Korcan

Reputation: 11

How can I include my certificate chain and private key in a TLS server using the OpenSSL library?

I am trying to write C code to implement a TLS socket using OpenSSL. The server has a certificate chain with 4 certificates: leaf certificate - intermediate1 certificate - intermediate2 certificate - root certificate. I init everything in this order:

SSL_library_init()
SSL_load_error_strings()         
OpenSSL_add_ssl_algorithms()

When ctx config is:

SSL_CTX_set_cipher_list()
SSL_CTX_use_certificate_chain_file("", pem)
SSL_CTX_use_certificate_file("", pem)      (1)
SSL_CTX_use_PrivateKey_file(".key", pem)

I get the error "unknown ca", which I guess is because calling SSL_CTX_use_certificate_file discards SSL_CTX_use_certificate_chain_file and thus the client cannot verify the server certificate. When the ctx config is:

SSL_CTX_set_cipher_list()
SSL_CTX_use_certificate_chain_file("", pem)  (2)
SSL_CTX_use_PrivateKey_file(".key", pem)

I get a certificate-key mismatch error. I formed the chain using:

cat server.pem intermediate1.pem intermediate2.pem > chain.pem

so I haven't included the root certificate in the chain, since the client already has it. I would expect (2) to work, since the private key is the key corresponding to the server.pem certificate, which is at the top of the chain.

- How should I include the chain in the C code in a way that I don't get a key-cert. mismatch error? I found this function:

SSL_CTX_add_extra_chain_cert()

but I could not understand how to use it. The second argument of this function is X509*, so how should I load and input it to this function? - Is there a function in OpenSSL that loads the certificate from memory? Note that my certificates are all in PEM format and this X509 confuses me, since I am not really familiar with cert. data types. - Do I need to use

SSL_CTX_load_verify_locations()

function on the server side if I am not asking the client for its certificates?

EDIT:

#include <stdbool.h>
#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/* CIPHER_LIST, DEBUG_PRINT, init_openssl(), create_context() and
   acceptedSocket are defined elsewhere in the program. */

SSL *ssl;
SSL_CTX *ctx;

void configure_context(SSL_CTX *ctx)
{
    if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) <= 0) {
        ERR_print_errors_fp(stderr);
    }

    /* PEM file: leaf certificate first, then the intermediates. */
    if (SSL_CTX_use_certificate_chain_file(ctx, "/var/lib/certs/chain.pem") <= 0) {
        ERR_print_errors_fp(stderr);
    }

    /* Must be the private key of the first certificate in chain.pem. */
    if (SSL_CTX_use_PrivateKey_file(ctx, "/var/lib/certs/private.key", X509_FILETYPE_PEM) <= 0) {
        ERR_print_errors_fp(stderr);
    }
}

bool sslAcceptSocket(void)
{
    SSL_library_init();
    init_openssl();
    ctx = create_context();

    configure_context(ctx);
    ssl = SSL_new(ctx);

    /* acceptedSocket is the already-connected TCP socket. */
    SSL_set_fd(ssl, acceptedSocket);
    int err = SSL_accept(ssl);
    if (err < 1) {
        DEBUG_PRINT("SSL Error: %d\n", err);
        ERR_print_errors_fp(stderr);
        return false;
    }
    return true;
}


acceptedSocket is the TCP socket and it works fine. However, I get a key-cert mismatch error in the TLS part. Replacing

SSL_CTX_use_certificate_chain_file(ctx,"/var/lib/certs/chain.pem")

with

SSL_CTX_use_certificate_file(ctx,"/var/lib/certs/leaf.pem")

solves the key-cert. mismatch problem, but then I get the "unknown ca" error (as expected).

Upvotes: 0

Views: 1191

Answers (1)

Korcan

Reputation: 11

The problem was due to the certificates and the key so the code in the "EDIT" part of the question actually works with the correct certificates.

Upvotes: 0
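An added example, not code from the question or its answer: it uses the openssl CLI (rather than the C API) to run the two checks that separate the two errors above, namely that the private key belongs to the first certificate in chain.pem (a wrong first certificate is what produces the key/cert mismatch) and that the chain builds a path to the root (a missing intermediate is what produces "unknown ca"). It generates its own throwaway root/intermediate/leaf PKI; all paths and subject names are constructed.

```shell
#!/bin/sh
# Added example (not from the question or its answer). Builds a throwaway
# root -> intermediate -> leaf PKI with the openssl CLI and runs the two checks
# worth doing before handing chain.pem and a key to
# SSL_CTX_use_certificate_chain_file / SSL_CTX_use_PrivateKey_file.
set -e
WORK=$(mktemp -d)

# make_pki DIR: self-signed root, intermediate signed by root, leaf signed by
# intermediate. Uses its own mini config, so the system openssl.cnf is not needed.
make_pki() {
  d="$1"
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.cnf" -extensions v3_ca \
    -out "$d/int.pem" 2>/dev/null
  openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=server.example" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null
  # Server-side chain file as in the question: leaf FIRST, root omitted.
  cat "$d/server.pem" "$d/int.pem" > "$d/chain.pem"
  # Same certificates in the wrong order: this is what produces a key mismatch.
  cat "$d/int.pem" "$d/server.pem" > "$d/wrong_order.pem"
}

# key_matches_leaf CHAIN KEY: succeeds only if KEY belongs to the FIRST
# certificate in CHAIN, which is the one OpenSSL pairs with the private key.
key_matches_leaf() {
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# chain_verifies ROOT CHAIN: succeeds if the first certificate in CHAIN builds
# a path to ROOT using the rest of CHAIN as untrusted intermediates.
chain_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

make_pki "$WORK"
for f in chain.pem wrong_order.pem server.pem; do
  key_matches_leaf "$WORK/$f" "$WORK/server.key" && k=match || k=MISMATCH
  chain_verifies "$WORK/root.pem" "$WORK/$f" && c=ok || c="unknown ca"
  echo "$f: key $k, chain $c"
done
```

Note that the wrong-order file still verifies (the intermediate chains to the root on its own), so `openssl verify` alone does not catch the ordering mistake; the key check does.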
