SSL alert number 48


SSL alert number 48

wizard2010
Hi there.

I'm getting this error on a TLS server&client that I'm implementing and I can't really understand what I'm doing wrong.

139853560931992:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1487:SSL alert number 48
139853560931992:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

This is the code of my server: https://pastebin.com/Fyuki8v0 and I generate the certificates this way: https://pastebin.com/CDRKU2Gc
And I'm testing the server this way: openssl s_client -host 127.0.0.1 -port 4444 -cert client.crt -key client.key -CAfile ca.crt

If I run a server this way: openssl s_server -key server.key -cert server.crt -CAfile ca.crt -accept 4444
I'm able to communicate with the same certificates, while with my own server code I always get:
Handshake Error 1
SSL_ERROR_SSL...
 
This is the result of openssl s_client command: https://pastebin.com/AWid1mxi

Any idea what's happening to get this error?

Kind regards.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: SSL alert number 48

Jan Just Keijser-2
Hi,

On 27/11/17 17:07, [hidden email] wrote:
Hi there.

I'm getting this error on a TLS server&client that I'm implementing and I can't really understand what I'm doing wrong.

139853560931992:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1487:SSL alert number 48
139853560931992:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

This is the code of my server: https://pastebin.com/Fyuki8v0 and I generate the certificates this way: https://pastebin.com/CDRKU2Gc
And I'm testing the server this way: openssl s_client -host 127.0.0.1 -port 4444 -cert client.crt -key client.key -CAfile ca.crt

If I run a server this way openssl s_server -key server.key -cert server.crt -CAfile ca.crt -accept 4444
I'm able to communicate with the same certificates and on my server code I always get:
Handshake Error 1
SSL_ERROR_SSL...
 
This is the result of openssl s_client command: https://pastebin.com/AWid1mxi

FWIW: I've downloaded and compiled your code, generated certs using your script (which generates a client and server cert with the same serial number, BTW) and ran the code: I can connect just fine using either openssl 1.0.1e or 1.1.0e

My bet is that when you run your code you are not loading the right ca.crt file; another way to debug is to add an x509 verify callback which prints out each cert as it is passed for verification.

HTH,

JJK



Re: SSL alert number 48

wizard2010
Hi there.

I guess my problem is really related to the verify callback of the SSL_CTX_set_verify function.
I just added a dummy callback returning 1 to my code and everything works properly.


#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

/* Dummy callback: accepts every certificate, whatever the verifier's verdict ("ok") was. */
int verify_callback(int ok, X509_STORE_CTX *ctx);
int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    printf("Verification callback OK!\n");
    return 1;
}
...
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
...

The problem is that the error doesn't give much information about what's really going on or what's really missing.
Thanks for your help.

Kind regards.


On Tue, Nov 28, 2017 at 9:11 AM, Jan Just Keijser <[hidden email]> wrote:

Re: SSL alert number 48

Viktor Dukhovni
On Tue, Nov 28, 2017 at 10:03:12AM +0000, [hidden email] wrote:

> I guess my problem is really related to verify callback
> on SSL_CTX_set_verify function.
> I just add to my code a dummy callback returning 1 and everything works
> properly.
>
>
> > int verify_callback (int ok, X509_STORE_CTX *ctx);
> > int verify_callback (int ok, X509_STORE_CTX *ctx)
> > {
> >     printf("Verification callback OK!\n");
> >     return 1;
> > }
> > ...
> > SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
> > SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);

The above completely disables authentication of the peer certificate,
and makes your application vulnerable to man-in-the-middle attacks.
Perhaps that's OK, but often it is not.

> The problem is that error don't tell much information about what's really
> going on or what's really missing.

When the verification callback is failing, the peer's certificate
chain is either incomplete or is using a trust-anchor (root CA)
that is not configured as trusted on your end.

--
        Viktor.

Re: SSL alert number 48

Jan Just Keijser-2
In reply to this post by wizard2010
Hi,

On 28/11/17 11:03, [hidden email] wrote:
Hi there.

I guess my problem is really related to verify callback on SSL_CTX_set_verify function.
I just add to my code a dummy callback returning 1 and everything works properly.


int verify_callback (int ok, X509_STORE_CTX *ctx);
int verify_callback (int ok, X509_STORE_CTX *ctx)
{
    printf("Verification callback OK!\n");
    return 1;
}
...
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
...

The problem is that error don't tell much information about what's really going on or what's really missing.
Thanks for your help.

Now you've effectively disabled all security :)

Try adding this to the verify_callback


static int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    X509           *cert = NULL;
    char           *cert_DN = NULL;

    printf("ok = %d\n", ok);
    cert    = X509_STORE_CTX_get_current_cert(ctx);
    cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
    printf( "cert DN: %s\n", cert_DN);

}


that way, you will know whether your server is processing the right certificate chain.

HTH,

JJK



Re: SSL alert number 48

wizard2010
Hi JJK,

I tested your function and I got this result:
ok = 0
cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
ok = 1
cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd

Why do I see this 2 times?
When I created the certificates I didn't fill in any special information, I just pressed enter at every question that was asked. Do you think this could cause this issue?

Kind regards.


On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser <[hidden email]> wrote:

Re: SSL alert number 48

wizard2010
In reply to this post by Viktor Dukhovni

On Tue, Nov 28, 2017 at 9:11 PM, Viktor Dukhovni <[hidden email]> wrote:
On Tue, Nov 28, 2017 at 10:03:12AM +0000, [hidden email] wrote:

> I guess my problem is really related to verify callback
> on SSL_CTX_set_verify function.
> I just add to my code a dummy callback returning 1 and everything works
> properly.
>
>
> > int verify_callback (int ok, X509_STORE_CTX *ctx);
> > int verify_callback (int ok, X509_STORE_CTX *ctx)
> > {
> >     printf("Verification callback OK!\n");
> >     return 1;
> > }
> > ...
> > SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
> > SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);

The above completely disables authentication of the peer certificate,
and makes your application vulnerable to man-in-the-middle attacks.
Perhaps that's OK, but often it is not.

Why did you say that code disables the authentication?
One thing that I didn't understand is what type of verification is made by the SSL_CTX_set_verify function.
And what is the supposed/right thing to do in verify_callback in order to perform the client certificate authentication?
 
Kind regards.


> The problem is that error don't tell much information about what's really
> going on or what's really missing.

When the verification callback is failing, the peer's certificate
chain is either incomplete or is using a trust-anchor (root CA)
that is not configured as trusted on your end.

--
        Viktor.

Re: SSL alert number 48

Viktor Dukhovni
On Wed, Nov 29, 2017 at 01:44:01PM +0000, [hidden email] wrote:

> > > > int verify_callback (int ok, X509_STORE_CTX *ctx)
> > > > {
> > > >     printf("Verification callback OK!\n");
> > > >     return 1;
> > > > }
> > > > ...
> > > > SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
> > > > SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
> >
> > The above completely disables authentication of the peer certificate,
> > and makes your application vulnerable to man-in-the-middle attacks.
> > Perhaps that's OK, but often it is not.
>
> Why did you say that code disable the authentication?

Because it is true.

Your verification callback overrides all certificate verification
failures by unconditionally returning "1" for success, regardless
of the "ok" value, or the error status in the X509_STORE_CTX.

> One thing that I didn't understand is what type of verification is made on
> SSL_CTX_set_verify function.

Clearly not, so you need to either find some documentation that
makes it clear to you (manpages, examples in other code, a book,
...) or not use that feature.  Calling functions whose meaning
you do not understand is a bad idea, especially in security-related
code.

> And what is supposed/right thing to do on  verify_callback in order to
> perform the client certificate authentication?

The right thing normally is not to have a callback at all.  Or always
return the passed-in "ok" value, but log some information about
the certificate chain and any errors reported.

In rare situations you might choose to ignore very specific
error conditions, but getting that right requires a deeper
understanding of the implications.

--
        Viktor.

Re: SSL alert number 48

Viktor Dukhovni
In reply to this post by Jan Just Keijser-2
On Wed, Nov 29, 2017 at 09:56:35AM +0100, Jan Just Keijser wrote:

> Try adding this to the verify_callback
>
>
> static int verify_callback(int ok, X509_STORE_CTX *ctx)
> {
>     X509           *cert = NULL;
>     char           *cert_DN = NULL;
>
>     printf("ok = %d\n", ok);
>     cert    = X509_STORE_CTX_get_current_cert(ctx);
>     cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
>     printf( "cert DN: %s\n", cert_DN);
>
> }

You've left out the final "return ok;", and there's a new memory
leak.  Closer would be:

     static int verify_callback(int ok, X509_STORE_CTX *ctx)
     {
         X509           *cert = NULL;
         char           *cert_DN = NULL;
     
         printf("ok = %d\n", ok);
         cert    = X509_STORE_CTX_get_current_cert(ctx);
         cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
         printf( "cert DN: %s\n", cert_DN);

         OPENSSL_free(cert_DN);
         return ok;
     }

--
        Viktor.

Re: SSL alert number 48

wizard2010


On Wed, Nov 29, 2017 at 1:54 PM, Viktor Dukhovni <[hidden email]> wrote:
On Wed, Nov 29, 2017 at 09:56:35AM +0100, Jan Just Keijser wrote:

> Try adding this to the verify_callback
>
>
> static int verify_callback(int ok, X509_STORE_CTX *ctx)
> {
>     X509           *cert = NULL;
>     char           *cert_DN = NULL;
>
>     printf("ok = %d\n", ok);
>     cert    = X509_STORE_CTX_get_current_cert(ctx);
>     cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
>     printf( "cert DN: %s\n", cert_DN);
>
> }

You've left out the final "return ok;", and there's a new memory
leak.  Closer would be:

     static int verify_callback(int ok, X509_STORE_CTX *ctx)
     {
         X509           *cert = NULL;
         char           *cert_DN = NULL;

         printf("ok = %d\n", ok);
         cert    = X509_STORE_CTX_get_current_cert(ctx);
         cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
         printf( "cert DN: %s\n", cert_DN);

         OPENSSL_free(cert_DN);
         return ok;
     }


With that code I've got this:
ok = 0
cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Handshake Error 1

I can't really understand why this is happening since I'm creating the certificates in the right way (at least I guess I'm doing this in the right way).

Thanks for your help.
Kind regards. 


Re: SSL alert number 48

Jan Just Keijser-2
In reply to this post by wizard2010
Hi,

On 29/11/17 14:37, [hidden email] wrote:
Hi JJK,

I test you function and I've got this result:
ok = 0
cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
ok = 1
cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd

Why I see this 2 time?
When I create the certificates I didn't fill with any special information, just type enter in every question that is made. Did you think this could cause this issue?


what you should have seen is the certificate stack, starting with the CA, and then the client cert, e.g.

Connection accept...
ok = 1
cert DN: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 [hidden email]
ok = 1
cert DN: /C=US/O=Cookbook 2.4/CN=client1


so I suspect that your ca.crt on the server side is not specified correctly. 
You may also send me your ca.crt, server.{crt,key} and client.{crt,key} files privately, and I will run the same test using your set of certificates.

HTH,

JJK




Re: SSL alert number 48

wizard2010
Hi,

Please see attached the files that I'm using.
I generate the certificates with the following commands:

## Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl x509 -in ca.crt -out ca.pem -outform PEM

## Create the Server Key and CSR
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
openssl x509 -in server.crt -out server.pem -outform PEM

## Create the Client Key and CSR
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl x509 -in client.crt -out client.pem -outform PEM

I left the default value for each question that openssl asks when creating the certificates, like Country, City, CN, etc. Like this:
openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 
Thanks.
Kind regards.


On Thu, Nov 30, 2017 at 2:45 PM, Jan Just Keijser <[hidden email]> wrote:

Re: SSL alert number 48

Kyle Hamilton
SSL alert number 48 is specified in the documents that define SSL/TLS.
It is the code for "unknown_ca", which means that verification failed
because it didn't get set up with the correct CA to verify against.
You might wish to look up SSL_CTX_load_verify_locations(3).  There may
also be other API calls which can load the context with certificates
to verify against.

You can get a list of the alert numbers from RFC 5246, available from
(among other places) https://www.ietf.org/rfc/rfc5246.txt (also
available as a PDF from https://www.ietf.org/rfc/rfc5246.txt.pdf).

-Kyle H

On Mon, Dec 4, 2017 at 12:10 AM,  <[hidden email]> wrote:


Re: SSL alert number 48

wizard2010

On Mon, Dec 4, 2017 at 10:27 AM, Kyle Hamilton <[hidden email]> wrote:
SSL alert number 48 is specified in the documents that define SSL/TLS.
It is the code for "unknown_ca", which means that verification failed
because it didn't get set up with the correct CA to verify against.
You might wish to look up SSL_CTX_load_verify_locations(3).  There may
also be other API calls which can load the context with certificates
to verify against.

OK, I understand that, but what could be wrong with the certificates that I generated with the commands that I gave in the previous message?

Kind regards.
 

You can get a list of the alert numbers from RFC 5246, available from
(among other places) https://www.ietf.org/rfc/rfc5246.txt (also
available as a PDF from https://www.ietf.org/rfc/rfc5246.txt.pdf).

-Kyle H

On Mon, Dec 4, 2017 at 12:10 AM,  <[hidden email]> wrote:
> Hi ,
>
> Please see in attach the files that I'm using.
> I generate the certificates with the following commands:
>
> ## Create CA
> openssl genrsa -out ca.key 4096
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> openssl x509 -in ca.crt -out ca.pem -outform PEM
>
> ## Create the Server Key and CSR
> openssl genrsa -out server.key 4096
> openssl req -new -key server.key -out server.csr
> openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key
> -set_serial 01 -out server.crt
> openssl x509 -in server.crt -out server.pem -outform PEM
>
> ## Create the Client Key and CSR
> openssl genrsa -out client.key 4096
> openssl req -new -key client.key -out client.csr
> openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key
> -set_serial 01 -out client.crt
> openssl x509 -in client.crt -out client.pem -outform PEM
>
>
> I left the default value of each question that openssl ask when it's
> creating the certificates like Country, City, CN, etc. Like this way:
>>
>> openssl req -new -key server.key -out server.csr
>>
>> You are about to be asked to enter information that will be incorporated
>>
>> into your certificate request.
>>
>> What you are about to enter is what is called a Distinguished Name or a
>> DN.
>>
>> There are quite a few fields but you can leave some blank
>>
>> For some fields there will be a default value,
>>
>> If you enter '.', the field will be left blank.
>>
>> -----
>>
>> Country Name (2 letter code) [AU]:
>>
>> State or Province Name (full name) [Some-State]:
>>
>> Locality Name (eg, city) []:
>>
>> Organization Name (eg, company) [Internet Widgits Pty Ltd]:
>>
>> Organizational Unit Name (eg, section) []:
>>
>> Common Name (e.g. server FQDN or YOUR name) []:
>>
>> Email Address []:
>>
>> Please enter the following 'extra' attributes
>>
>> to be sent with your certificate request
>>
>> A challenge password []:
>>
>> An optional company name []:
>
>
> Thanks.
> Kind regards.
>
>
> On Thu, Nov 30, 2017 at 2:45 PM, Jan Just Keijser <[hidden email]> wrote:
>>
>> Hi,
>>
>> On 29/11/17 14:37, [hidden email] wrote:
>>
>> Hi JJK,
>>
>> I test you function and I've got this result:
>>>
>>> ok = 0
>>> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
>>> ok = 1
>>> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
>>
>>
>> Why I see this 2 time?
>> When I create the certificates I didn't fill with any special information,
>> just type enter in every question that is made. Did you think this could
>> cause this issue?
>>
>>
>> what you should have seen is the certificate stack, starting with the CA,
>> and then the client cert, e.g.
>>
>> Connection accept...
>> ok = 1
>> cert DN: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4
>> CA/emailAddress=[hidden email]
>> ok = 1
>> cert DN: /C=US/O=Cookbook 2.4/CN=client1
>>
>>
>> so I suspect that your ca.crt on the server side is not specified
>> correctly.
>> You may also send me your ca.crt, server.{crt,key} and client.{crt,key}
>> files privately, and I will run the same test using your set of
>> certificates.
>>
>> HTH,
>>
>> JJK
>>
>>
>>
>>
>> On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser <[hidden email]>
>> wrote:
>>>
>>> Hi,
>>>
>>> On 28/11/17 11:03, [hidden email] wrote:
>>>
>>> Hi there.
>>>
>>> I guess my problem is really related to the verify callback on the
>>> SSL_CTX_set_verify function.
>>> I just added a dummy callback returning 1 to my code and everything works
>>> properly.
>>>
>>>>
>>>> int verify_callback (int ok, X509_STORE_CTX *ctx);
>>>> int verify_callback (int ok, X509_STORE_CTX *ctx)
>>>> {
>>>>     /* Dummy callback: ignores 'ok' and accepts every certificate. */
>>>>     printf("Verification callback OK!\n");
>>>>     return 1;
>>>> }
>>>> ...
>>>> SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
>>>> SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
>>>> ...
>>>
>>>
>>> The problem is that the error doesn't give much information about what's
>>> really going on or what's really missing.
>>> Thanks for your help.
>>>
>>> Now you've effectively disabled all security :)
>>>
>>> Try adding this to the verify_callback
>>>
>>>
>>> #include <stdio.h>
>>> #include <openssl/x509.h>
>>> #include <openssl/x509_vfy.h>
>>>
>>> static int verify_callback(int ok, X509_STORE_CTX *ctx)
>>> {
>>>     X509           *cert = NULL;
>>>     char           *cert_DN = NULL;
>>>
>>>     printf("ok = %d\n", ok);
>>>     cert    = X509_STORE_CTX_get_current_cert(ctx);
>>>     if (cert != NULL) {
>>>         cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
>>>         printf( "cert DN: %s\n", cert_DN);
>>>         OPENSSL_free(cert_DN);  /* X509_NAME_oneline() with a NULL buffer allocates */
>>>     }
>>>     if (!ok)
>>>         printf( "error: %s\n",
>>>                 X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)));
>>>
>>>     return ok;  /* pass OpenSSL's verdict through, so verification stays enforced */
>>> }
>>>
>>>
>>> that way, you will know whether your server is processing the right
>>> certificate chain.
>>>
>>> HTH,
>>>
>>> JJK
>>>
>>
>>
>
>


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: SSL alert number 48

Jan Just Keijser-2
In reply to this post by wizard2010
Hi,

On 04/12/17 09:10, [hidden email] wrote:
Hi ,

Please see in attach the files that I'm using.

I've just taken a look at your certificates and they've not been generated correctly:

$ openssl x509 -subject -issuer -noout -in ca.crt -dates -serial
subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
issuer= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
notBefore=Nov 27 11:52:34 2017 GMT
notAfter=Nov 27 11:52:34 2018 GMT
serial=A1E0F7319AAD90C0

$ openssl x509 -subject -issuer -noout -in client.crt -dates -serial
subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
issuer= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
notBefore=Nov 27 11:53:16 2017 GMT
notAfter=Nov 27 11:53:16 2018 GMT
serial=01

$ openssl x509 -subject -issuer -noout -in server.crt -dates -serial
subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
issuer= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
notBefore=Nov 27 11:52:55 2017 GMT
notAfter=Nov 27 11:52:55 2018 GMT
serial=01


that is, the subject and issuer of the CA, server and client certs are all the same; also, the serial numbers of the client and server certificates are the same.
You will need to alter the way you generate your certificates so that there is a clear distinction between CA, server and client cert.

HTH,

JJK


I generate the certificates with the following commands:

  ## Create CA
  openssl genrsa -out ca.key 4096
  openssl req -new -x509 -days 365 -key ca.key -out ca.crt
  openssl x509 -in ca.crt -out ca.pem -outform PEM

  ## Create the Server Key and CSR
  openssl genrsa -out server.key 4096
  openssl req -new -key server.key -out server.csr
  openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
  openssl x509 -in server.crt -out server.pem -outform PEM

  ## Create the Client Key and CSR
  openssl genrsa -out client.key 4096
  openssl req -new -key client.key -out client.csr
  openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
  openssl x509 -in client.crt -out client.pem -outform PEM

I left the default value for each question that openssl asks when it's creating the certificates, like Country, City, CN, etc. Like this:
openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 
Thanks.
Kind regards.


On Thu, Nov 30, 2017 at 2:45 PM, Jan Just Keijser <[hidden email]> wrote:
Hi,

On 29/11/17 14:37, [hidden email] wrote:
Hi JJK,

I tested your function and I got this result:
ok = 0
cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
ok = 1
cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd

Why do I see this 2 times?
When I created the certificates I didn't fill in any special information, I just pressed enter at every question that was asked. Do you think this could cause this issue?


what you should have seen is the certificate stack, starting with the CA, and then the client cert, e.g.

Connection accept...
ok = 1
cert DN: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/emailAddress=[hidden email]
ok = 1
cert DN: /C=US/O=Cookbook 2.4/CN=client1


so I suspect that your ca.crt on the server side is not specified correctly. 
You may also send me your ca.crt, server.{crt,key} and client.{crt,key} files privately, and I will run the same test using your set of certificates.

HTH,

JJK




On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser <[hidden email]> wrote:
Hi,

On 28/11/17 11:03, [hidden email] wrote:
Hi there.

I guess my problem is really related to the verify callback on the SSL_CTX_set_verify function.
I just added a dummy callback returning 1 to my code and everything works properly.


int verify_callback (int ok, X509_STORE_CTX *ctx);
int verify_callback (int ok, X509_STORE_CTX *ctx)
{
    /* Dummy callback: ignores 'ok' and accepts every certificate. */
    printf("Verification callback OK!\n");
    return 1;
}
...
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
...

The problem is that the error doesn't give much information about what's really going on or what's really missing.
Thanks for your help.

Now you've effectively disabled all security :)

Try adding this to the verify_callback


#include <stdio.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

static int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    X509           *cert = NULL;
    char           *cert_DN = NULL;

    printf("ok = %d\n", ok);
    cert    = X509_STORE_CTX_get_current_cert(ctx);
    if (cert != NULL) {
        cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
        printf( "cert DN: %s\n", cert_DN);
        OPENSSL_free(cert_DN);  /* X509_NAME_oneline() with a NULL buffer allocates */
    }
    if (!ok)
        printf( "error: %s\n",
                X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)));

    return ok;  /* pass OpenSSL's verdict through, so verification stays enforced */
}


that way, you will know whether your server is processing the right certificate chain.

HTH,

JJK






--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
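JJK's finding above (the same subject and issuer on all three certificates, and the same serial on server and client) can be reproduced and corrected from the command line. The script below is an added example, not code from the thread or from OpenSSL: broken_pki replays the thread's commands non-interactively, good_pki issues the certificates the way a CA normally does (a distinct subject per certificate, CA:TRUE only on the CA, serverAuth/clientAuth on the leaves, a unique serial per leaf), and chain_ok runs the same path validation that SSL_VERIFY_PEER performs on the server side. The directory layout, the subject names and the 2048-bit key size are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSL): rebuild the CA / server /
# client certificates with distinct subjects and unique serials, and check
# them with `openssl verify`.  Paths, subject names and key sizes are assumed.
set -eu

# Minimal openssl config written to $1, so nothing depends on the system
# openssl.cnf and `req` never prompts (the subject is passed with -subj).
write_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[server_ext]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:localhost, IP:127.0.0.1
authorityKeyIdentifier = keyid
[client_ext]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
authorityKeyIdentifier = keyid
EOF
}

# issue_leaf DIR NAME SUBJECT EXT_SECTION: CSR signed by DIR/ca.{crt,key}.
# -CAcreateserial keeps a counter in DIR/ca.srl, so no two leaves share a
# serial (the thread used -set_serial 01 for both).
issue_leaf() {
    dir=$1; name=$2; subj=$3; ext=$4
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -config "$dir/pki.cnf" -key "$dir/$name.key" \
        -subj "$subj" -out "$dir/$name.csr"
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions "$ext" -out "$dir/$name.crt" 2>/dev/null
}

# Corrected PKI in DIR: CA, server and client each get their own subject.
good_pki() {
    dir=$1; mkdir -p "$dir"; write_cnf "$dir/pki.cnf"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -config "$dir/pki.cnf" -key "$dir/ca.key" \
        -subj "/C=AU/O=Example Lab/CN=Example Lab Test CA" -out "$dir/ca.crt"
    issue_leaf "$dir" server "/C=AU/O=Example Lab/CN=localhost" server_ext
    issue_leaf "$dir" client "/C=AU/O=Example Lab/CN=client1"   client_ext
}

# The thread's procedure in DIR: the openssl.cnf defaults as subject on all
# three certs, -set_serial 01 on both leaves, no leaf extensions.
broken_pki() {
    dir=$1; mkdir -p "$dir"; write_cnf "$dir/pki.cnf"
    subj="/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -config "$dir/pki.cnf" -key "$dir/ca.key" \
        -subj "$subj" -out "$dir/ca.crt"
    for name in server client; do
        openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
        openssl req -new -config "$dir/pki.cnf" -key "$dir/$name.key" \
            -subj "$subj" -out "$dir/$name.csr"
        openssl x509 -req -days 365 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -set_serial 01 -out "$dir/$name.crt" 2>/dev/null
    done
}

# chain_ok CA_FILE CERT: succeeds only if CERT validates against CA_FILE.
# A leaf whose subject equals its issuer name is treated as self-signed, so
# the thread's leaves fail here just as they fail in the server's handshake.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# serials_differ CERT1 CERT2: succeeds if the two serial numbers differ.
serials_differ() {
    [ "$(openssl x509 -noout -serial -in "$1")" != \
      "$(openssl x509 -noout -serial -in "$2")" ]
}

# `sh pki.sh --demo`: JJK's subject/issuer/serial check on both sets.
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    for set in bad good; do
        [ "$set" = bad ] && broken_pki "$tmp/bad" || good_pki "$tmp/good"
        openssl x509 -subject -issuer -serial -noout -in "$tmp/$set/client.crt"
        chain_ok "$tmp/$set/ca.crt" "$tmp/$set/client.crt" \
            && echo "$set: client.crt verifies" || echo "$set: client.crt does NOT verify"
    done
fi
```

The corrected set is what the server should load as its trust anchor (for instance via SSL_CTX_load_verify_locations()) and what s_client should be given with -cert, -key and -CAfile; with a proper chain the verify callback can simply return ok instead of a hard-coded 1.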