Reputation: 21
I am writing a program with the OpenSSL library to establish an SSL POP connection with another server (e.g. Gmail). For this, I have generated a self-signed certificate using OpenSSL and verified it:
    ./openssl verify -CAfile /home/melluru/openssl/ssl/certs/cert.pem /home/melluru/openssl/ssl/certs/cert.pem
    /home/melluru/openssl/ssl/certs/cert.pem: OK
The verify option of the OpenSSL tools gives an 'OK' result. But when I use the code below in my program to load the certificate and check the verification result, I get an error:
    /* Load the program's own certificate. */
    if (!SSL_CTX_use_certificate_file(ctx, "/home/melluru/openssl/ssl/certs/cert.pem",
                                      SSL_FILETYPE_PEM))
        printf("Can't read certificate file\n");

    /* Load the matching private key (the same PEM file is used here). */
    if (!SSL_CTX_use_PrivateKey_file(ctx, "/home/melluru/openssl/ssl/certs/cert.pem",
                                     SSL_FILETYPE_PEM))
        printf("Can't read keyfile\n");

    /* Load the trusted certificate(s) used to verify the peer. */
    if (SSL_CTX_load_verify_locations(ctx, "/home/melluru/openssl/ssl/certs/cert.pem",
                                      NULL) != 1) {
        printf("loading trust certificate failed\n");
        SSL_CTX_free(ctx);
        return 0;
    }

    /* ... BIO code to connect to the Gmail server ... */

    /* SSL_get_verify_result() returns a long holding an X509_V_* code. */
    printf("ssl verify error is %ld\n", SSL_get_verify_result(ssl));
I am getting error 20, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
Can anyone help? Is there anything I still need to add?
Upvotes: 1
Views: 6841
Reputation: 747
Since your certificate is self-signed, you can use it to check its own signature, as you did with the openssl verify command line.
However, when you try to establish an SSL connection, what you want to verify is not your certificate, but the certificate you are receiving from the server (or client).
In the SSL_CTX_load_verify_locations line you have to point to the certificate chain which you'll trust. It is this chain that will be checked against the certificate you are receiving through the handshake protocol.
I've never worked with an environment like the one you are describing, but you are saying you want to connect to Gmail, so it must be Gmail's certificate chain in the SSL_CTX_load_verify_locations line.
That's why you are receiving the error "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY": OpenSSL could not find locally (in the chain you've supplied through the SSL_CTX_load_verify_locations method) the issuer certificate of the certificate you are receiving.
Upvotes: 2
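To make the answer concrete, here is an added example (not from the question or the answer above) that reproduces the situation offline with Python's ssl module, which drives the same OpenSSL verification: a client whose trust store holds only an unrelated self-signed certificate gets verify error 20 for a CA-signed server certificate, and the same client passes once the trust store holds that certificate's issuer. It assumes the openssl command-line tool is on PATH to generate a throw-away CA and certificates; the hostname, file names and subjects are constructed.

```python
import os, ssl, subprocess, tempfile

def openssl(*args):
    # Thin wrapper around the openssl CLI, assumed to be on PATH.
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def make_test_pki(d, hostname):
    """Constructed throw-away PKI: private CA, CA-signed server cert, unrelated self-signed cert."""
    p = {n: os.path.join(d, n) for n in
         ("ca.pem", "ca.key", "srv.csr", "srv.pem", "srv.key", "own.pem", "own.key")}
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=Test CA", "-keyout", p["ca.key"], "-out", p["ca.pem"])
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=" + hostname,
            "-keyout", p["srv.key"], "-out", p["srv.csr"])
    openssl("x509", "-req", "-in", p["srv.csr"], "-CA", p["ca.pem"], "-CAkey", p["ca.key"],
            "-CAcreateserial", "-days", "1", "-out", p["srv.pem"])
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=my-self-signed", "-keyout", p["own.key"], "-out", p["own.pem"])
    return p

def client_verify(server_cert, server_key, trusted_cert, hostname):
    """In-memory TLS handshake; returns (0, "ok") or (X509 verify error code, message)."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(server_cert, server_key)
    cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    cli_ctx.load_verify_locations(trusted_cert)        # the SSL_CTX_load_verify_locations step
    c2s, s2c = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = cli_ctx.wrap_bio(s2c, c2s, server_hostname=hostname)
    server = srv_ctx.wrap_bio(c2s, s2c, server_side=True)
    done = [False, False]
    try:
        for _ in range(20):  # a handshake needs only a few round trips
            for i, side in enumerate((client, server)):
                if not done[i]:
                    try:
                        side.do_handshake()
                        done[i] = True
                    except ssl.SSLWantReadError:
                        pass  # waiting for bytes from the other side
            if all(done):
                return 0, "ok"
    except ssl.SSLCertVerificationError as e:  # client rejected the server's chain
        return e.verify_code, e.verify_message
    raise RuntimeError("handshake did not complete")

def demo(hostname="pop.example.test"):
    with tempfile.TemporaryDirectory() as d:
        p = make_test_pki(d, hostname)
        wrong = client_verify(p["srv.pem"], p["srv.key"], p["own.pem"], hostname)  # asker's setup
        right = client_verify(p["srv.pem"], p["srv.key"], p["ca.pem"], hostname)   # trust the issuer
    return wrong, right
```

`demo()` returns `((20, 'unable to get local issuer certificate'), (0, 'ok'))`: the first tuple is the asker's configuration, the second the fix the answer describes.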