[openssl-users] SSL alert number 48
Jan Just Keijser
janjust at nikhef.nl
Thu Dec 7 11:24:07 UTC 2017
Hi,
On 04/12/17 09:10, wizard2010 at gmail.com wrote:
> Hi,
>
> Please see attached the files that I'm using.
I've just taken a look at your certificates and they've not been
generated correctly:
$ openssl x509 -subject -issuer -noout -in ca.crt -dates -serial
subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
issuer= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
notBefore=Nov 27 11:52:34 2017 GMT
notAfter=Nov 27 11:52:34 2018 GMT
serial=A1E0F7319AAD90C0
$ openssl x509 -subject -issuer -noout -in client.crt -dates -serial
subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
issuer= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
notBefore=Nov 27 11:53:16 2017 GMT
notAfter=Nov 27 11:53:16 2018 GMT
serial=01
$ openssl x509 -subject -issuer -noout -in server.crt -dates -serial
subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
issuer= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
notBefore=Nov 27 11:52:55 2017 GMT
notAfter=Nov 27 11:52:55 2018 GMT
serial=01
that is, the subject and issuer of the CA, server and client certs are
all the same; also, the serial numbers of the client and server
certificates are the same.
You will need to alter the way you generate your certificates so that
there is a clear distinction between CA, server and client cert.
HTH,
JJK
> I generate the certificates with the following commands:
>
> ## Create CA
> openssl genrsa -out ca.key 4096
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> openssl x509 -in ca.crt -out ca.pem -outform PEM
>
> ## Create the Server Key and CSR
> openssl genrsa -out server.key 4096
> openssl req -new -key server.key -out server.csr
> openssl x509 -req -days 365 -in server.csr -CA ca.crt \
>     -CAkey ca.key -set_serial 01 -out server.crt
> openssl x509 -in server.crt -out server.pem -outform PEM
>
> ## Create the Client Key and CSR
> openssl genrsa -out client.key 4096
> openssl req -new -key client.key -out client.csr
> openssl x509 -req -days 365 -in client.csr -CA ca.crt \
>     -CAkey ca.key -set_serial 01 -out client.crt
> openssl x509 -in client.crt -out client.pem -outform PEM
>
>
> I left the default value for each question that openssl asks when it's
> creating the certificates, like Country, City, CN, etc., like this:
>
> openssl req -new -key server.key -out server.csr
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:
> State or Province Name (full name) [Some-State]:
> Locality Name (eg, city) []:
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:
> Email Address []:
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
>
> Thanks.
> Kind regards.
>
>
> On Thu, Nov 30, 2017 at 2:45 PM, Jan Just Keijser <janjust at nikhef.nl> wrote:
>
> Hi,
>
> On 29/11/17 14:37, wizard2010 at gmail.com wrote:
>> Hi JJK,
>>
>> I tested your function and I've got this result:
>>
>> ok = 0
>> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
>> ok = 1
>> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
>>
>>
>> Why do I see this 2 times?
>> When I created the certificates I didn't fill in any special
>> information, just typed enter at every question that was asked. Do
>> you think this could cause this issue?
>>
>
> what you should have seen is the certificate stack, starting with
> the CA, and then the client cert, e.g.
>
> Connection accept...
> ok = 1
> cert DN: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/emailAddress=openvpn at example.com
> ok = 1
> cert DN: /C=US/O=Cookbook 2.4/CN=client1
>
>
> so I suspect that your ca.crt on the server side is not specified
> correctly.
> You may also send me your ca.crt, server.{crt,key} and
> client.{crt,key} files privately, and I will run the same test
> using your set of certificates.
>
> HTH,
>
> JJK
>
>
>
>>
>> On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser
>> <janjust at nikhef.nl> wrote:
>>
>> Hi,
>>
>> On 28/11/17 11:03, wizard2010 at gmail.com wrote:
>>> Hi there.
>>>
>>> I guess my problem is really related to the verify callback
>>> on the SSL_CTX_set_verify function.
>>> I just added to my code a dummy callback returning 1 and
>>> everything works properly.
>>>
>>>
>>> int verify_callback (int ok, X509_STORE_CTX *ctx);
>>> int verify_callback (int ok, X509_STORE_CTX *ctx)
>>> {
>>>     printf("Verification callback OK!\n");
>>>     return 1;
>>> }
>>> ...
>>> SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
>>>     SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
>>> ...
>>>
>>>
>>> The problem is that the error doesn't give much information about
>>> what's really going on or what's really missing.
>>> Thanks for your help.
>>>
>> Now you've effectively disabled all security :)
>>
>> Try adding this to the verify_callback
>>
>>
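>> static int verify_callback(int ok, X509_STORE_CTX *ctx)
>> {
>>     X509 *cert = NULL;
>>     char *cert_DN = NULL;
>>
>>     /* ok is OpenSSL's own verdict for the certificate at this depth */
>>     printf("ok = %d\n", ok);
>>     cert = X509_STORE_CTX_get_current_cert(ctx);
>>     cert_DN = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
>>     printf("cert DN: %s\n", cert_DN);
>>     OPENSSL_free(cert_DN); /* X509_NAME_oneline() allocated the buffer */
>>
>>     return ok; /* pass the verdict through unchanged */
>> }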
>>
>>
>> that way, you will know whether your server is processing the
>> right certificate chain.
>>
>> HTH,
>>
>> JJK
>>
>>
>
>
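Added example (not part of the original thread, and not the poster's or JJK's commands): one way to regenerate the test certificates so that the CA, server and client each have their own subject DN and the two leaf certificates carry different serial numbers, followed by a check of the same fields JJK inspected above. The DN values, the serials, the 2048-bit key size and the function names are assumptions made for illustration, and a default openssl.cnf is assumed to be installed.

```shell
#!/bin/sh
# Added example: test PKI with distinct DNs and serials.
# DNs, serials and key size are constructed placeholders, not from the thread.
set -e

CA_DN="/C=AU/O=Example Test PKI/CN=Example Test Root CA"

# make_ca DIR: self-signed CA (the only cert where subject == issuer).
make_ca() {
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$1/ca.key" \
        -subj "$CA_DN" -out "$1/ca.crt"
}

# issue_cert DIR NAME SUBJECT_DN SERIAL: new key and CSR, signed by the CA.
issue_cert() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
    openssl x509 -req -days 365 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -set_serial "$4" -out "$1/$2.crt" 2>/dev/null
}

# field FILE OPTION: print -subject, -issuer or -serial without its label.
field() {
    openssl x509 -noout "$2" -in "$1" | sed 's/^[A-Za-z]*= *//'
}

# check_pki DIR: succeed only if each leaf has its own subject, names the CA
# as issuer, verifies against ca.crt, and the two serials differ.
check_pki() {
    for n in server client; do
        [ "$(field "$1/$n.crt" -subject)" != "$(field "$1/$n.crt" -issuer)" ] || return 1
        [ "$(field "$1/$n.crt" -issuer)" = "$(field "$1/ca.crt" -subject)" ] || return 1
        openssl verify -CAfile "$1/ca.crt" "$1/$n.crt" >/dev/null 2>&1 || return 1
    done
    [ "$(field "$1/server.crt" -serial)" != "$(field "$1/client.crt" -serial)" ]
}

# build_pki DIR: CA plus one server and one client certificate.
build_pki() {
    make_ca "$1"
    issue_cert "$1" server "/C=AU/O=Example Test PKI/CN=server.example.test" 1001
    issue_cert "$1" client "/C=AU/O=Example Test PKI/CN=client1" 1002
}

dir=$(mktemp -d)
build_pki "$dir"
check_pki "$dir" && echo "distinct DNs and serials; both leaf certs verify: $dir"
```

Running check_pki against a directory built the way the quoted commands do (every DN left at the defaults, both leaf certificates with -set_serial 01) fails on its first comparison.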