[openssl-users] SSL alert number 48
Viktor Dukhovni
openssl-users at dukhovni.org
Tue Nov 28 21:11:07 UTC 2017
On Tue, Nov 28, 2017 at 10:03:12AM +0000, wizard2010 at gmail.com wrote:
> I guess my problem is really related to verify callback
> on SSL_CTX_set_verify function.
> I just add to my code a dummy callback returning 1 and everything works
> properly.
>
>
> > int verify_callback (int ok, X509_STORE_CTX *ctx);
> > int verify_callback (int ok, X509_STORE_CTX *ctx)
> > {
> > printf("Verification callback OK!\n");
> > return 1;
> > }
> > ...
> > SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
> > SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
The above completely disables authentication of the peer certificate,
and makes your application vulnerable to man-in-the-middle attacks.
Perhaps that's OK, but often it is not.
> The problem is that error don't tell much information about what's really
> going on or what's really missing.
When the verification callback is failing, the peer's certificate
chain is either incomplete or is using a trust-anchor (root CA)
that is not configured as trusted on your end.
--
Viktor.
More information about the openssl-users
mailing list