Hi there. I guess my problem is really related to the verify callback of the SSL_CTX_set_verify function. I just added a dummy callback returning 1 to my code and everything works properly.
    int verify_callback(int ok, X509_STORE_CTX *ctx);

    /* dummy callback: returns 1 regardless of the verification result */
    int verify_callback(int ok, X509_STORE_CTX *ctx)
    {
        printf("Verification callback OK!\n");
        return 1;
    }
    ...
    SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
                       SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
    ...

The problem is that the error doesn't give much information about what's really going on or what's really missing.

Thanks for your help.

Kind regards.

On Tue, Nov 28, 2017 at 9:11 AM, Jan Just Keijser <janj...@nikhef.nl> wrote:
> Hi,
>
> On 27/11/17 17:07, wizard2...@gmail.com wrote:
> > Hi there.
> > I'm getting this error on a TLS server & client that I'm implementing and I can't really understand what I'm doing wrong.
> >
> > 139853560931992:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1487:SSL alert number 48
> > 139853560931992:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
> >
> > This is the code of my server: https://pastebin.com/Fyuki8v0 and I generate the certificates this way: https://pastebin.com/CDRKU2Gc
> > And I'm testing the server this way: openssl s_client -host 127.0.0.1 -port 4444 -cert client.crt -key client.key -CAfile ca.crt
> >
> > If I run a server this way: openssl s_server -key server.key -cert server.crt -CAfile ca.crt -accept 4444
> > I'm able to communicate with the same certificates, and on my server code I always get:
> >
> > Handshake Error 1
> > SSL_ERROR_SSL...
> >
> > This is the result of the openssl s_client command: https://pastebin.com/AWid1mxi
>
> FWIW: I've downloaded and compiled your code, generated certs using your script (which generates a client and server cert with the same serial number, BTW) and ran the code: I can connect just fine using either openssl 1.0.1e or 1.1.0e.
>
> My bet is that when you run your code you are not loading the right ca.crt file; another way to debug is to add an x509 verify callback which prints out each cert as it is passed for verification.
>
> HTH,
>
> JJK
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users