Hi Dave,

Thank you so much for a detailed reply and the code review.

-------------------------------------
Regarding the problem:
-------------------------------------
- Yes, I am calling load certificates before trying to make a connection. According to your suggestion, I have tried to use openssl s_client to see the callback events and got the following log. But how can I add a verify callback in my code?
- Also, I tried commenting out the code which is loading the CA file, and in that case "SSL_connect" gives no error and works fine. Does that mean the CA is not needed at all?

-------------------------------------
Regarding code:
-------------------------------------
- Actually both those functions are members of a class and they have return types, but that got skipped when I pasted the code here.
- Type casting to char * was indeed not needed.
- I am using the class destructor to free the memory. However, please elaborate your point about error-cleanup.

Thanks again.

Kind Regards,
Hamid Shahid

-------------------------------------
openssl s_client Log:
-------------------------------------
Loading 'screen' into random state - done
CONNECTED(00000100)
depth=0 /C=DE/ST=Hessen/L=Frankfurt/O=SIX Swiss Exchange AG/OU=DBAG-a-2011/CN=fixml2.eurexchange.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=DE/ST=Hessen/L=Frankfurt/O=SIX Swiss Exchange AG/OU=DBAG-a-2011/CN=fixml2.eurexchange.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=DE/ST=Hessen/L=Frankfurt/O=SIX Swiss Exchange AG/OU=DBAG-a-2011/CN=fixml2.eurexchange.com
verify error:num=21:unable to verify the first certificate
verify return:1
10720:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:.\ssl\s3_pkt.c:1102:SSL alert number 42
10720:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:182:

============================================================================
-----Original Message-----
From: Dave Thompson [mailto:dthomp...@prinpay.com]
Sent: Wednesday, January 18, 2012 12:18 AM
To: openssl-users@openssl.org
Cc: Shahid, Hamid
Subject: RE: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:.\ssl\s3_clnt.c:984

> From: owner-openssl-us...@openssl.org On Behalf Of hamid.sha...@sungard.com
> Sent: Tuesday, 17 January, 2012 09:01

> I am trying to create an SSL connection with a remote server using
> OpenSSL in visual C++ (Visual Studio-2008, Win-7). I am getting the
> following errors. Please let me know what this error indicates,
> and how it can be rectified.

> Please reply to me on my email address as well, because I asked one
> question a few weeks back and I never saw its reply until today when I
> was searching for this new problem.

CCed. Note
http://marc.info/?l=openssl-users&w=2&r=1&s=hamid&q=b
http://www.mail-archive.com/search?q=hamid.shahid&l=openssl-users%40openssl.org
both show three posts from you:
2011/12/12-13 error:14077410 --- sslv3 alert handshake failure
2011/12/03,05 Problems with a setting certificates via OpenSSL in C++ (Windows)
all with replies. (Although for some reason searching your full name in marc gives incomplete results.) If you didn't get those replies, check your incoming email isn't blocking/filtering the list.

> // Error Log
> .... Establishing SSL Connection ....
> Socket bound with server
> Starting SSL HandShake on tcp connection
> SSL error # 1 in accept, program terminated 0
> 12256:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:
> certificate verify failed:.\ssl\s3_clnt.c:984:

It means exactly what it says; the client logic failed to verify the server certificate. Either:
- you've connected to the wrong server
- the server is using an invalid certificate
- you aren't using the correct CA cert(s) (root, and possibly chain if server doesn't supply it/them).

In particular your log excerpt doesn't indicate if you executed your LoadCertificates() before you executed ConnectSSL(). If not (and you don't have the CA cert(s) in the default truststore) client verify of server will fail; since your LoadCertificates() also loads the client key&cert, it would also cause server verify of client if used to fail, but the handshake doesn't get that far.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org