<div class="__aliyun_email_body_block"><div  style="clear:both;"><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;color:#000000;">Hi,</span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;color:#000000;"><br ></span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;color:#000000;">I have a big problem about the OpenSSL usage, please help. 
</span></div></div><div  style="clear:both;"><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;line-height:23.3px;">OS: Linux version 3.7.10-1.1-desktop (geeko@buildhost) (gcc version 4.7.2 20130108 [gcc-4_7-branch revision 195012] (SUSE Linux) ) #1 SMP PREEMPT Thu Feb 28 15:06:29 UTC 2013 (82d3f21)</span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;line-height:23.3px;">OpenSSL version: OpenSSL 1.1.0  25 Aug 2016</span></div><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;color:#000000;"></span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;color:#000000;"><br ></span></div><div  
style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;color:#000000;">I created an OpenSSL client for an iOS APNs client; the SSL initialization function is below:</span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;color:#000000;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;display:inline;">#define CA_CERT_PATH          "./pem"</span><br  style="color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:23.3px;orphans:auto;text-align:start;text-indent:.0px;text-transform:none;white-space:normal;widows:1;word-spacing:.0px;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;display:inline;">#define RSA_CLIENT_CERT     "./pem/PushChatCert.pem"</span><br  
style="color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:23.3px;orphans:auto;text-align:start;text-indent:.0px;text-transform:none;white-space:normal;widows:1;word-spacing:.0px;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;display:inline;">#define RSA_CLIENT_KEY       "./pem/PushChatKey.pem"</span></span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;color:#000000;">bool CAPNSClient::InitAPNSClient()<br >{<br >    SSL_library_init();<br >    SSL_load_error_strings();<br >    ERR_clear_error();<br >    OpenSSL_add_all_algorithms();<br > <br >    m_pMeth = TLS_client_method();</span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;color:#000000;"><br >    m_pCtx = SSL_CTX_new(m_pMeth);<br >    if(NULL == m_pCtx)<br >    {<br >        ERRLOG("Could not get SSL Context");<br >        return false;<br >    }<br ><br >    if(0 == SSL_CTX_load_verify_locations(m_pCtx, NULL, CA_CERT_PATH))<br >    {<br >        /* Handle failed load here */<br >        ERRLOG("Failed to 
set CA location:%s", ERR_error_string( ERR_get_error(), NULL ));<br >        return false;<br >    }<br ><br >    if (0 == <span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;color:#ff0000;">SSL_CTX_use_certificate_file(m_pCtx, RSA_CLIENT_CERT, SSL_FILETYPE_PEM))</span><br >    {<br >        ERRLOG("Cannot use Certificate File:%s", ERR_error_string( ERR_get_error(), NULL ));<br >        return false;<br >    }<br ><br >    SSL_CTX_set_default_passwd_cb_userdata(m_pCtx, (void*)"XXXX");<br ><br >    if (0 == SSL_CTX_use_PrivateKey_file(m_pCtx, RSA_CLIENT_KEY, SSL_FILETYPE_PEM))<br >    {<br >        ERRLOG("Cannot use Private Key:%s", ERR_error_string( ERR_get_error(), NULL ));<br >        return false;<br >    }<br ><br >    if (0 == SSL_CTX_check_private_key(m_pCtx))<br >    {<br >        ERRLOG("Private key does not match the certificate public key");<br >        return false;<br >    }<br ><br >    return true;<br >}</span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;color:#000000;"><br ></span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;color:#000000;">When the program runs, SSL_CTX_use_certificate_file fails when loading the attached certificate! 
the error information is: <span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#ff0000;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;display:inline;background-color:#ffffff;"> error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small</span></span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#ff0000;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;display:inline;background-color:#ffffff;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;color:#000000;display:inline;background-color:#ffffff;"><br ></span></span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#ff0000;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;display:inline;background-color:#ffffff;"><span  
style="margin:.0px;padding:.0px;border:.0px;outline:.0px;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;color:#000000;display:inline;background-color:#ffffff;">Following the suggestion from rt@openssl.org last night, I used SSL_CTX_set_security_level(m_pCtx, 0) to switch the security level from 1 to 0. But SSL_CTX_use_certificate_file still failed! The log changed to: <span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#ff0000;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;display:inline;">error:140BF10C:SSL routines:ssl_set_cert:x509 lib</span></span></span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#ff0000;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;display:inline;background-color:#ffffff;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;color:#000000;display:inline;background-color:#ffffff;"><span  
style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#ff0000;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;display:inline;"><br ></span></span></span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;display:inline;background-color:#ffffff;">The weird thing is, this code and PEM file work well on another server, which has security level 1. So I guess the problem comes from the SSL config. After searching, I found 2 openssl.cnf files, one in /etc/ssl/, the other in /usr/local/ssl. There are only 4 config differences between these 2 files:</span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;display:inline;background-color:#ffffff;">1. 
default_bits, one is 2048, another is 1024</span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;display:inline;background-color:#ffffff;">2. basicConstraints, one is "critical,CA:true", another is "CA:true"</span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;display:inline;background-color:#ffffff;">3. 
signer_digest, one is "sha256", another don't have this parameter</span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;display:inline;background-color:#ffffff;">4. digests, one is "sha1, sha256, sha384, sha512", another is "md5, sha1"</span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;display:inline;background-color:#ffffff;"><br ></span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><span  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;float:none;display:inline;background-color:#ffffff;">I already debug this 
issue for whole day, but still don't have any progress. Please help me, at least guide me how to solve it. </span></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;"><br ></div><div  style="margin:.0px;padding:.0px;border:.0px;outline:.0px;color:#000000;font-family:Tahoma,Arial;font-size:14.0px;font-style:normal;font-variant:normal;font-weight:normal;line-height:23.3px;text-align:start;text-indent:.0px;text-transform:none;widows:1;clear:both;">Thanks a lot!</div><span  style="font-family:Tahoma,Arial,STHeiti,SimSun;font-size:14.0px;color:#000000;"><br ></span></div></div>
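
Added example, not part of the original message: a small C parser that splits the two error strings quoted above into their fields and unpacks the hex code using the OpenSSL 1.1.x layout (8 bits library, 12 bits function, 12 bits reason). The names `ossl_err`, `take_field` and `parse_ossl_error` are hypothetical, chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One line of the form error:<hex code>:<library>:<function>:<reason text> */
struct ossl_err {
    unsigned long code;
    int lib, func, reason;            /* unpacked from code */
    char lib_name[32], func_name[64], reason_text[64];
};

/* Copy text up to the next ':' into dst, return pointer past the ':'. */
static const char *take_field(const char *p, char *dst, size_t cap)
{
    size_t len = strcspn(p, ":");
    size_t n = len < cap - 1 ? len : cap - 1;
    memcpy(dst, p, n);
    dst[n] = '\0';
    p += len;
    return *p == ':' ? p + 1 : p;
}

/* Returns 0 on success, -1 if the line is not in the expected format. */
int parse_ossl_error(const char *line, struct ossl_err *e)
{
    char hex[17], *end;
    while (*line == ' ') line++;
    if (strncmp(line, "error:", 6) != 0) return -1;
    line = take_field(line + 6, hex, sizeof hex);
    e->code = strtoul(hex, &end, 16);
    if (end == hex || *end != '\0') return -1;
    /* OpenSSL 1.1.x packing: 8 bits library, 12 bits function, 12 bits reason */
    e->lib = (int)((e->code >> 24) & 0xFF);
    e->func = (int)((e->code >> 12) & 0xFFF);
    e->reason = (int)(e->code & 0xFFF);
    line = take_field(line, e->lib_name, sizeof e->lib_name);
    line = take_field(line, e->func_name, sizeof e->func_name);
    snprintf(e->reason_text, sizeof e->reason_text, "%s", line);
    return e->reason_text[0] ? 0 : -1;
}

int main(void)
{
    /* The two error strings quoted in the message above. */
    const char *lines[] = {
        "error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small",
        "error:140BF10C:SSL routines:ssl_set_cert:x509 lib",
    };
    struct ossl_err e;
    for (size_t i = 0; i < 2; i++)
        if (parse_ossl_error(lines[i], &e) == 0)
            printf("%08lX lib=%d func=%d reason=%d  %s / %s\n", e.code,
                   e.lib, e.func, e.reason, e.func_name, e.reason_text);
    return 0;
}
```

Library number 20 is libssl (`ERR_LIB_SSL`), so both failures are raised by libssl itself, in two different functions.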