<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-CA" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks Matthew.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">However the problem seems to be occurring before the processing of the return codes you mentioned.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The problem occurs from a bad return value from:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> if(SSL_connect(ssl) <= 0)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> int_error("Error connecting SSL object");<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">A Wireshark trace reveals that the client shuts down the handshake connection with the reason ‘Unknown CA’.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">So if the client knows that the cert is self-signed as indicated by the debug logs, why would it issue the above reason for failure when it doesn’t need to
know the CA?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Carl
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> openssl-users [mailto:openssl-users-bounces@openssl.org]
<b>On Behalf Of </b>Matthew Donald<br>
<b>Sent:</b> July-01-16 12:09 AM<br>
<b>To:</b> openssl-users@openssl.org<br>
<b>Subject:</b> [Newsletter] Re: [openssl-users] self-signed certificate won't work in my app but works with s_client<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">"error 18:self signed certificate" is the expected result if you are validating a self-signed cert.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In certificate verification, the code needs to check for X509_V_OK, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">X509_V_OK is a normal cert verification and the connection can proceed. X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY indicates that an otherwise valid cert has been processed, but the issuer is unknown. X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
indicates that a self-signed cert was read. Any other return value is a fatal error (signature failure etc).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Matthew<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 1 July 2016 at 05:34, Carl Heyendal <<a href="mailto:cheyendal@fortinet.com" target="_blank">cheyendal@fortinet.com</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal">I am working with the example apps in the "Networking Security with OpenSSL" book and up until now have been able to get client/server examples 1,2,3 to work. But now I'm trying to connect to an in-house tool but I'm getting the error "error
18:self signed certificate". Despite this error when I run my app (essentially client3), when I use s_client with the very same credentials...it works.<br>
<br>
I suspect that it has something to do with the ssl/tls api combination that I use in my 'client3' app.<br>
<br>
Here's the command and output for s_client that connects to the in-house tool which works:<br>
<br>
> openssl s_client -connect <a href="http://192.168.1.99:16001" target="_blank">
192.168.1.99:16001</a> -CAfile ../_security/SipInspector/certificate.pem -key ../_security/client.pem<br>
Enter pass phrase for ../_security/client.pem:<br>
CONNECTED(00000003)<br>
depth=0 C = CA, ST = Ontario, L = Ottawa, O = SIP Inspector Ltd, OU = Development, CN = 192.168.1.99<br>
verify return:1<br>
---<br>
Certificate chain<br>
0 s:/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector Ltd/OU=Development/CN=192.168.1.99<br>
i:/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector Ltd/OU=Development/CN=192.168.1.99<br>
---<br>
Server certificate<br>
-----BEGIN CERTIFICATE-----<br>
MIIFxTCCA62gAwIBAgIJALKQ3J5SEyjPMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV<br>
BAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMQ8wDQYDVQQHDAZPdHRhd2ExGjAYBgNV<br>
(snip)<br>
pt/q5/gKqRFbjyL0LDNz49vaSUYvbu3mgF2480Or4X+GPwemwdxJaF1pQw4C1WaF<br>
RyfVjDrLNhTvv+zKCbEPyrjXCweNVRVcp8lZ8R0HmXwfgevlCNz/GQo=<br>
-----END CERTIFICATE-----<br>
subject=/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector Ltd/OU=Development/CN=192.168.1.99<br>
issuer=/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector Ltd/OU=Development/CN=192.168.1.99<br>
---<br>
No client certificate CA names sent<br>
---<br>
SSL handshake has read 2309 bytes and written 509 bytes<br>
---<br>
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA<br>
Server public key is 4096 bit<br>
Secure Renegotiation IS supported<br>
