Certificate verification failure


Certificate verification failure

Yan, Bob

Dear Sir/Madam,

I have an application which acts as an SSL server. When the application loads the root and intermediate CA files from a CA path, the handshake between my application and the openssl client fails at the point where my application is authenticating the client's certificate. But when I bundle the root CA and intermediate CA into a single PEM file and reload it from my application, the handshake is successful. Could anybody help me resolve this issue? Below is a sample of my application code for loading the CA certificates:

#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/* ctx, caFile, caPath, certFile, keyFile, chainDepths and callback are set up elsewhere */
if (SSL_CTX_load_verify_locations(ctx, caFile, caPath) != 1) {
    ERR_print_errors_fp(stderr);   /* dump the OpenSSL error queue before exiting */
    exit(EXIT_FAILURE);
}
if (SSL_CTX_set_default_verify_paths(ctx) != 1) {
    ERR_print_errors_fp(stderr);
    exit(EXIT_FAILURE);
}
if (SSL_CTX_use_certificate_chain_file(ctx, certFile) != 1) {
    ERR_print_errors_fp(stderr);
    exit(EXIT_FAILURE);
}
if (SSL_CTX_use_PrivateKey_file(ctx, keyFile, SSL_FILETYPE_PEM) != 1) {
    ERR_print_errors_fp(stderr);
    exit(EXIT_FAILURE);
}
SSL_CTX_set_verify_depth(ctx, chainDepths);
/* require and verify a client certificate */
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, callback);
SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);

Thank you very much!

Bob

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Certificate verification failure

Jan Just Keijser-2
Yan, Bob wrote:

>
> Dear Sir/Madam,
>
> I have an application which acts as an SSL server. When the application
> loads the root and intermediate CA files from a CA path, the handshake
> between my application and the openssl client fails at the point where
> my application is authenticating the client's certificate. But when I
> bundle the root CA and intermediate CA into a single PEM file and
> reload it from my application, the handshake is successful. Could
> anybody help me resolve this issue? Below is a sample of my
> application code for loading the CA certificates:
>
> if (SSL_CTX_load_verify_locations(ctx, caFile, caPath) != 1) {
>     exit(EXIT_FAILURE);
> }
> if (SSL_CTX_set_default_verify_paths(ctx) != 1) {
>     exit(EXIT_FAILURE);
> }
> if (SSL_CTX_use_certificate_chain_file(ctx, certFile) != 1) {
>     exit(EXIT_FAILURE);
> }
> if (SSL_CTX_use_PrivateKey_file(ctx, keyFile, SSL_FILETYPE_PEM) != 1) {
>     exit(EXIT_FAILURE);
> }
> SSL_CTX_set_verify_depth(ctx, chainDepths);
> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, callback);
> SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>

When you're using a CA path, what are the contents of this CA path
directory? In it you should have placed the root and intermediate CA
files using special names. Instead of using "ca.pem" you need to have a
file "<hash>.0", where <hash> is the output of "openssl x509 -hash
-noout -in ca.pem" (and similarly for the intermediate CA file).

JJK


Re: Certificate verification failure

Yan, Bob
Thanks Jan,

When I am using the CApath, I do have the symbolic hash links (with ".0" appended to the hash) linked to my ca-root.pem certificate file and ca-intermediate.pem certificate. Are there any other issues which could cause this?

-----Original Message-----
From: openssl-users [mailto:[hidden email]] On Behalf Of Jan Just Keijser
Sent: Monday, February 01, 2016 1:04 AM
To: [hidden email]
Subject: Re: [openssl-users] Certificate verification failure

Yan, Bob wrote:

>
> Dear Sir/Madam,
>
> I have an application which acts as an SSL server. When the application
> loads the root and intermediate CA files from a CA path, the handshake
> between my application and the openssl client fails at the point where
> my application is authenticating the client's certificate. But when I
> bundle the root CA and intermediate CA into a single PEM file and
> reload it from my application, the handshake is successful. Could
> anybody help me resolve this issue? Below is a sample of my
> application code for loading the CA certificates:
>
> if (SSL_CTX_load_verify_locations(ctx, caFile, caPath) != 1) {
>     exit(EXIT_FAILURE);
> }
> if (SSL_CTX_set_default_verify_paths(ctx) != 1) {
>     exit(EXIT_FAILURE);
> }
> if (SSL_CTX_use_certificate_chain_file(ctx, certFile) != 1) {
>     exit(EXIT_FAILURE);
> }
> if (SSL_CTX_use_PrivateKey_file(ctx, keyFile, SSL_FILETYPE_PEM) != 1) {
>     exit(EXIT_FAILURE);
> }
> SSL_CTX_set_verify_depth(ctx, chainDepths);
> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, callback);
> SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>

When you're using a CA path, what are the contents of this CA path directory? In it you should have placed the root and intermediate CA files using special names. Instead of using "ca.pem" you need to have a file "<hash>.0", where <hash> is the output of "openssl x509 -hash -noout -in ca.pem" (and similarly for the intermediate CA file).

JJK


Re: Certificate verification failure

Jan Just Keijser-2
Yan, Bob wrote:
> Thanks Jan,
>
> When I am using the CApath, I do have the symbolic hash links (with ".0" appended to the hash) linked to my ca-root.pem certificate file and ca-intermediate.pem certificate. Are there any other issues which could cause this?
>
What happens if you run

  openssl verify -CApath <dir> client.crt

Is that certificate correctly verified?

HTH,

JJK

> -----Original Message-----
> From: openssl-users [mailto:[hidden email]] On Behalf Of Jan Just Keijser
> Sent: Monday, February 01, 2016 1:04 AM
> To: [hidden email]
> Subject: Re: [openssl-users] Certificate verification failure
>
> Yan, Bob wrote:
>
>> Dear Sir/Madam,
>>
>> I have an application which acts as an SSL server. When the application
>> loads the root and intermediate CA files from a CA path, the handshake
>> between my application and the openssl client fails at the point where
>> my application is authenticating the client's certificate. But when I
>> bundle the root CA and intermediate CA into a single PEM file and
>> reload it from my application, the handshake is successful. Could
>> anybody help me resolve this issue? Below is a sample of my
>> application code for loading the CA certificates:
>>
>> if (SSL_CTX_load_verify_locations(ctx, caFile, caPath) != 1) {
>>     exit(EXIT_FAILURE);
>> }
>> if (SSL_CTX_set_default_verify_paths(ctx) != 1) {
>>     exit(EXIT_FAILURE);
>> }
>> if (SSL_CTX_use_certificate_chain_file(ctx, certFile) != 1) {
>>     exit(EXIT_FAILURE);
>> }
>> if (SSL_CTX_use_PrivateKey_file(ctx, keyFile, SSL_FILETYPE_PEM) != 1) {
>>     exit(EXIT_FAILURE);
>> }
>> SSL_CTX_set_verify_depth(ctx, chainDepths);
>> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, callback);
>> SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>>
>
> When you're using a CA path, what are the contents of this CA path directory? In it you should have placed the root and intermediate CA files using special names. Instead of using "ca.pem" you need to have a file "<hash>.0", where <hash> is the output of "openssl x509 -hash -noout -in ca.pem" (and similarly for the intermediate CA file).
>
> JJK
>

Re: Certificate verification failure

Yan, Bob
Hi Jan,

The problem was due to a version mismatch between the openssl library (used by the application) and the openssl executable. Basically the CA/intermediate CA certificate hash is calculated differently between the two versions.

Thank you for your help!
Bob
   
-----Original Message-----
From: openssl-users [mailto:[hidden email]] On Behalf Of Jan Just Keijser
Sent: Wednesday, February 03, 2016 8:17 AM
To: [hidden email]
Subject: Re: [openssl-users] Certificate verification failure

Yan, Bob wrote:
> Thanks Jan,
>
> When I am using the CApath, I do have the symbolic hash links (with ".0" appended to the hash) linked to my ca-root.pem certificate file and ca-intermediate.pem certificate. Are there any other issues which could cause this?
>
What happens if you run

  openssl verify -CApath <dir> client.crt

Is that certificate correctly verified?

HTH,

JJK

> -----Original Message-----
> From: openssl-users [mailto:[hidden email]] On
> Behalf Of Jan Just Keijser
> Sent: Monday, February 01, 2016 1:04 AM
> To: [hidden email]
> Subject: Re: [openssl-users] Certificate verification failure
>
> Yan, Bob wrote:
>
>> Dear Sir/Madam,
>>
>> I have an application which acts as an SSL server. When the application
>> loads the root and intermediate CA files from a CA path, the handshake
>> between my application and the openssl client fails at the point where
>> my application is authenticating the client's certificate. But when I
>> bundle the root CA and intermediate CA into a single PEM file and
>> reload it from my application, the handshake is successful. Could
>> anybody help me resolve this issue? Below is a sample of my
>> application code for loading the CA certificates:
>>
>> if (SSL_CTX_load_verify_locations(ctx, caFile, caPath) != 1) {
>>     exit(EXIT_FAILURE);
>> }
>> if (SSL_CTX_set_default_verify_paths(ctx) != 1) {
>>     exit(EXIT_FAILURE);
>> }
>> if (SSL_CTX_use_certificate_chain_file(ctx, certFile) != 1) {
>>     exit(EXIT_FAILURE);
>> }
>> if (SSL_CTX_use_PrivateKey_file(ctx, keyFile, SSL_FILETYPE_PEM) != 1) {
>>     exit(EXIT_FAILURE);
>> }
>> SSL_CTX_set_verify_depth(ctx, chainDepths);
>> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, callback);
>> SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>>
>
> When you're using a CA path, what are the contents of this CA path directory? In it you should have placed the root and intermediate CA files using special names. Instead of using "ca.pem" you need to have a file "<hash>.0", where <hash> is the output of "openssl x509 -hash -noout -in ca.pem" (and similarly for the intermediate CA file).
>
> JJK
>
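The script below is an added, self-contained example written for this page; it is not code from the thread or from the OpenSSL project. It ties Jan's point about "<hash>.0" file names to Bob's finding about hash versions: OpenSSL 1.0.0 changed the subject-name hash used for CApath lookups (SHA-1 based since then, MD5 based in 0.9.8 and earlier, which is what "openssl x509 -subject_hash_old" still prints), so a directory hashed by one version's "openssl x509 -hash" is invisible to a library of the other version. The script builds a throwaway root/intermediate/client chain with the openssl CLI (the CA names, the temp directory and the helper function names are assumptions), installs the two CAs into three CApath directories named with the new hash, the old hash, and both, and runs "openssl verify -CApath" against each with the default trust stores disabled. Only the directories that carry the hash the running openssl uses verify the client certificate.

```shell
#!/bin/sh
# Added example, not code from the thread: build a CApath directory the way
# SSL_CTX_load_verify_locations()/"openssl verify -CApath" expect it, and show
# that a directory hashed with the other naming scheme is not found.
# Assumes the openssl CLI is on PATH; every certificate below is constructed
# on the fly in a temp dir (demo root CA, demo intermediate CA, demo client).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Root -> intermediate -> client. Both CAs get basicConstraints CA:TRUE;
# without it OpenSSL refuses to use the intermediate as an issuer.
gen_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >"$WORK/leaf.ext"

    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
        -out "$WORK/inter.pem" 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/client.csr" -CA "$WORK/inter.pem" \
        -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
        -out "$WORK/client.pem" 2>/dev/null
}

# Copy one CA cert into a CApath dir under its subject-hash name.
#   $1 cert, $2 dir, $3 hash flag: -hash (SHA-1 based, OpenSSL >= 1.0.0) or
#   -subject_hash_old (MD5 based, what 0.9.8 and older libraries look for).
# The ".N" suffix starts at 0 and is bumped when another CA has the same hash.
# Prints the path it created.
install_hashed() {
    mkdir -p "$2"
    h="$(openssl x509 -noout "$3" -in "$1")"
    n=0
    while [ -e "$2/$h.$n" ]; do n=$((n + 1)); done
    cp "$1" "$2/$h.$n"
    echo "$2/$h.$n"
}

# Verify a leaf against one CApath only (default CAfile/CApath disabled), so
# the outcome depends purely on the hashed directory. Returns 0 on "OK".
verify_with_capath() {
    out="$(openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" 2>&1)" || return 1
    case "$out" in *": OK"*) return 0 ;; esac
    return 1
}

demo() {
    gen_chain
    new="$WORK/capath-new"; old="$WORK/capath-old-only"; both="$WORK/capath-both"
    for ca in "$WORK/root.pem" "$WORK/inter.pem"; do
        install_hashed "$ca" "$new"  -hash             >/dev/null
        install_hashed "$ca" "$old"  -subject_hash_old >/dev/null
        install_hashed "$ca" "$both" -hash             >/dev/null   # both names: what
        install_hashed "$ca" "$both" -subject_hash_old >/dev/null   # c_rehash creates
    done
    echo "names in $both:"; ls "$both"
    for d in "$new" "$old" "$both"; do
        if verify_with_capath "$d" "$WORK/client.pem"; then
            echo "$(basename "$d"): client.pem verifies"
        else
            echo "$(basename "$d"): verification fails (issuer not found under these names)"
        fi
    done
}

demo
```

Two practical notes follow from this. First, the hash names must come from the same OpenSSL version the application links against, or the directory should carry both names; c_rehash (and "openssl rehash" from 1.1.0 on) creates both link forms for exactly this reason. Second, SSL_CTX_load_verify_locations() only registers the directory for on-demand lookup, so it returns 1 for a wrongly hashed CApath and the failure surfaces later, during the handshake, as a missing issuer; a bundled CAfile is parsed up front, which is why the thread's CAfile variant worked while the CApath variant did not.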