[openssl-users] SSL alert number 48
wizard2010 at gmail.com
wizard2010 at gmail.com
Wed Nov 29 13:37:44 UTC 2017
Hi JJK,
I test you function and I've got this result:
> ok = 0
> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
> ok = 1
> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Why I see this 2 time?
When I create the certificates I didn't fill with any special information,
just type enter in every question that is made. Did you think this could
cause this issue?
Kind regards.
On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser <janjust at nikhef.nl> wrote:
> Hi,
>
> On 28/11/17 11:03, wizard2010 at gmail.com wrote:
>
> Hi there.
>
> I guess my problem is really related to verify callback
> on SSL_CTX_set_verify function.
> I just add to my code a dummy callback returning 1 and everything works
> properly.
>
>
>> int verify_callback (int ok, X509_STORE_CTX *ctx);
>> int verify_callback (int ok, X509_STORE_CTX *ctx)
>> {
>> printf("Verification callback OK!\n");
>> return 1;
>> }
>> ...
>> SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
>> SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
>> ...
>
>
> The problem is that error don't tell much information about what's really
> going on or what's really missing.
> Thanks for your help.
>
> Now you've effectively disabled all security :)
>
> Try adding this to the verify_callback
>
>
> static int verify_callback(int ok, X509_STORE_CTX *ctx)
> {
> X509 *cert = NULL;
> char *cert_DN = NULL;
>
> printf("ok = %d\n", ok);
> cert = X509_STORE_CTX_get_current_cert(ctx);
> cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
> printf( "cert DN: %s\n", cert_DN);
>
> }
>
>
> that way, you will know whether your server is processing the right
> certificate chain.
>
> HTH,
>
> JJK
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171129/c3f7c46e/attachment.html>
More information about the openssl-users
mailing list