST 2011
  platform: darwin64-x86_64-cc
  OPENSSLDIR: /usr/local/ssl

  TCP connection successful
  verifyCallback() - in: preverify_ok=0
  Verify error: unable to get local issuer certificate(20)
   - depth=1
   - sub ="/C=US/O=Google Inc/CN=Google Internet Authority"
  verifyCallback() - out
  SSL handshake failed: SSL_ERROR_SSLFAIL

Looking at the compile options, the only difference is the compiler openssl
is built with:

  Default build: darwin64-x86_64-cc (did not detect CERT_UNTRUSTED)
  Local build: darwin64-x86_64-llvm (detected CERT_UNTRUSTED correctly)

Unfortunately, I cannot build libssl/libcrypto with darwin64-x86_64-llvm and
I cannot check if that makes any difference.

Does anyone have any thoughts?

- Yutaka
Re: SSL_get_verify_result() behavior
Sorry... there was a typo:

Incorrect:
  Default build: darwin64-x86_64-cc (did not detect CERT_UNTRUSTED)
  Local build: darwin64-x86_64-llvm (detected CERT_UNTRUSTED correctly)

Correct:
  Default build: darwin64-x86_64-llvm (did not detect CERT_UNTRUSTED)
  Local build: darwin64-x86_64-cc (detected CERT_UNTRUSTED correctly)

Thanks.

On Wed, Nov 16, 2011 at 2:53 PM, Yutaka Takeda <yt0...@gmail.com> wrote:
> [...]
SSL_get_verify_result() behavior
During the test of my C code using OpenSSL, I noticed that even though CA
certs were not loaded, SSL verification succeeded unexpectedly.

Attached below is a simplified code that demonstrates what I have been seeing.
I intentionally commented out the section where it tries to load CA certs,
but SSL_get_verify_result() returns X509_V_OK where I expect
X509_V_ERR_CERT_UNTRUSTED to be returned.

Looking at my log, the verifyCallback() detected the error, returning 0 to
the caller, but the return value from SSL_get_verify_result() did not seem to
reflect the error detected in the verifyCallback().

Here's some tty logs:

(1) When CA certs are not loaded:

  TCP connection successful
  verifyCallback() - in: preverify_ok=0
  Verify error: unable to get local issuer certificate(20)
   - depth=1
   - sub ="/C=US/O=Google Inc/CN=Google Internet Authority"
  verifyCallback() - out
  SSL handshake/verify successful
  PASS

(2) When CA certs are loaded:

  TCP connection successful
  verifyCallback() - in: preverify_ok=1
  verifyCallback() - out
  verifyCallback() - in: preverify_ok=1
  verifyCallback() - out
  verifyCallback() - in: preverify_ok=1
  verifyCallback() - out
  SSL handshake/verify successful
  PASS

(3) When CA certs are NOT loaded, and returning 1 always from verifyCallback():

  TCP connection successful
  verifyCallback() - in: preverify_ok=0
  Verify error: unable to get local issuer certificate(20)
   - depth=1
   - sub ="/C=US/O=Google Inc/CN=Google Internet Authority"
  verifyCallback() - out
  verifyCallback() - in: preverify_ok=0
  Verify error: certificate not trusted(27)
   - depth=1
   - sub ="/C=US/O=Google Inc/CN=Google Internet Authority"
  verifyCallback() - out
  verifyCallback() - in: preverify_ok=1
  verifyCallback() - out
  SSL verify failed: CERT_UNTRUSTED(27)
  FAIL

As in (3), if 1 is always returned from verifyCallback(),
SSL_get_verify_result() seems to return the expected error.

So, my question is, in order to correctly detect 'CERT_UNTRUSTED' error in
the code, what needs to be done in the implementation?
There may be something I am doing right. Please let me know if you notice
anything.

Here's info of OpenSSL I am using:

  OpenSSL 0.9.8r 8 Feb 2011
  compiler: -arch x86_64 -fmessage-length=0 -pipe -Wno-trigraphs -fpascal-strings -fasm-blocks -O3 -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_NO_IDEA -DOPENSSL_PIC -DOPENSSL_THREADS -DZLIB -mmacosx-version-min=10.6
  built on: Apr 22 2011
  platform: darwin64-x86_64-llvm
  OPENSSLDIR: /System/Library/OpenSSL

Any comments are appreciated!!

- Yutaka

/* ssltest.c */
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/err.h>

#define HOST             "encrypted.google.com"
#define PORT             (443)
#define MAX_VERIFY_DEPTH (2)
#define CA_CERT_PATH     "./ca-bundle.crt"

static char const* ssl_strerror(SSL* ssl, int ret);
static char const* crt_strerror(int err);

int verifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
{
    fprintf(stdout, "verifyCallback() - in: preverify_ok=%d\n", preverify_ok);

    if(!preverify_ok) {
        char buf[256];
        X509 *err_cert;
        int err, depth;
        SSL *ssl;

        err_cert = X509_STORE_CTX_get_current_cert(ctx);
        err      = X509_STORE_CTX_get_error(ctx);
        depth    = X509_STORE_CTX_get_error_depth(ctx);
        ssl      = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
        (void)ssl; /* not used in this test */

        X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
        fprintf(stderr, "Verify error: %s(%d)\n", X509_verify_cert_error_string(err), err);
        fprintf(stderr, " - depth=%d\n", depth);
        fprintf(stderr, " - sub =\"%s\"\n", buf);
    }

    fprintf(stdout, "verifyCallback() - out\n");

    //return 1;
    return preverify_ok;
}

int connectTcp(void)
{
    struct hostent *h;
    struct sockaddr_in sin;
    int fd = -1;
    int ret;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port   = htons(PORT);

    /* Resolve remote IP address */
    h = gethostbyname(HOST);
    if(!h) {
        fprintf(stderr, "Could not obtain IP address\n");
        return -1;
    }
    sin.sin_addr = *(struct in_addr*)(h->h_addr_list[0]);

    /* Create fd */
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if(fd < 0) {
        return -1;
    }

    /* Connect to remote */
    ret = connect(fd, (struct sockaddr*)&sin, sizeof(sin));
    if(ret < 0) {
        close(fd);
        return -1;
    }

    return fd; /* connected */
}

int test(void)
{
    int ret = 0;
    SSL_CTX *ctx = 0;
    SSL *ssl = 0;
    int fd = -1;
    long verify_result;

    /* Create SSL_CTX */
    ctx = SSL_CTX_new(SSLv3_client_method());
    if(!ctx) {
        fprintf(stderr, "SSL_CTX_new failed\n");
        ret = -1;
        goto bail;
    }

#if 0 /* Intentionally commented out not to load CA certs. */
    /* Load CA certs from file */
    if(!SSL_CTX_load_verify_locations(ctx, CA_CERT_PATH, NULL)) {
        fprintf(stderr, "SSL_CTX_load_verify_locations failed\n");
        ret = -1;
        goto bail;
    }
#endif

    /* The archived post is cut off after the #if 0 block above; the rest of
     * test() is reconstructed from the tty logs in the post so that the file
     * compiles and prints the same messages. */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verifyCallback);
    SSL_CTX_set_verify_depth(ctx, MAX_VERIFY_DEPTH);

    fd = connectTcp();
    if(fd < 0) {
        fprintf(stderr, "TCP connection failed\n");
        ret = -1;
        goto bail;
    }
    fprintf(stdout, "TCP connection successful\n");

    ssl = SSL_new(ctx);
    if(!ssl) {
        fprintf(stderr, "SSL_new failed\n");
        ret = -1;
        goto bail;
    }
    SSL_set_fd(ssl, fd);

    ret = SSL_connect(ssl);
    if(ret != 1) {
        fprintf(stderr, "SSL handshake failed: %s\n", ssl_strerror(ssl, ret));
        ret = -1;
        goto bail;
    }

    /* Verification result of the peer chain, X509_V_OK (0) on success */
    verify_result = SSL_get_verify_result(ssl);
    if(verify_result != X509_V_OK) {
        fprintf(stderr, "SSL verify failed: %s(%ld)\n",
                crt_strerror((int)verify_result), verify_result);
        ret = -1;
        goto bail;
    }

    fprintf(stdout, "SSL handshake/verify successful\n");
    ret = 0;

bail:
    if(ssl) {
        SSL_shutdown(ssl);
        SSL_free(ssl);
    }
    if(fd >= 0) close(fd);
    if(ctx) SSL_CTX_free(ctx);
    return ret;
}

static char const* ssl_strerror(SSL* ssl, int ret)
{
    switch(SSL_get_error(ssl, ret)) {
    case SSL_ERROR_SSL:     return "SSL_ERROR_SSLFAIL";
    case SSL_ERROR_SYSCALL: return "SSL_ERROR_SYSCALL";
    default:                return "SSL_ERROR_OTHER";
    }
}

static char const* crt_strerror(int err)
{
    switch(err) {
    case X509_V_OK:                                    return "OK";
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: return "UNABLE_TO_GET_ISSUER_CERT_LOCALLY";
    case X509_V_ERR_CERT_UNTRUSTED:                    return "CERT_UNTRUSTED";
    default:                                           return X509_verify_cert_error_string(err);
    }
}

int main(void)
{
    SSL_library_init();
    SSL_load_error_strings();

    if(test() == 0) {
        printf("PASS\n");
        return 0;
    }
    printf("FAIL\n");
    return 1;
}
SSL_get_verify_result Errorcode 20 ( X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY )
Hello All there,

I have written an SMTP Proxy using openssl for the network communication.
Now trying to use STARTTLS with an SMTP Server, in my case smtp.live.com
(Microsoft Hotmail).

I set up my truststore directory using SSL_CTX_load_verify_locations.
SSL_get_verify_result every time results in error code 20
(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).

X509_get_subject_name and X509_get_issuer_name return the following
certificate information:

  /C=US/ST=Washington/L=Redmond/O=Microsoft/OU=Windows Live Mail/CN=smtp.live.com
  /CN=Microsoft Secure Server Authority

I exported the Microsoft Secure Server Authority from Mozilla Firefox so I
got a MicrosoftSecureServerAuthority.pem file in my truststore directory.
I executed c_rehash on the directory; it created a file b0398940.0 with
file content:

  !symlinkÿþM

I also tried to copy the content of the .pem file to the .0 but still get
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY as result on calling
SSL_get_verify_result.

What am I doing wrong? Is there something I have forgotten?

Kind Regards
Michael Biener
SSL_get_verify_result returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20)
Hi all,

I try to check a server's certificate on the client like this, using an
operating system whose name contains an o:

    GC_SSL_Error retVal = GC_SSL_NO_ERROR;
    X509* x509cert = SSL_get_peer_certificate(m_ssl_p);
    if (x509cert != NULL)
    {
        //load cert
        if(1 != SSL_CTX_load_verify_locations(m_ctx_p, "C:\\openssl\\certs\\thawteCp.pem", NULL))
            retVal = GC_SSL_CERT_LOAD_ERROR;
        else
        {
            // check cert
            long certVerifyResult = SSL_get_verify_result(m_ssl_p);
            // the only successful return code is X509_V_OK = 0
            if((certVerifyResult != X509_V_OK) && (GC_SSL_NO_ERROR == retVal))
                retVal = GC_SSL_CERT_VALID_ERROR;
        }
        X509_free(x509cert);
    }
    else
        retVal = GC_SSL_NO_PEER_CERT;

The problem is, that I receive always the return value 20
(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY), when calling the function
SSL_CTX_load_verify_locations. The certificate thawteCp.pem is located in the
given path, the certificate itself has been delivered by the openssl
installation. I really cannot imagine, what the problem is. Maybe anybody
could give me a hint?

Thank you and bye
Christian
Re: SSL_get_verify_result returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20)
The load verify location has to be done before you make the connection.

Christian Graf wrote:
> [...]
SSL_get_verify_result
I need some help with SSL_get_verify_result errors.
I use WindowsXP, Visual C++, OpenSSL 0.9.8d

this is my example program:

    #include <stdio.h>
    #include <string.h>
    #include <openssl/bio.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>

    int main(int argc, char *argv[])
    {
        BIO * bio;
        SSL * ssl;
        SSL_CTX * ctx;
        int p;
        char * request = "GET /...";
        char r[1024];

        SSL_library_init();            /* Set up the library */
        ERR_load_BIO_strings();
        SSL_load_error_strings();
        OpenSSL_add_all_algorithms();

        /* Set up the SSL context */
        ctx = SSL_CTX_new(SSLv23_client_method());

        /* Load the trust store */
        if(! SSL_CTX_load_verify_locations(ctx, "TrustStore.pem", "C:\\build\\openssl-0.9.8d\\certs"))
        {
            fprintf(stderr, "Error loading trust store\n");
            ERR_print_errors_fp(stderr);
            SSL_CTX_free(ctx);
            return 0;
        }

        /* Setup the connection */
        bio = BIO_new_ssl_connect(ctx);

        /* Set the SSL_MODE_AUTO_RETRY flag */
        BIO_get_ssl(bio, &ssl);
        SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);

        /* Create and setup the connection */
        BIO_set_conn_hostname(bio, "the host I use:https");
        if(BIO_do_connect(bio) <= 0)
        {
            fprintf(stderr, "Error attempting to connect\n");
            ERR_print_errors_fp(stderr);
            BIO_free_all(bio);
            SSL_CTX_free(ctx);
            return 0;
        }

        /* Check the certificate (SSL_get_verify_result returns a long) */
        if(SSL_get_verify_result(ssl) != X509_V_OK)
        {
            fprintf(stderr, "Certificate verification error: %ld\n", SSL_get_verify_result(ssl));
            BIO_free_all(bio);
            SSL_CTX_free(ctx);
            return 0;
        }

        /* Send the request */
        BIO_write(bio, request, strlen(request));

        /* Read in the response */
        for(;;)
        {
            p = BIO_read(bio, r, 1023);
            if(p <= 0) break;
            r[p] = 0;
            printf("%s", r);
        }

        /* Close the connection and free the context */
        BIO_free_all(bio);
        SSL_CTX_free(ctx);
        return 0;
    }

I am trying to connect to two different hosts... and I get different errors:

from the first:
  Certificate verification error: 19
the second:
  Certificate verification error: 20

I am using the same TrustStore.pem for both of them... but I can connect
without a problem to for example: www.verisign.com

I don't have experience on SSL, so please, answer me saying specific things
to follow.

Maria
Re: SSL_get_verify_result(ssl)
On Fri, Mar 29, 2002 at 08:14:19PM +0530, biswaksen wrote:
> [...]

It should work in the way described. Please make sure that you are building
against a recent version of the OpenSSL library, as the option to supply self
signed certificates in the CAfile has only been added recently.
Please also check whether the certificate is correctly loaded from CERTF.
HOME is not needed when the certificate in question is already contained in
CERTF. Put only the cert in question into CERTF and set the CApath argument
to NULL for testing.

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
SSL_get_verify_result(ssl)
Hi,

I have written a client/server code using openssl. When I am verifying the
server certificate on the client side and also the client certificate on the
server side the verification fails.

On the client side, SSL_get_verify_result(ssl) returns code 18, which is:

  18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate

I have the server certificate on the client side and I am using this function
in my client code.

    if (SSL_CTX_load_verify_locations(ctx, CERTF, HOME) <= 0) {
        ERR_print_errors_fp(stderr);
        exit(3);
    }

where CERTF is server certificate and HOME is the certificate path.

I have used verify command to check the server certificate which the server
is sending to the client and the certificate the client is having on its
side. This command gives OK.

Then I don't know where the problem is. Please tell me why it fails.

biswaksen
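Added example, not code from any of the posts above. The verify result codes that recur in these threads are 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) and 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY); the script below reproduces both offline with the openssl command-line tool and then shows the three things that make them go away: the issuing CA as CAfile, the issuing CA in a hashed CApath directory, and, for a self-signed peer, that certificate itself in the trust store. All certificates are generated in a temporary directory, so nothing from the posts is used as input; the only assumption is an openssl binary (1.1.1 or 3.x) on PATH. The numbers openssl verify prints are the same X509_V_ERR_* values SSL_get_verify_result() returns, and the text after "lookup:" is what X509_verify_cert_error_string() returns for them.

```sh
#!/bin/sh
# Added example, not code from any post in this thread. Reproduces verify
# result codes 18 and 20 with the openssl CLI, fully offline, and shows what
# makes each of them go away. Assumption: an `openssl` binary (1.1.1 or 3.x)
# on PATH. Every certificate is generated here in a temporary directory.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A private CA, a leaf certificate signed by it, and an unrelated self-signed
# certificate (the situation of the 2002 thread).
gen_certs() {
    ( cd "$WORK"
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
          -subj /CN=Demo-CA -days 2 >/dev/null 2>&1
      openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
          -subj /CN=leaf.example >/dev/null 2>&1
      openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
          -out leaf.pem -days 2 >/dev/null 2>&1
      openssl req -x509 -newkey rsa:2048 -nodes -keyout self.key -out self.pem \
          -subj /CN=self.example -days 2 >/dev/null 2>&1 )
}

# Print the X509_V_ERR_* number that `openssl verify` reports for cert $1,
# or 0 for X509_V_OK. Remaining arguments are extra verify options.
# On failure the tool prints a line such as
#   error 20 at 0 depth lookup: unable to get local issuer certificate
# where the number is what SSL_get_verify_result() would return and the text
# is X509_verify_cert_error_string() for that number.
verify_code() {
    cert=$1; shift
    out=$(openssl verify "$@" "$cert" 2>&1 || true)
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    printf '%s\n' "${code:-0}"
}

# Build a hashed CApath directory the way c_rehash does: the file name is the
# CA's subject-name hash followed by ".0". A copy of the PEM file is used, not
# a symlink, which is what SSL_CTX_load_verify_locations(ctx, NULL, dir) needs
# on a platform without real symlinks.
make_capath() {
    mkdir -p "$WORK/cadir"
    cp "$WORK/ca.pem" "$WORK/cadir/$(openssl x509 -noout -hash -in "$WORK/ca.pem").0"
    printf '%s\n' "$WORK/cadir"
}

gen_certs
capath=$(make_capath)

# Only the system trust store is consulted here, and it cannot contain the
# private Demo-CA: the leaf's issuer is not found (20) and the self-signed
# certificate is rejected at depth 0 (18).
echo "leaf, no trust anchor:         $(verify_code "$WORK/leaf.pem")"
echo "self-signed, no trust anchor:  $(verify_code "$WORK/self.pem")"
# The fixes: supply the issuing CA as CAfile or as a hashed CApath directory,
# or, for a self-signed peer, put that very certificate into the trust store.
echo "leaf, -CAfile ca.pem:          $(verify_code "$WORK/leaf.pem" -CAfile "$WORK/ca.pem")"
echo "leaf, -CApath hashed dir:      $(verify_code "$WORK/leaf.pem" -CApath "$capath")"
echo "self-signed, -CAfile self.pem: $(verify_code "$WORK/self.pem" -CAfile "$WORK/self.pem")"
```

Run it with sh; the first two lines print 20 and 18, the last three print 0. The hashed-directory lookup uses the same subject-name hash that c_rehash computes, so when a .0 file does not resolve an issuer, compare its name against the output of openssl x509 -noout -hash -in ca.pem and check that the file holds the PEM certificate itself. The trust store has to be in place before the handshake runs, since that is when the chain is verified and the result stored for SSL_get_verify_result().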