[openssl-users] SSL alert number 48
wizard2010 at gmail.com
wizard2010 at gmail.com
Wed Nov 29 13:44:01 UTC 2017
On Tue, Nov 28, 2017 at 9:11 PM, Viktor Dukhovni <openssl-users at dukhovni.org
> wrote:
> On Tue, Nov 28, 2017 at 10:03:12AM +0000, wizard2010 at gmail.com wrote:
>
> > I guess my problem is really related to verify callback
> > on SSL_CTX_set_verify function.
> > I just add to my code a dummy callback returning 1 and everything works
> > properly.
> >
> >
> > > int verify_callback (int ok, X509_STORE_CTX *ctx);
> > > int verify_callback (int ok, X509_STORE_CTX *ctx)
> > > {
> > > printf("Verification callback OK!\n");
> > > return 1;
> > > }
> > > ...
> > > SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
> > > SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
>
> The above completely disables authentication of the peer certificate,
> and makes your application vulnerable to man-in-the-middle attacks.
> Perhaps that's OK, but often it is not.
>
Why did you say that code disable the authentication?
One thing that I didn't understand is what type of verification is made on
SSL_CTX_set_verify function.
And what is supposed/right thing to do on verify_callback in order to
perform the client certificate authentication?
Kind regards.
> > The problem is that error don't tell much information about what's really
> > going on or what's really missing.
>
> When the verification callback is failing, the peer's certificate
> chain is either incomplete or is using a trust-anchor (root CA)
> that is not configured as trusted on your end.
>
> --
> Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171129/44b59740/attachment.html>
More information about the openssl-users
mailing list