Reputation: 1546
SSL_connect() produces certificate verify failure
I'm currently rewriting some existing technologies that were once using RSA Security's libraries into OpenSSL, but I'm starting to run into a few issues. Currently, all of the certificate verification code appears to be running without a hitch, until that is, I call SSL_connect().
Before, the call to SSL_connect() would produce SSL_ERROR_WANT_READ.
An answer to this issue on another forum suggested to me that SSL_connect() should be called until it stops producing SSL_ERROR_WANT_READ errors. Unforunately, this only produces something more confusing:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
even though SSL_CTX_load_verify_locations() succeeds. Does anyone have any idea as to why a verification error wouldn't register with certificate methods and wait until SSL_connect() is triggered?
Upvotes: 4
Views: 6465
Answers (1)
Reputation: 55816
Usually this error means that the server certificate your client received in response to SSL_connect() couldn't be verified.
This can happen for different reasons:
- If the server certificate is self-signed, you'll have to authorize that on your
SSL_CONTEXT. - If the server certificate was signed by a certificate authority that is not in the list of trusted CA certificates
- If the server certificate is not valid yet or not valid anymore
Actually, you should set a callback for certificate verification and make it accept any certificate, so you can focus on the connection part. Once it works, just tweak your callback or check your certificates to be valid.
At any time you get a failure, you can call some SSL_get_error() function that will indicate you why the certificate was rejected.
(Unfortunately, I can't access my code base right now, so I cannot give concrete examples)
Here are some code samples from my own SSL Socket wrapper class, adapted for you:
// ctx is a SSL_CONTEXT
// internalCertificateVerificationCallback is a callback static method (or function)
ctx->setVerify(SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, internalCertificateVerificationCallback);
Here is the definition for internalCertificateVerificationCallback:
int SecureSocket::internalCertificateVerificationCallback(int preverify_ok, X509_STORE_CTX* x509_ctx)
{
//preverify_ok contains 1 if the pre-verification succeeded, 0 otherwise.
return 1; // This accepts every certificate
}
Upvotes: 5
Related Questions
- OpenSSL in C++ Socket Connection (HTTPS Client)
- SSL_connect failing in c++ but i can connect through python
- Can't connect to host using OpenSSL in C++
- Certificate verification with BIO_do_connect()
- OpenSSL verify_callback and SSL_connect
- SSL_connect and SSL_ERROR_SYSCALL
- How do I correctly enforce OpenSSL certificates?
- openssl error SSL_ERROR_SSL in c++ application
- SSL Certificate verification fails: Using OpenSSL
- SSL_accept() throws "Invalid argument" error