problem in TLS in easy_tls demo


problem in TLS in easy_tls demo

Pjothi
Dear all,
 
I am new to openSSL and an inexperienced C programmer. After compiling the openssl library, I was going through the demos for understanding. In the demo, after compilation of easy_tls with a few warnings, when I run the server and client, it gets connected and is able to write and read. But when I start TLS functionality, then the client says
 
E:unable to get local issuer certificate
/C=DE/CN=TestServer
 
The certificates are expired but are right there in the folder. I would like to know if this error is because the certificate is expired or due to some other problem and, if possible, how to solve it. Should I create my own certificates with the same parameters for solving this, or how to solve this problem?
 
Thank you very much and awaiting,
Pjothi
 


 

Re: problem in TLS in easy_tls demo

Bernhard Fröhlich-2
Praveen Jothi wrote:

> Dear all,
>  
> I am new to openSSL and an inexperienced C programmer. After compiling
> openssl library, I was going through the demos for understanding. In
> the demo after compilation of easy_tls with a few warnings, when I run
> the server and client, it gets connected and is able to write and read.
> But when I start TLS functionality, then the client says
>  
> E:unable to get local issuer certificate
> /C=DE/CN=TestServer
>  
> The certificates are expired but are right there in the folder. I
> would like to know if this error is because the certificate is expired
> or due to some other problem and if possible, how to solve it. Should
> I create my own certificates with the same parameters for solving this
> or how to solve this problem.
>  
> Thank you very much and awaiting,
> Pjothi
Just a quick answer without looking at the code of easy_tls:

This error message is generated if a certificate needed to verify a
certificate chain is not present (as it states itself). I experienced
this error if a CA's certificate (maybe an intermediate CA) is neither
included in the presented certificate nor present in the CAFile or
CA-Directory (as specified in SSL_CTX_load_verify_locations). Maybe you
should check the call to SSL_CTX_load_verify_locations and the content
of the specified locations.

Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26



Re: problem in TLS in easy_tls demo

Pjothi
Dear Bernhard and others,
 
You are right, probably. The CA certificate says a different organization, and the client certificate says it's issued by a different organization. Unfortunately my experience in C programming is not enough to check out or rather edit the C code. I would like to know, if I create my own CA certificate and client certificate with the same names, would it work? Should I also take care of the same algorithms as included in this certificate? Kindly help me on this.
 
regards,
Pjothi
München

 
On 1/24/06, Bernhard Froehlich <[hidden email]> wrote:

Re: problem in TLS in easy_tls demo

Pjothi

The following is in the demo code.
 
r = SSL_CTX_load_verify_locations(ret, a.ca_file, NULL);
 
I am wondering if NULL is the right parameter to pass through for CA path?
 
Thank you very much.
 
regards,
Pjothi
 

--
PRAVEENJOTHI
Masters in Telecommunication Engineering
Darmstadt University of Applied Sciences
Germany

"Knowledge is Power"

"To win...you've got to stay in the game"

Re: problem in TLS in easy_tls demo

Samy Thiyagarajan

> The following is in the demo code.
>
> r = SSL_CTX_load_verify_locations(ret, a.ca_file, NULL);
>
> I am wondering if NULL is the right parameter to pass through for CA path?

Hi,
yes, the third parameter is the CA path and you can pass NULL (this is simple). If you specify the CA path you need to have a hash value.
For detailed info please refer to the following link:

http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html

Samy


Re: problem in TLS in easy_tls demo

Bernhard Fröhlich-2
Praveen Jothi wrote:

>
> The following is in the demo code.
>  
> r = SSL_CTX_load_verify_locations(ret,a.ca_file,NULL)
>  
> I am wondering if NULL is the right parameter to pass through for CA
> path ?

Yes, as the comment in my version (0.9.8a) says, it just won't use a CA
directory but will put all certs in a single CAFile (which is perfectly
ok). In test.c around line 71 you can see that "cacerts.pem" is used as
a CAFile.

But back to the beginning, now I checked the certificates. openssl x509
-in cert.pem -noout -text gives the following:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Validity
            Not Before: May  1 01:26:35 1999 GMT
            Not After : May 31 01:26:35 1999 GMT
        Subject: C=DE, CN=Testserver
[... and some more ... ]

The only certificate in cacerts.pem is the following (openssl x509 -in
cacerts.pem -noout -text):

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=AU, ST=Queensland, O=CryptSoft Pty Ltd, CN=Test PCA (1024 bit)
        Validity
            Not Before: Jun  9 13:57:43 1997 GMT
            Not After : Jun  9 13:57:43 2001 GMT
        Subject: C=AU, ST=Queensland, O=CryptSoft Pty Ltd, CN=Test CA (1024 bit)
[ ... etc ...]

So the issuer of the client cert ("C=AU, ST=Some-State, O=Internet
Widgits Pty Ltd") can not be found in cacerts.pem (the only cert there
is from "C=AU, ST=Queensland, O=CryptSoft Pty Ltd, CN=Test CA (1024
bit)") and so the error message is correct (like always... ;)).

Obviously the certificates in this directory have been messed up. If you
generate your own CA, store the CA's self-signed certificate in
cacerts.pem and a generated client cert (including the private key) in
cert.pem, I guess the application will work.
I'll try to find the time this evening to generate a new (sensible) set
of certificates for inclusion in the distribution.

>  thank you very much.
>  
> regards,
> Pjothi

Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
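Bernhard's chain check above and Samy's note on hashed CApath names, as an added runnable example that is not part of the thread or of the easy_tls demo: it constructs a throwaway CA, a second unrelated CA and a leaf with the demo's subject, then reproduces error 20 against the wrong CAfile and shows the file naming a CApath lookup needs. The file names cacerts.pem and cert.pem follow the demo; "Demo CA" and the other DNs are constructed, and the openssl command-line tool must be available.

```shell
#!/bin/sh
# Added example, not from the thread or the easy_tls demo: a constructed mini
# PKI that reproduces "unable to get local issuer certificate" when the leaf's
# issuer is absent from the CAfile, and shows the hashed file naming a CApath
# (third argument of SSL_CTX_load_verify_locations) needs. Requires openssl CLI.
set -eu
WORK="${TMPDIR:-/tmp}/easy_tls_example.$$"

make_certs() {
    mkdir -p "$WORK/capath"
    # CA whose subject will be the leaf's issuer ("Demo CA" is a made-up name)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$WORK/ca.key" \
        -out "$WORK/cacerts.pem" -subj "/C=DE/O=Demo CA/CN=Test CA" 2>/dev/null
    # unrelated CA, standing in for the mismatched cacerts.pem seen in the thread
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$WORK/other.key" \
        -out "$WORK/other-ca.pem" -subj "/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA" 2>/dev/null
    # leaf with the demo's subject, signed by the first CA
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" -subj "/C=DE/CN=TestServer" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacerts.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/cert.pem" 2>/dev/null
}

# Exit status 0 only if cert.pem chains to a certificate in the given CAfile.
verify_cafile() {
    openssl verify -CAfile "$1" "$WORK/cert.pem" >/dev/null 2>&1
}

# True when verification fails with the thread's error (X509 error 20): no
# certificate in the store has a subject equal to the leaf's issuer.
issuer_missing() {
    openssl verify -CAfile "$1" "$WORK/cert.pem" 2>&1 \
        | grep -q 'unable to get local issuer certificate'
}

# The same check by name, as the thread does by eye: leaf issuer vs CA subject.
issuer_matches() {
    [ "$(openssl x509 -in "$WORK/cert.pem" -noout -issuer | sed 's/^issuer=//')" = \
      "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" ]
}

# A CApath is searched by subject hash, so the CA file must be named <hash>.0
# (what c_rehash produces); an arbitrary filename in that directory is ignored.
build_capath() {
    h=$(openssl x509 -in "$WORK/cacerts.pem" -noout -subject_hash)
    cp "$WORK/cacerts.pem" "$WORK/capath/$h.0"
    openssl verify -CApath "$WORK/capath" "$WORK/cert.pem" >/dev/null 2>&1
}
```

Run make_certs first, then the check functions; a CAfile that verifies but whose subject differs from the leaf's issuer is the situation Bernhard found in the shipped demo files.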


smime.p7s (4K) Download Attachment