CODEWITHSUNDEEP
clinuxsslopensslrhel
Anirban
Anirban

Reputation: 580

C: client program reports SSL Certificate verify failed error with localCA

I am writing a simple TLS client/server program to securely communicate over the network. Initially I am building and running both the client and server on the same machine running RHEL 8.2.

First, I am using custom self signned ssl certificate and key for my programs. I have placed the rootCA.crt (my custom CA certificate in /root/CA/rootCA.crt). Also copied the rootCA.pem to /etc/pki/ca-trust/source/anchors/ and executed update-ca-trust enable then update-ca-trust extract to install the certificate to the system. (Not sure if I need to reboot the system for it to take effect.)

Initially, the client and server were able to communicate usint TLS untill I added the certificate validation part of the code on the client side.

Certificate Verification snippet:

ctx = SSL_CTX_new(method);   /* Create new context */
    if ( ctx == NULL )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }

    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);

    SSL_CTX_set_verify_depth(ctx, 4);

    const long flags = SSL_OP_NO_SSLv2 |
                        SSL_OP_NO_SSLv3 |
                        SSL_OP_NO_TLSv1 |
                        SSL_OP_NO_TLSv1_1 |
                        SSL_OP_NO_COMPRESSION;
    SSL_CTX_set_options(ctx, flags);

    if(SSL_CTX_load_verify_locations(ctx, NULL, 
                "/root/CA/") == 0){
        ERR_print_errors_fp(stderr);
        abort();
    }

ssl = SSL_new(ctx);      /* create new SSL connection state */
    SSL_set_fd(ssl, server);    /* attach the socket descriptor */
    if ( SSL_connect(ssl) == FAIL )   /* perform the connection */
        ERR_print_errors_fp(stderr);
    else
    {

        sprintf(acClientRequest, "%s", cpRequestMessage);   /* construct reply */
        printf("\n\nConnected with %s encryption\n", SSL_get_ciphe

}

when I run the server and client programs I see the following error messafe =>

Onclient: 140736372886336:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915:

On Server: 140736022137664:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:1543:SSL alert number 48

Not sure, what is going wrong with the certificate validation process. Can anyone suggest me how to fix this error?

Upvotes: 0

Views: 1506

Answers (1)

Robert
Robert

Reputation: 42734

Just copying your rootCA.crt file into /root/CA/ is not enough.

SSL_CTX_load_verify_locations explicitly states that the files in this directory have to use a specific format:

If CApath is not NULL, it points to a directory containing CA certificates in PEM format. The files each contain one CA certificate. The files are looked up by the CA subject name hash value, which must hence be available. If more than one CA certificate with the same name hash value exist, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the ordering of the extension number, regardless of other properties of the certificates. Use the c_rehash utility to create the necessary links.

Therefore make sure your rootCa.crt is in PEM format. And then generate the required hash and rename it accordingly. The following command generates the hashvalue. Rename the file to <hashvalue>.0.

openssl x509 -inform PEM -subject_hash_old -in rootCa.crt | head -1

If your code then still does not work I would first test if your code works at all. For doing so change the server URL to a real server that sues an HTTPS certificate that is already trusted on your system.

Upvotes: 1

Related Questions