[openssl-users] SSL alert number 48

Jan Just Keijser janjust at nikhef.nl
Thu Nov 30 14:45:26 UTC 2017


Hi,

On 29/11/17 14:37, wizard2010 at gmail.com wrote:
> Hi JJK,
>
> I tested your function and I got this result:
>
>     ok = 0
>     cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
>     ok = 1
>     cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
>
>
> Why do I see this 2 times?
> When I created the certificates I didn't fill in any special information, I just pressed enter at every question that was asked. Do
> you think this could cause this issue?
>

What you should have seen is the certificate stack, starting with the CA, and then the client cert, e.g.

Connection accept...
ok = 1
cert DN: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/emailAddress=openvpn at example.com
ok = 1
cert DN: /C=US/O=Cookbook 2.4/CN=client1


so I suspect that your ca.crt on the server side is not specified correctly.
You may also send me your ca.crt, server.{crt,key} and client.{crt,key} files privately, and I will run the same test using your 
set of certificates.

HTH,

JJK


>
> On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser <janjust at nikhef.nl <mailto:janjust at nikhef.nl>> wrote:
>
>     Hi,
>
>     On 28/11/17 11:03, wizard2010 at gmail.com <mailto:wizard2010 at gmail.com> wrote:
>>     Hi there.
>>
>>     I guess my problem is really related to the verify callback on the SSL_CTX_set_verify function.
>>     I just added a dummy callback returning 1 to my code and everything works properly.
>>
>>
>>         int verify_callback(int ok, X509_STORE_CTX *ctx);
>>         int verify_callback(int ok, X509_STORE_CTX *ctx)
>>         {
>>             /* dummy callback: accepts every certificate regardless of ok */
>>             printf("Verification callback OK!\n");
>>             return 1;
>>         }
>>         ...
>>         /* the callback passed here must be the one defined above */
>>         SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
>>         ...
>>
>>
>>     The problem is that the error doesn't give much information about what's really going on or what's really missing.
>>     Thanks for your help.
>>
>     Now you've effectively disabled all security :)
>
>     Try adding this to the verify_callback
>
>
>     static int verify_callback(int ok, X509_STORE_CTX *ctx)
>     {
>         X509           *cert = NULL;
>         char           *cert_DN = NULL;
>
>         printf("ok = %d\n", ok);
>         /* certificate currently being checked (CA first, then the peer cert) */
>         cert    = X509_STORE_CTX_get_current_cert(ctx);
>         /* with a NULL buffer, X509_NAME_oneline() allocates the string; free it */
>         cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
>         printf( "cert DN: %s\n", cert_DN);
>         OPENSSL_free(cert_DN);
>
>         /* return the verdict unchanged so verification is not disabled */
>         return ok;
>     }
>
>
>     that way, you will know whether your server is processing the right certificate chain.
>
>     HTH,
>
>     JJK
>
>
