Hi,

On 29/11/17 14:37, wizard2...@gmail.com wrote:
Hi JJK,

I tested your function and I've got this result:

    ok = 0
    cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
    ok = 1
    cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd


Why do I see this two times?
When I created the certificates I didn't fill in any special information, I just pressed enter at every question that was asked. Do you think this could cause this issue?


what you should have seen is the certificate stack, starting with the CA, and 
then the client cert, e.g.

Connection accept...
ok = 1
cert DN: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/emailAddress=open...@example.com
ok = 1
cert DN: /C=US/O=Cookbook 2.4/CN=client1


so I suspect that your ca.crt on the server side is not specified correctly.
You may also send me your ca.crt, server.{crt,key} and client.{crt,key} files privately, and I will run the same test using your set of certificates.

HTH,

JJK



On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser <janj...@nikhef.nl> wrote:

    Hi,

    On 28/11/17 11:03, wizard2...@gmail.com wrote:
    Hi there.

    I guess my problem is really related to the verify callback of the
SSL_CTX_set_verify function.
    I just added a dummy callback returning 1 to my code and everything works
properly.


        #include <stdio.h>
        #include <openssl/ssl.h>

        /* dummy callback: accepts every certificate, whatever `ok` says */
        int verify_callback (int ok, X509_STORE_CTX *ctx)
        {
            (void)ok;
            (void)ctx;
            printf("Verification callback OK!\n");
            return 1;
        }
        ...
        SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
            SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
        ...


    The problem is that the error doesn't give much information about what's really
going on or what's really missing.
    Thanks for your help.

    Now you've effectively disabled all security :)

    Try adding this to the verify_callback


    #include <stdio.h>
    #include <openssl/x509.h>

    static int verify_callback(int ok, X509_STORE_CTX *ctx)
    {
        X509           *cert = NULL;
        char           *cert_DN = NULL;

        printf("ok = %d\n", ok);
        cert    = X509_STORE_CTX_get_current_cert(ctx);
        /* the current cert can be NULL for some errors, so check before use */
        if (cert != NULL) {
            cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
            printf( "cert DN: %s\n", cert_DN);
            OPENSSL_free(cert_DN);   /* X509_NAME_oneline(..., NULL, 0) allocates */
        }
        /* hand OpenSSL's own verdict back; returning 1 here would disable verification */
        return ok;
    }


    that way, you will know whether your server is processing the right 
certificate chain.

    HTH,

    JJK



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
