CA for IIS-issued self-signed certificate?

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

CA for IIS-issued self-signed certificate?

Charles Mills
[Incorrectly initially posted in dev.]

Please bear with me; I'm a real SSL newbie. I am attempting to develop my first SSL program, an SSL/TLS client that will communicate with a commercial SSL server product (Kiwi Server) that is running on a VM on my system.

Kiwi *only* accepts IIS-issued certificates. I issued a certificate using IIS 7.5 Manager "Issue Self-Signed Certificate." Windows 7 says "This certificate is OK."

My client follows the general scheme of the client in Chapter 5 of the O'Reilly OpenSSL book. I know am getting the certificate back correctly from the server because the FQDN in the certificate is correct.

But if I turn on SSL_CTX_set_verify(SslCtx, SSL_VERIFY_PEER, NULL) in my client then SSL_connect(SslObj) fails with 8140:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:.\ssl\s3_clnt.c:1166:

In my context setup I am doing SSL_CTX_load_verify_locations(SslCtx, "path of IIS certficate in PEM format", NULL) and SSL_CTX_set_default_verify_paths(SslCtx) with no error. Obviously that is incorrect or insufficient.

Can anyone point me at what I should be doing differently? Thanks much,
Reply | Threaded
Open this post in threaded view
|

RE: CA for IIS-issued self-signed certificate?

Dave Thompson-5
> From: [hidden email] On Behalf Of CharlesTSR
> Sent: Friday, 10 August, 2012 16:48

> Please bear with me; I'm a real SSL newbie. I am attempting
> to develop my
> first SSL program, an SSL/TLS client that will communicate
> with a commercial
> SSL server product (Kiwi Server) that is running on a VM on
> my system.
>
> Kiwi *only* accepts IIS-issued certificates. I issued a
> certificate using
> IIS 7.5 Manager "Issue Self-Signed Certificate." Windows 7 says "This
> certificate is OK."
>
> My client follows the general scheme of the client in Chapter 5 of the
> O'Reilly OpenSSL book. I know am getting the certificate back
> correctly from
> the server because the FQDN in the certificate is correct.
>
> But if I turn on SSL_CTX_set_verify(SslCtx, SSL_VERIFY_PEER,
> NULL) in my
> client then SSL_connect(SslObj) fails with 8140:error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed:.\ssl\s3_clnt.c:1166:
>
> In my context setup I am doing
> SSL_CTX_load_verify_locations(SslCtx, "path
> of IIS certficate in PEM format", NULL) and
> SSL_CTX_set_default_verify_paths(SslCtx) with no error.
> Obviously that is
> incorrect or insufficient.
>
If you call load_verify_locations and subsequently call
set_default_verify_paths, the later call overrides and
(only) the default file and/or directory are used.
If you don't have the server selfsigned cert there --
and for Windows, depending on the build, the default(s)
may not even exist or be writable -- nothing will verify.

Use just load_verify_locations.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: CA for IIS-issued self-signed certificate?

Charles Mills
> If you ... subsequently call set_default_verify_paths, the later call
overrides and
> (only) the default file and/or directory are used.

Thanks. I wondered about that. I commented it out though and still get
exactly the same result.

I also added a certificate verify callback. I come through there and get

  err 20:unable to get local issuer certificate

Charles


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: CA for IIS-issued self-signed certificate?

Charles Mills
In reply to this post by Dave Thompson-5
I wondered if perhaps there were path or filename specification problems
(need to escape backslashes? a problem with embedded spaces?) but I
eliminated all of those variables -- put the certificate with a "simple"
name in the current path.

What do I look for? How do I get more granularity than "unable to get local
issuer certificate"?

I'm using a pre-built Windows distribution of OpenSSL 1.0.1c. It will take
some re-arrangement to be able to trace into OpenSSL.

64-bit Windows, if that matters.

Charles
-----Original Message-----
From: Charles Mills [mailto:[hidden email]]
Sent: Friday, August 10, 2012 8:54 PM
To: '[hidden email]'
Subject: RE: CA for IIS-issued self-signed certificate?

> If you ... subsequently call set_default_verify_paths, the later call
overrides and
> (only) the default file and/or directory are used.

Thanks. I wondered about that. I commented it out though and still get
exactly the same result.

I also added a certificate verify callback. I come through there and get

  err 20:unable to get local issuer certificate

Charles


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: CA for IIS-issued self-signed certificate?

Dave Thompson-5
> From: [hidden email] On Behalf Of Charles Mills
> Sent: Saturday, 11 August, 2012 08:57

> I wondered if perhaps there were path or filename
> specification problems
> (need to escape backslashes? a problem with embedded spaces?) but I
> eliminated all of those variables -- put the certificate with
> a "simple"
> name in the current path.
>
If the filename can't be opened SSL_CTX_load_verify_locations
returns false. Your code does check for that, I hope.

FWIW, the Windows *API* has no problem with space in filename
(unlike some Windows *UIs*). And it actually accepts either slash
or backslash separator (and sometimes slash is more convenient).

> What do I look for? How do I get more granularity than
> "unable to get local
> issuer certificate"?
>
Top-level cut: do you get the same error (verify 20) with s_client?
If so, the problem is either the cert or the truststore, and you're
confident of the truststore. Make sure the description as self-signed
(or at least self-issued) is correct, i.e. the Subject and Issuer
names are *exactly* the same. If s_client works, the problem is
almost certainly (say 99.9%) in your code.

