Hi,
I have a big problem with OpenSSL usage, please help.
OS: Linux version 3.7.10-1.1-desktop (geeko@buildhost) (gcc version 4.7.2 20130108 [gcc-4_7-branch revision 195012] (SUSE Linux) ) #1 SMP PREEMPT Thu Feb 28 15:06:29 UTC 2013 (82d3f21)
OpenSSL version: OpenSSL 1.1.0  25 Aug 2016
I created an OpenSSL client for the iOS APNs client; the SSL initialisation function is as below:

#define CA_CERT_PATH          "./pem"
#define RSA_CLIENT_CERT     "./pem/PushChatCert.pem"
#define RSA_CLIENT_KEY       "./pem/PushChatKey.pem"

bool CAPNSClient::InitAPNSClient()
{
    SSL_library_init();
    SSL_load_error_strings();
    ERR_clear_error();
    OpenSSL_add_all_algorithms();

    m_pMeth = TLS_client_method();
    m_pCtx = SSL_CTX_new(m_pMeth);
    if(NULL == m_pCtx)
    {
        ERRLOG("Could not get SSL Context");
        return false;
    }

    /* CA_CERT_PATH is used as CApath: a directory of CA certificates with hashed file names */
    if(0 == SSL_CTX_load_verify_locations(m_pCtx, NULL, CA_CERT_PATH))
    {
        /* Handle failed load here */
        ERRLOG("Failed to set CA location:%s", ERR_error_string(ERR_get_error(), NULL));
        return false;
    }

    /* client (end-entity) certificate; checked against the context's security level */
    if (0 == SSL_CTX_use_certificate_file(m_pCtx, RSA_CLIENT_CERT, SSL_FILETYPE_PEM))
    {
        ERRLOG("Cannot use Certificate File:%s", ERR_error_string(ERR_get_error(), NULL));
        return false;
    }

    /* passphrase handed to the default PEM password callback when the key file is encrypted */
    SSL_CTX_set_default_passwd_cb_userdata(m_pCtx, (void*)"XXXX");

    if (0 == SSL_CTX_use_PrivateKey_file(m_pCtx, RSA_CLIENT_KEY, SSL_FILETYPE_PEM))
    {
        ERRLOG("Cannot use Private Key:%s", ERR_error_string(ERR_get_error(), NULL));
        return false;
    }

    /* make sure the private key belongs to the certificate loaded above */
    if (0 == SSL_CTX_check_private_key(m_pCtx))
    {
        ERRLOG("Private key does not match the certificate public key");
        return false;
    }

    return true;
}
When the program runs, SSL_CTX_use_certificate_file fails when loading the attached certificate! The error information is:
error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
As suggested by r...@openssl.org last night, I used SSL_CTX_set_security_level(m_pCtx, 0) to switch the security level from 1 to 0. But SSL_CTX_use_certificate_file still failed! The log changed to:
error:140BF10C:SSL routines:ssl_set_cert:x509 lib
The weird thing is, this code and PEM file work well on another server, which has security level 1. So I guess the problem comes from the SSL config. After searching, I found 2 openssl.cnf files, one in /etc/ssl/, the other in /usr/local/ssl. There are only 4 differences in config between these 2 files:
1. default_bits: one is 2048, the other is 1024
2. basicConstraints: one is "critical,CA:true", the other is "CA:true"
3. signer_digest: one is "sha256", the other doesn't have this parameter
4. digests: one is "sha1, sha256, sha384, sha512", the other is "md5, sha1"
I have already been debugging this issue for a whole day, but still don't have any progress. Please help me, or at least guide me on how to solve it.
Thanks a lot!

Attachment: PushChatCert.pem
Description: Binary data

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
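As an added example (not part of the original post or of OpenSSL's own code), this Python script shows what the "ee key too small" check compares: it reads the RSA modulus size out of a PEM certificate with a small DER walker and maps it to the highest OpenSSL security level that still accepts the certificate (level 1 requires at least 1024 bits, level 2 at least 2048, level 0 disables the check). Because the poster's PushChatCert.pem is not on the page, the certificate parsed here is a constructed, unsigned stand-in built by `constructed_cert_pem`; feed the real file's contents to `rsa_key_bits_from_pem_cert` instead.

```python
import base64
import re

# Minimum RSA/DSA/DH key size each OpenSSL security level accepts (SSL_CTX_set_security_level(3)); 0 = no check
LEVEL_MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")      # 1.2.840.113549.1.1.1

def der_tlv(buf, pos=0):
    """Read one DER TLV at pos: (tag, value, next_pos); handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):                             # elements of a SEQUENCE body as (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_key_bits_from_pem_cert(pem):
    """Modulus size in bits of the end-entity ("ee") RSA key inside a PEM certificate."""
    b64 = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S).group(1)
    _, cert, _ = der_tlv(base64.b64decode(b64))
    tbs = der_children(der_children(cert)[0][1])                         # tbsCertificate fields
    alg, spk = der_children(tbs[6 if tbs[0][0] == 0xA0 else 5][1])       # subjectPublicKeyInfo
    assert der_children(alg[1])[0][1] == RSA_ENCRYPTION_OID, "not an RSA certificate"
    _, rsa_pub, _ = der_tlv(spk[1][1:])                                  # BIT STRING minus unused-bits byte
    return int.from_bytes(der_children(rsa_pub)[0][1], "big").bit_length()

def max_security_level(bits):                        # highest level at which this key size still loads
    return max(lvl for lvl, floor in LEVEL_MIN_RSA_BITS.items() if bits >= floor)

def _der(tag, content):                              # tiny DER encoder, only for the constructed sample cert
    n, ln = len(content), (len(content).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | ln]) + n.to_bytes(ln, "big")) + content

def constructed_cert_pem(modulus_bits):
    """Constructed, unsigned, structurally minimal X.509 certificate carrying an RSA key of modulus_bits."""
    enc_int = lambda v: _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    n = (1 << (modulus_bits - 1)) | 1                                    # odd value with exactly modulus_bits bits
    rsa_pub = _der(0x30, enc_int(n) + enc_int(65537))
    alg = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    empty = _der(0x30, b"")                                              # signature alg/issuer/validity/subject left empty
    tbs = _der(0x30, _der(0xA0, enc_int(2)) + enc_int(1) + empty * 4 + spki)
    cert = _der(0x30, tbs + empty + _der(0x03, b"\x00"))                 # placeholder (empty) signature
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(cert).decode()
```

A certificate for which `max_security_level` returns 0 is exactly one that fails with "ee key too small" at the default level 1.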
