Reputation: 445
I wrote code with OpenSSL to connect to the server over TLS. If I load the certificates from a PEM file it works properly. But if I load the certificate from a PFX file, SSL_ERROR_SSL occurs while calling SSL_connect. I don't know whether the process of loading the PFX file is wrong or not. The process is below.
FILE* fp = fopen("cert.pfx", "rb");
PKCS12* p12 = d2i_PKCS12_fp(fp, NULL);
EVP_PKEY* private_key = NULL;
X509* certificate = NULL;
STACK_OF(X509)* ca_certificates = NULL;
PKCS12_parse(p12, NULL, &private_key, &certificate, &ca_certificates);  // NULL password
SSL_CTX_use_certificate(ctx, certificate);
SSL_CTX_use_PrivateKey(ctx, private_key);
SSL_CTX_check_private_key(ctx);
// i indexes the CA stack; add_extra_chain_cert takes ownership of the X509 it is given
SSL_CTX_add_extra_chain_cert(ctx, sk_X509_value(ca_certificates, i));
SSL_CTX_add_client_CA(ctx, sk_X509_value(ca_certificates, i));
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
...
SSL* ssl = SSL_new(ctx);
SSL_set_fd(ssl, sockfd);
SSL_connect(ssl);
...
I have tested the PFX file with another client. It works well. So the problem is not the PFX file. Are there any OpenSSL options that would make the connection fail? Or did I not set the CA certificate correctly? The PFX file contains CAs signed by myself. But it works with the other client.
I called ERR_get_error() after SSL_connect() failed and got "certificate verify failed". So I think there is something wrong in the above process of loading a PFX file. Maybe I don't add the CA certificate correctly. Can anyone tell me the right process to load a PFX?
Please help!
Upvotes: 0
Views: 4242
Reputation: 747
Is your i variable a counter of size sk_num(ca_certificates)? If it is, try removing the line SSL_CTX_add_client_CA, which I think is not suitable for clients (not sure, though).
Also, in your error handling, put the following lines to find out the reason:
SSL_load_error_strings(); // just once, at startup
char err_msg[1024];
ERR_error_string_n(ERR_get_error(), err_msg, sizeof(err_msg));
printf("%s\n", err_msg);
Or, also, you can try getting the SSL error directly:
long ssl_error = SSL_get_verify_result(ssl); // X509_V_OK (0) on success, else an X509_V_ERR_* code
The resulting value can be checked on this page.
Upvotes: 0
Reputation: 11
I discovered that the order in which the certificates are added using SSL_CTX_add_extra_chain_cert does matter. The order in which the certs are returned by PKCS12_parse must have changed from libssl 0.9.8 to libssl1.0. That is why I switched to adding them to the cert store using the code below.
X509_STORE* certStore = SSL_CTX_get_cert_store(ctx);
// ca_certificates is the STACK_OF(X509) filled in by PKCS12_parse
for (int i = 0; i < sk_X509_num(ca_certificates); i++)
{
    if (X509_STORE_add_cert(certStore, sk_X509_value(ca_certificates, i)) == 0)
    {
        ERR_print_errors_fp(stderr);
    }
}
Upvotes: 1