Fwd: Error in Opening SSL Certificate


Fwd: Error in Opening SSL Certificate

Amiya Das
Hi,

I have written an application for connecting to AzureIOT hub using AMQP protocol.
When I run the application it fails because of SSL issue stating 14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.

Any help would be appreciated.
Below are the details for the OS:
Yocto linux
Kernel 4.4.19-gdb0b54cdad

Info: IoT Hub SDK for C, version 1.1.19

I am not sure why this issue is appearing; it looks like an OpenSSL issue. But I do have the OpenSSL certificates in the location below:
"/etc/ssl/certs/ca-certificates.crt"

Following is more information using openssl:

-sh-3.2# openssl version -d
OPENSSLDIR: "/usr/lib/ssl"

But the actual certificates are located under the /etc/ssl/ folder, so I copied all the certificates under the /usr/lib/ssl folder, but still there was no luck with this.
OpenSSL version 1.0.2h is currently installed.
CONNECTED(00000004)
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT SSL SHA2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=*.azure-devices.net
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
 1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
Server certificate
-----BEGIN CERTIFICATE-----
Certificate displayed here properly

-----END CERTIFICATE-----
subject=/CN=*.azure-devices.net
issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3692 bytes and written 485 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA256
    Session-ID: DA000000F6835606D8F94D7184BE980E23C55D49D08BA33A8A5709A2C4763848
    Session-ID-ctx:
    Master-Key: EE1BEBA238F3B31AB83419452937BEB989E8A0BEB018E5D77B1148903BA35905D86DDF43F2745F593EE73AF0481F6819
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1502367353
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Thanks,
Amiya.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Fwd: Error in Opening SSL Certificate

Viktor Dukhovni
On Thu, Aug 10, 2017 at 06:27:41PM +0530, Amiya Das wrote:

> I have written an application for connecting to AzureIOT hub using AMQP
> protocol.
> When i run the application it fails because of SSL issue stating *14090086:SSL
> routines:ssl3_get_server_certificate:certificate verify failed.*

This means that the certificate chain presented does not chain up
to a locally trusted root CA, or is expired, or some other chain
verification problem.  You need to determine what certificates are
presented by the remote peer, what trust anchors (root CAs) you're
using and why the chain does not verify against these trust-anchors.

> Any help would be appreciate..
> Below are the details for the OS
> Yocto linux
> Kernel 4.4.19-gdb0b54cdad
>
> Info: IoT Hub SDK for C, version 1.1.19

That's largely irrelevant.

> i am not sure why this issue is appearing, it looks like an openssl issue.
> But i do have the openssl certificates in the below location,
> "/etc/ssl/certs/ca-certificates.crt"

That's not where OpenSSL will look by default, unless:

> Following are the more information using openssl,
>
> -sh-3.2# openssl version -d
> OPENSSLDIR: "/usr/lib/ssl"

OpenSSL will by default look in:

    <OPENSSLDIR>/certs.pem - PEM file with multiple trusted certificates
    <OPENSSLDIR>/certs/ - Directory with certificate files "hashed" via c_rehash

Perhaps you have symlinks in place that lead to ca-certificates.crt,
or code to populate the /certs/ directory, but otherwise you'll
need such links, or the application will need to explicitly set the
appropriate CAfile or CApath.

>     Verify return code: 20 (unable to get local issuer certificate)

Your CAfile/CApath do not contain a trust-anchor that verifies the
given chain.

--
        Viktor.
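As an added example (not code from the post or from Viktor's reply), a POSIX sh diagnostic for the situation in this thread: it reads OPENSSLDIR from `openssl version -d`, checks the two compiled-in default locations (OpenSSL's default file is `<OPENSSLDIR>/cert.pem` and the hashed directory is `<OPENSSLDIR>/certs/`), and shows that certificates merely copied into that directory, as the poster did, are not usable because a CApath lookup is by subject-name hash, not by file name. It assumes an openssl binary on PATH for the live report; the suggested link target is the poster's /etc/ssl/certs/ca-certificates.crt.

```shell
#!/bin/sh
# Added diagnostic (not from the original post or reply): where does this OpenSSL
# look for trust anchors by default, and is the distro bundle reachable there?

# Print the OPENSSLDIR the installed openssl binary was built with.
openssl_dir() {
    openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# count_pem_certs FILE: number of PEM certificates in a bundle (0 if absent).
count_pem_certs() {
    if [ -f "$1" ]; then grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
    else echo 0; fi
}

# hashed_entries DIR: number of c_rehash-style <8 hex digits>.N entries in DIR.
# Plain copies of certificate files (the poster's approach) do not count:
# the CApath lookup is by subject-name hash, not by file name.
hashed_entries() {
    if [ -d "$1" ]; then ls "$1" | grep -c '^[0-9a-f]\{8\}\.[0-9]\{1,\}$' || true
    else echo 0; fi
}

# check_trust_store DIR: report the default CAfile (DIR/cert.pem) and CApath
# (DIR/certs/); return 0 if at least one of them is usable.
check_trust_store() {
    cts_ok=1
    cts_n=$(count_pem_certs "$1/cert.pem")
    cts_h=$(hashed_entries "$1/certs")
    if [ "$cts_n" -gt 0 ]; then cts_ok=0; fi
    if [ "$cts_h" -gt 0 ]; then cts_ok=0; fi
    echo "CAfile $1/cert.pem: $cts_n certificate(s)"
    echo "CApath $1/certs: $cts_h hashed entry(ies)"
    return $cts_ok
}

main() {
    m_dir=$(openssl_dir)
    [ -n "$m_dir" ] || { echo "openssl version -d gave no OPENSSLDIR"; return 1; }
    echo "OPENSSLDIR: $m_dir"
    check_trust_store "$m_dir" && return 0
    echo "No default trust anchors. Either link the distro bundle, e.g."
    echo "  ln -s /etc/ssl/certs/ca-certificates.crt $m_dir/cert.pem"
    echo "or have the application pass an explicit CAfile/CApath (SSL_CTX_load_verify_locations)."
    return 1
}

# Only produce the live report when an openssl binary is on PATH.
if command -v openssl >/dev/null 2>&1; then main || :; fi
```

After linking or rehashing, `openssl s_client -connect <host>:443` should report `Verify return code: 0 (ok)` instead of 20.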