Re: [openssl-users] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2018-02-02 Thread Manuel Wagesreither
Dear Viktor,

that's quite a detailed elaboration. I have learned something from what you 
posted, but as far as this problem is concerned, we were able to get rid of 
your problems by upgrading to OpenSSL 1.1.0g. I'm sure what you conveyed will 
be of help when diagnosing future OpenSSL problems, which, I have no doubt, 
will arise sooner or later.

Thank you for your help!
Manuel
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-28 Thread Viktor Dukhovni


> On Dec 28, 2017, at 4:54 AM, Manuel Wagesreither wrote:
> 
> Thanks for your feedback. Unfortunately I cannot include the certificate raw 
> data as it may contain sensitive information. Also, I'm unable to replace 
> them with self-made certificates as I don't know the parameters the original 
> ones were created with in the first place. The original creators are 
> inaccessible at the moment. If the problem persists, I will reproduce the 
> problem with test certificates (whose raw data I can publish) in a few weeks.

You should be able to publish edited output of:

openssl crl2pkcs7 -nocrl -certfile chain.pem |
openssl pkcs7 -print_certs -text -noout

With any sensitive values hand-replaced with "censored-NNN"
where the "NNN" part uniquely corresponds to each original
value (same values get same "NNN", distinct values get
distinct "NNN").

The "chain.pem" file should have the leaf certificate first,
then its issuer, then the issuer of that certificate, ...
up to the trust anchor.  Please also make sure that the
chain in question (with OpenSSL 1.1.0 per your report)
is reported verified with:

$ openssl verify -no-CApath -no-CAfile \
-trusted root.pem -untrusted chain.pem \
chain.pem

Where "root.pem" contains just the last certificate
from the chain.pem file.  Post the output of that
command for 1.1.0.  Please also report similar output
for 1.0.2, with the command modified to:

$ capath=$(mktemp -d empty.XXXXXX)
$ cafile=root.pem
$ openssl verify -CApath "$capath" -CAfile "$cafile" \
    -trusted root.pem -untrusted chain.pem \
    chain.pem

Again, if anything in the output is sensitive, censor the
values, with "censoredNNN" matching the replacements in
the certificate chain.

-- 
Viktor.
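
The procedure in the message above, run end to end on throwaway certificates (an added example, not part of the original thread). The function names make_chain and verify_chain, the file names ca.cnf and other.pem, and the subject names are constructed for illustration; it assumes the OpenSSL 1.1.0 or later command-line tool.

```shell
#!/bin/sh
# Added example. Every certificate is a constructed throwaway test certificate.

make_chain() {  # $1 = work dir; writes root.pem, other.pem and chain.pem there
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Two unrelated self-signed CAs: "root" issues the leaf, "other" does not.
    for ca in root other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
            -subj "/CN=Constructed Test CA $ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=leaf.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -days 2 -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -out "$d/leaf.pem" 2>/dev/null || return 1
    # Leaf first, then its issuer, up to the trust anchor.
    cat "$d/leaf.pem" "$d/root.pem" > "$d/chain.pem"
}

verify_chain() {  # $1 = work dir, $2 = trust anchor; returns openssl's exit status
    # The 1.1.0 command from the message: no default CApath/CAfile, so the
    # only trust anchor is $2; only the first cert in chain.pem is checked.
    openssl verify -no-CApath -no-CAfile \
        -trusted "$2" -untrusted "$1/chain.pem" "$1/chain.pem" >/dev/null 2>&1
}

work=$(mktemp -d) && make_chain "$work" && {
    for anchor in root other; do
        if verify_chain "$work" "$work/$anchor.pem"
        then echo "$anchor.pem as anchor: verified"
        else echo "$anchor.pem as anchor: rejected"; fi
    done
    rm -rf "$work"
}
```

The same chain.pem is accepted with its own root as the only trust anchor and rejected with the unrelated one, which confirms that the result depends on the -trusted file alone and not on any system default store.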



Re: [openssl-users] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-28 Thread Manuel Wagesreither
Thanks for your feedback. Unfortunately I cannot include the certificate raw 
data as it may contain sensitive information. Also, I'm unable to replace them 
with self-made certificates as I don't know the parameters the original ones 
were created with in the first place. The original creators are inaccessible at 
the moment. If the problem persists, I will reproduce the problem with test 
certificates (whose raw data I can publish) in a few weeks.


Re: [openssl-users] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-23 Thread Viktor Dukhovni


> On Dec 21, 2017, at 6:42 AM, Manuel Wagesreither wrote:
> 
> #include <iostream>
> #include <stdexcept>
> #include <openssl/x509.h>
> 
> unsigned char g_authority[] = { 0x30, 0x82, 0x03, 0x00 /* and so on */ };
> unsigned char g_cert[] = { 0x30, 0x82, 0x02, 0x9b /* and so on */ };

Eliding the certificate data makes it very difficult to provide
meaningful feedback.

> 
> int main(int, char**)
> {
>   // This holds the return codes and gets reused for most function calls
>   int rc = 0;
> 
>   // Make a new store
>   X509_STORE *x509_store = X509_STORE_new();
>   if (x509_store == NULL) {
>     throw std::runtime_error("X509_STORE_new() failed");
>   }
> 
>   // Load and convert the authority's certificate to a compatible form
>   X509 *auth_cert = NULL;
>   {
>     const unsigned char* auth_cert_ptr = g_authority;
>     auth_cert = d2i_X509(NULL, &auth_cert_ptr, sizeof(g_authority));
>     if (auth_cert == nullptr) {
>       throw std::runtime_error("d2i_X509() failed for authoritys certificate");
>     }
>   }
> 
>   // Add the authority's certificate to the store
>   rc = X509_STORE_add_cert(x509_store, auth_cert);
>   if (rc != 1) {
>     throw std::runtime_error("X509_STORE_add_cert() failed");
>   }
> 
>   // Make a new store context
>   X509_STORE_CTX *x509_store_ctx = X509_STORE_CTX_new();
>   if (x509_store_ctx == NULL) {
>     throw std::runtime_error("X509_STORE_CTX_new() failed");
>   }
> 
>   // Load and convert the certificate to be verified to a compatible form
>   X509 *myself = NULL;
>   {
>     const unsigned char *my_cert_ptr = g_cert;
>     myself = d2i_X509(NULL, &my_cert_ptr, sizeof(g_cert));
>     if (myself == NULL) {
>       throw std::runtime_error("d2i_X509() failed for own certificate");
>     }
>   }
> 
>   rc = X509_STORE_CTX_init(x509_store_ctx, x509_store, myself, NULL);
>   if (rc != 1) {
>     throw std::runtime_error("X509_STORE_CTX_init() failed");
>   }
> 
>   rc = X509_verify_cert(x509_store_ctx);
> 
>   X509_STORE_free(x509_store);
>   X509_STORE_CTX_free(x509_store_ctx);

You're freeing x509_store_ctx too early, it is used below for error
reporting.

> 
>   if (rc > 0) {
>     std::cout << X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_store_ctx)) << std::endl;
>     return 0;
>   } else {
>     std::cerr << X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_store_ctx)) << std::endl;
>     std::cerr << "Error depth: " << X509_STORE_CTX_get_error_depth(x509_store_ctx) << std::endl;
>     return 1;
>   }
> }

Please re-post the source code with the *complete* certificate
data.

-- 
Viktor.



Re: [openssl-users] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-21 Thread Manuel Wagesreither
Dear all,

I forgot to mention that I'm using OpenSSL 1.0.2k.

Regards
Manuel