Compression: NONE<br>
Expansion: NONE<br>
SSL-Session:<br>
Protocol : TLSv1.2<br>
Cipher : ECDHE-RSA-DES-CBC3-SHA<br>
Session-ID: 5755C781D91CF3177DF624EA3599EE430DAB4790F325FAD9378FEAE7731C4497<br>
Session-ID-ctx:<br>
Master-Key: D149008E43E29D658D29418C9F770B3D6018B1D7CA2F493027B0AC7C3BA8E53B572B68C371153568B8988A1E5F351839<br>
Key-Arg : None<br>
PSK identity: None<br>
PSK identity hint: None<br>
SRP username: None<br>
Start Time: 1465239425<br>
Timeout : 300 (sec)<br>
Verify return code: 0 (ok)<br>
---<br>
<br>
<br>
Here's the command and output when I run my app that tries to connect to the same in-house tool which fails:<br>
<br>
> ./client3 192.168.1.99<br>
Enter PEM pass phrase:<br>
connecting to <a href="http://192.168.1.99:16001" target="_blank">192.168.1.99:16001</a><br>
-Error with certificate at depth: 0<br>
issuer = /C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector Ltd/OU=Development /CN=192.168.1.99<br>
subject = /C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector Ltd/OU=Development/CN=192.168.1.99<br>
err 18:self signed certificate<br>
** client3.c:94 Error connecting SSL object<br>
139788992993088:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1180:<br>
><br>
<br>
Here are the api's I call in the my app that utilize the same credentials used by the s_client command:<br>
<br>
SSL_CTX_new(SSLv23_method());<br>
SSL_CTX_load_verify_locations(ctx, "../_security/SipInspector/certificate.pem", NULL)<br>
SSL_CTX_use_PrivateKey_file(ctx, "../_security/client.pem", SSL_FILETYPE_PEM)<br>
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);<br>
SSL_CTX_set_verify_depth(ctx, 4);<br>
SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);<br>
<br>
And also I used the openssl verify command to double check the certificate against itself (not sure if this really does anything).<br>
<br>
Any help would be appreciated.<br>
<br>
<br>
<br>
Carl Heyendal | Software Developer<br>
1826 Robertson Road | Ottawa, ON K2H 5Z6 | CANADA<br>
Office: +1 613-725-2980 x149<br>
<br>
<br>
<br>
<br>
<br>
*** Please note that this message and any attachments may contain confidential and proprietary material and information and are intended only for the use of the intended recipient(s). If you are not the intended recipient, you are hereby notified that any
review, use, disclosure, dissemination, distribution or copying of this message and any attachments is strictly prohibited. If you have received this email in error, please immediately notify the sender and destroy this e-mail and any attachments and all copies,
whether electronic or printed. Please also note that any views, opinions, conclusions or commitments expressed in this message are those of the individual sender and do not necessarily reflect the views of Fortinet, Inc., its affiliates, and emails are not
binding on Fortinet and only a writing manually signed by Fortinet's General Counsel can be a binding commitment of Fortinet to Fortinet's customers or partners. Thank you. ***<br>
<span style="color:#888888"><br>
<br>
<span class="hoenzb">--</span><br>
<span class="hoenzb">openssl-users mailing list</span><br>
<span class="hoenzb">To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" target="_blank">
https://mta.openssl.org/mailman/listinfo/openssl-users</a></span></span><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<html><div><br></div></html>
<font bgcolor="#ffffff" color="#000000"><b><BR><HR>
*** Please note that this message and any attachments may contain confidential
and proprietary material and information and are intended only for the use of
the intended recipient(s). If you are not the intended recipient, you are hereby
notified that any review, use, disclosure, dissemination, distribution or copying
of this message and any attachments is strictly prohibited. If you have received
this email in error, please immediately notify the sender and destroy this e-mail
and any attachments and all copies, whether electronic or printed.
Please also note that any views, opinions, conclusions or commitments expressed
in this message are those of the individual sender and do not necessarily reflect
the views of Fortinet, Inc., its affiliates, and emails are not binding on
Fortinet and only a writing manually signed by Fortinet's General Counsel can be
a binding commitment of Fortinet to Fortinet's customers or partners. Thank you. ***
<BR><HR></b></font>
</body>
</html>