This reminds me of one possibility that came up with someone else
a few weeks ago: if your self-signed cert has a KeyUsage extension
that does not include certSign, OpenSSL skips it for chain-building,
resulting in verify 20. If you look at the cert with the usual
Windows tools (inetcpl, CryptExtOpenCER, mmc) you should be able
to see if KeyUsage is present and if so what is in it, or you can
use commandline openssl x509 -text.

If neither of the above, you probably do need to debug, but:

> I'm using a pre-built Windows distribution of OpenSSL 1.0.1c.
> It will take
> some re-arrangement to be able to trace into OpenSSL.
>
That's unfortunate.

> 64-bit Windows, if that matters.
>
It shouldn't, but if there's a bug somewhere, it might.

<snip previous>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: CA for IIS-issued self-signed certificate?

Charles Mills
Dave -

Thanks much!

> If the filename can't be opened SSL_CTX_load_verify_locations returns
false. Your code does check for that, I hope.

Good to know. Thanks. (Sometime APIs just "stash" a name somewhere for use
later.) Yes, I check every return code and put out a good error message if
the call fails.

> the Windows *API* has no problem with space in filename (unlike some
Windows *UIs*).

Like, say, VBA, or at least the MS-Word fields.

> And it actually accepts either slash or backslash separator

Right, I knew that, but I should remember it with MS-Word (which I use a lot
for documentation). Not having to escape \ would be a small step forward.
Thanks.

> Make sure ... the Subject and Issuer names are *exactly* the same

> if your self-signed cert has a KeyUsage extension that does not include
certSign,
> OpenSSL skips it for chain-building, resulting in verify 20.

Looks like the latter to me. Please look below and tell me if you don't
agree. If so, I fear it is unsolvable, but it does not really matter as the
Kiwi is just for testing and if I know why it is failing that is almost as
good as it succeeding. I can bypass the verify failure and use it to test
everything else. My own client and server with a more conventional cert and
CA setup is verifying.

Here is a little of the s_client output:

depth=0 /CN=KiwiServer
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=KiwiServer
verify error:num=21:unable to verify the first certificate
verify return:1

And here is the certificate -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            62:72:81:ef:1c:37:e2:9b:4f:ce:08:bb:a6:bf:82:03
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=KiwiServer
        Validity
            Not Before: Jul 27 21:05:20 2012 GMT
            Not After : Jul 27 00:00:00 2013 GMT
        Subject: CN=KiwiServer
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    <snip>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha1WithRSAEncryption
        <snip>
-----END CERTIFICATE-----

Charles

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Dave Thompson
Sent: Monday, August 13, 2012 7:09 PM
To: [hidden email]
Subject: RE: CA for IIS-issued self-signed certificate?

> From: [hidden email] On Behalf Of Charles Mills
> Sent: Saturday, 11 August, 2012 08:57

> I wondered if perhaps there were path or filename specification
> problems (need to escape backslashes? a problem with embedded spaces?)
> but I eliminated all of those variables -- put the certificate with a
> "simple"
> name in the current path.
>
If the filename can't be opened SSL_CTX_load_verify_locations returns false.
Your code does check for that, I hope.

FWIW, the Windows *API* has no problem with space in filename (unlike some
Windows *UIs*). And it actually accepts either slash or backslash separator
(and sometimes slash is more convenient).

> What do I look for? How do I get more granularity than "unable to get
> local issuer certificate"?
>
Top-level cut: do you get the same error (verify 20) with s_client?
If so, the problem is either the cert or the truststore, and you're
confident of the truststore. Make sure the description as self-signed (or at
least self-issued) is correct, i.e. the Subject and Issuer names are
*exactly* the same. If s_client works, the problem is almost certainly (say
99.9%) in your code.

This reminds me of one possibility that came up with someone else a few
weeks ago: if your self-signed cert has a KeyUsage extension that does not
include certSign, OpenSSL skips it for chain-building, resulting in verify
20. If you look at the cert with the usual Windows tools (inetcpl,
CryptExtOpenCER, mmc) you should be able to see if KeyUsage is present and
if so what is in it, or you can use commandline openssl x509 -text.

If neither of the above, you probably do need to debug, but:

> I'm using a pre-built Windows distribution of OpenSSL 1.0.1c.
> It will take
> some re-arrangement to be able to trace into OpenSSL.
>
That's unfortunate.

> 64-bit Windows, if that matters.
>
It shouldn't, but if there's a bug somewhere, it might.

<snip previous>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: CA for IIS-issued self-signed certificate?

Dave Thompson-5
> From: [hidden email] On Behalf Of Charles Mills
> Sent: Tuesday, 14 August, 2012 08:09
<snip>

> > if your self-signed cert has a KeyUsage extension that does
> > not include certSign,
> > OpenSSL skips it for chain-building, resulting in verify 20.
>
> Looks like the latter to me. Please look below and tell me if
> you don't
> agree. If so, I fear it is unsolvable, but it does not really
> matter as the
> Kiwi is just for testing and if I know why it is failing that
> is almost as
> good as it succeeding.
<snip>
> Certificate:
<snip>
>         X509v3 extensions:
>             X509v3 Key Usage:
>                 Key Encipherment, Data Encipherment

Yes, that's KeyUsage without certSign. Since problem-understood
is sufficient for you in this situation, fine.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]