[openssl-users] [help]SSL_CTX_use_certificate_file failed!

zy_chongqing zy_chongqing at aliyun.com
Tue Sep 13 13:17:47 UTC 2016


Hi,
I have a big problem with OpenSSL usage, please help.
OS: Linux version 3.7.10-1.1-desktop (geeko at buildhost) (gcc version 4.7.2 20130108 [gcc-4_7-branch revision 195012] (SUSE Linux) ) #1 SMP PREEMPT Thu Feb 28 15:06:29 UTC 2013 (82d3f21)
OpenSSL version: OpenSSL 1.1.0  25 Aug 2016
I created an OpenSSL client for iOS APNs; the SSL initialisation function is as below:

#include <openssl/ssl.h>
#include <openssl/err.h>

#define CA_CERT_PATH          "./pem"
#define RSA_CLIENT_CERT     "./pem/PushChatCert.pem"
#define RSA_CLIENT_KEY       "./pem/PushChatKey.pem"

bool CAPNSClient::InitAPNSClient()
{
    SSL_library_init();
    SSL_load_error_strings();
    ERR_clear_error();
    OpenSSL_add_all_algorithms();
 
    m_pMeth = TLS_client_method();
    m_pCtx = SSL_CTX_new(m_pMeth);
    if(NULL == m_pCtx)
    {
        ERRLOG("Could not get SSL Context");
        return false;
    }

    if(0 == SSL_CTX_load_verify_locations(m_pCtx, NULL, CA_CERT_PATH))
    {
        /* Handle failed load here */
        ERRLOG("Failed to set CA location:%s", ERR_error_string( ERR_get_error(), NULL ));
        return false;
    }

    if (0 == SSL_CTX_use_certificate_file(m_pCtx, RSA_CLIENT_CERT, SSL_FILETYPE_PEM))
    {
        ERRLOG("Cannot use Certificate File:%s", ERR_error_string( ERR_get_error(), NULL ));
        return false;
    }

    SSL_CTX_set_default_passwd_cb_userdata(m_pCtx, (void*)"XXXX");

    if (0 == SSL_CTX_use_PrivateKey_file(m_pCtx, RSA_CLIENT_KEY, SSL_FILETYPE_PEM))
    {
        ERRLOG("Cannot use Private Key:%s", ERR_error_string( ERR_get_error(), NULL ));
        return false;
    }

    if (0 == SSL_CTX_check_private_key(m_pCtx))
    {
        ERRLOG("Private key does not match the certificate public key");
        return false;
    }

    return true;
}
When the program runs, SSL_CTX_use_certificate_file fails when loading the attached certificate! The error information is:
error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
As suggested by rt at openssl.org last night, I used SSL_CTX_set_security_level(m_pCtx, 0) to switch the security level from 1 to 0. But SSL_CTX_use_certificate_file still fails! The log changed to:
error:140BF10C:SSL routines:ssl_set_cert:x509 lib
The weird thing is, this code and pem file work well on another server, which has security level 1. So I guess the problem comes from the ssl config. After searching, I found 2 openssl.cnf files, one in /etc/ssl/, another in /usr/local/ssl. There are only 4 differences between these 2 files:
1. default_bits, one is 2048, another is 1024
2. basicConstraints, one is "critical,CA:true", another is "CA:true"
3. signer_digest, one is "sha256", another doesn't have this parameter
4. digests, one is "sha1, sha256, sha384, sha512", another is "md5, sha1"
I have already been debugging this issue for a whole day, but still don't have any progress. Please help me, at least guide me on how to solve it.
Thanks a lot!
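The "ee key too small" error above is OpenSSL's security-level check rejecting the end-entity ("ee") certificate's public key: at the default level 1 the SSL_CTX_set_security_level(3) man page prohibits RSA keys shorter than 1024 bits (2048 at level 2, 3072 at level 3, 7680 at level 4, 15360 at level 5; level 0 imposes no minimum). The following pre-flight check, added here as an example and not part of the original post or of OpenSSL, reads the RSA modulus size straight out of a PEM certificate with a minimal DER walker (no OpenSSL bindings needed) and compares it with the minimum for a given level, so the failure can be explained before SSL_CTX_use_certificate_file() is ever called. The sample certificate it builds for demonstration is a constructed, unsigned skeleton whose only realistic part is the structure; the function names and the MIN_RSA_BITS table are this example's own.

```python
"""Pre-flight check: RSA key size in a PEM certificate vs. OpenSSL security level.

Added example (not from the original post). Parses the certificate with a
minimal DER walker so the end-entity RSA modulus size can be compared with
the minimum OpenSSL enforces at each security level.
"""
import base64
import re

# Minimum RSA modulus size (bits) per OpenSSL security level, from the
# SSL_CTX_set_security_level(3) man page. Level 0 imposes no minimum.
MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the DER TLV at pos.
    Assumes single-byte tags, which is all an X.509 certificate uses."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed element."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = _read_tlv(buf, pos)
        yield tag, vs, ve


def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def rsa_modulus_bits(der):
    """Bit length of the RSA modulus in the certificate's SubjectPublicKeyInfo."""
    _, cs, ce, _ = _read_tlv(der, 0)                   # Certificate ::= SEQUENCE
    tbs = next(_children(der, cs, ce))                 # tbsCertificate
    fields = list(_children(der, tbs[1], tbs[2]))
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = fields[5]
    alg, bitstr = list(_children(der, spki[1], spki[2]))[:2]
    oid = next(_children(der, alg[1], alg[2]))
    if der[oid[1]:oid[2]] != RSA_OID:
        raise ValueError("public key algorithm is not rsaEncryption")
    if bitstr[0] != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    # skip the unused-bits octet, then RSAPublicKey ::= SEQUENCE { modulus, publicExponent }
    _, rs, rend, _ = _read_tlv(der, bitstr[1] + 1)
    modulus = next(_children(der, rs, rend))
    return int.from_bytes(der[modulus[1]:modulus[2]], "big").bit_length()


def check_against_level(pem, level):
    """Return (key_bits, minimum_bits, acceptable) for the given security level."""
    bits = rsa_modulus_bits(pem_to_der(pem))
    minimum = MIN_RSA_BITS[level]
    return bits, minimum, bits >= minimum


# --- constructed sample input (DER encoder for a bare certificate skeleton) ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                                # keep INTEGER positive
    return _tlv(0x02, b)


def make_sample_cert_pem(modulus_bits):
    """Constructed test certificate: valid DER layout, placeholder names and
    signature, and an RSA modulus of exactly modulus_bits bits (not a real key)."""
    n = (1 << (modulus_bits - 1)) | 1
    rsa_pub = _tlv(0x30, _int(n) + _int(65537))
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))
    empty = _tlv(0x30, b"")                            # stands in for issuer/validity/subject
    tbs = _tlv(0x30, _tlv(0xA0, _int(2)) + _int(1) + alg + empty + empty + empty + spki)
    cert = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for bits, level in ((512, 1), (512, 0), (2048, 1)):
        print(bits, level, check_against_level(make_sample_cert_pem(bits), level))
```

To use it on a real file, pass the contents of PushChatCert.pem to check_against_level() with the level the target server runs at; a key_bits value below the reported minimum is exactly the condition the "ee key too small" message describes. Lowering the level only removes the size check, so a certificate that fails for another reason will keep failing with a different error.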
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PushChatCert.pem
Type: application/octet-stream
Size: 2139 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160913/21b64519/attachment-0001.obj>