> From: owner-openssl-us...@openssl.org On Behalf Of hamid.sha...@sungard.com
> Sent: Tuesday, 17 January, 2012 09:01

> I am trying to create SSL connection with a remote server
> using OpenSSL in visual C++ (Visual Studio-2008, Win-7). I am
> getting the following errors. Please let me know, what does
> this error indicates, and how can it be rectified.

> Please reply me on my email address as well, because I asked
> one question few weeks back and I never saw its reply until today
> when I was searching for this new problem.

CCed. Note
  http://marc.info/?l=openssl-users&w=2&r=1&s=hamid&q=b
  http://www.mail-archive.com/search?q=hamid.shahid&l=openssl-users%40openssl.org
both show three posts from you:
  2011/12/12-13 error:14077410 --- sslv3 alert handshake failure
  2011/12/03,05 Problems with a setting certificates via OpenSSL in C++ (Windows)
all with replies. (Although for some reason searching your full name in marc gives incomplete results.) If you didn't get those replies, check your incoming email isn't blocking/filtering the list.

> // Error Log
> .... Establishing SSL Connection ....
> Socket bound with server
> Starting SSL HandShake on tcp connection
> SSL error # 1 in accept, program terminated 0
> 12256:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:
> certificate verify failed:.\ssl\s3_clnt.c:984:

It means exactly what it says; the client logic failed to verify the server certificate. Either:
- you've connected to the wrong server
- the server is using an invalid certificate
- you aren't using the correct CA cert(s) (root, and possibly chain if server doesn't supply it/them).

In particular your log excerpt doesn't indicate if you executed your LoadCertificates() before you executed ConnectSSL(). If not (and you don't have the CA cert(s) in the default truststore) client verify of server will fail; since your LoadCertificates() also loads the client key&cert, it would also cause server verify of client if used to fail, but the handshake doesn't get that far.

If you are doing LoadCertificates first and with the correct cert(s), then to get a more detailed error you can add a verify callback (perhaps only temporarily for debugging), or probably easier you can do the same connection attempt with commandline openssl s_client (which already displays the verify callback events in readable form).

Several other comments on your code:
- your log message says "error # in accept" when it's actually in SSL_connect.
- functions of the form ConnectSSL(args...){...} are not valid C++. The return type is required in C++ except for ctors (and dtors), and not only would that be a stupid name for a class and (thus) ctor, but the two functions you show must share data but can't possibly be ctors of one class. My VC++08Express gives error C4430, as it should; there may be some option to crank this down, but you shouldn't.
- except for _passwd_cb_userdata, all of your (char*) casts are unneeded clutter because they are in places that accept const char *. And in the one place you do need it, good C++ style is to use the least powerful new-style cast needed, here const_cast<>.
- your error cleanup is inconsistent and probably wrong in some places depending on how these functions are used, but I'll assume you just haven't gotten to that yet.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
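
An offline reproduction of the third cause listed in the reply above (the correct CA certificate is not in the trust store), added here as an example that is not part of the original message: it builds a constructed throwaway CA, an unrelated CA and a server certificate, then runs `openssl verify`, which prints the verification error number and chain depth. The function names, file names and CNs are assumptions made for this example.

```shell
#!/bin/sh
# Added example: every key and certificate here is constructed, throwaway data.
# new_ca, make_pki, verify_with, demo and the demo-*/other-* names are assumptions.

# new_ca DIR NAME: self-signed CA certificate DIR/NAME.pem with key DIR/NAME.key
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_pki DIR: demo-ca signs demo-server; other-ca is unrelated to both
make_pki() {
    new_ca "$1" demo-ca && new_ca "$1" other-ca || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-server" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/server.csr" -days 1 -CAcreateserial \
        -CA "$1/demo-ca.pem" -CAkey "$1/demo-ca.key" \
        -out "$1/server.pem" 2>/dev/null
}

# verify_with CAFILE CERT: print openssl's verdict, including error number and depth
verify_with() {
    openssl verify -CAfile "$1" "$2" 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_pki "$dir" || { rm -rf "$dir"; return 1; }
    echo "== trust store holds the issuing CA =="
    verify_with "$dir/demo-ca.pem" "$dir/server.pem" || true
    echo "== trust store holds only an unrelated CA =="
    # Expected to fail: the issuer of server.pem cannot be found.
    verify_with "$dir/other-ca.pem" "$dir/server.pem" || true
    rm -rf "$dir"
    return 0
}

demo
```

Against the real server, `openssl s_client -connect HOST:PORT -CAfile FILE` (HOST, PORT and FILE are placeholders) prints the same error numbers in its `verify error:num=...` lines.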