<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
On 29/11/17 14:37, <a class="moz-txt-link-abbreviated" href="mailto:wizard2010@gmail.com">wizard2010@gmail.com</a> wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAEAeT_gR0uxN3fGgZKo3J7NuGPY-5zW_nD7qquhMAykinrnJLg@mail.gmail.com">
<div dir="ltr">Hi JJK,
<div><br>
</div>
<div>I tested your function and I've got this result:</div>
<div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">ok = 0<br>
cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd<br>
ok = 1<br>
cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd</blockquote>
</div>
<div><br>
</div>
<div>Why do I see this two times?</div>
<div>When I created the certificates I didn't fill in any
special information, I just pressed enter at every question
that was asked. Do you think this could cause this issue?</div>
<div><br>
</div>
</div>
</blockquote>
<br>
what you should have seen is the certificate stack, starting with
the CA, and then the client cert, e.g.<br>
<br>
<pre>Connection accept...
ok = 1
cert DN: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/emailAddress=openvpn@example.com
ok = 1
cert DN: /C=US/O=Cookbook 2.4/CN=client1</pre>
<br>
<br>
so I suspect that your ca.crt on the server side is not specified
correctly. <br>
You may also send me your ca.crt, server.{crt,key} and
client.{crt,key} files privately, and I will run the same test using
your set of certificates.<br>
<br>
HTH,<br>
<br>
JJK<br>
<br>
<br>
<blockquote type="cite"
cite="mid:CAEAeT_gR0uxN3fGgZKo3J7NuGPY-5zW_nD7qquhMAykinrnJLg@mail.gmail.com">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Nov 29, 2017 at 8:56 AM, Jan
Just Keijser <span dir="ltr"><<a
href="mailto:janjust@nikhef.nl" target="_blank"
moz-do-not-send="true">janjust@nikhef.nl</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_-2945823362963703202moz-cite-prefix">Hi,<span
class=""><br>
<br>
On 28/11/17 11:03, <a
class="m_-2945823362963703202moz-txt-link-abbreviated"
href="mailto:wizard2010@gmail.com" target="_blank"
moz-do-not-send="true">wizard2010@gmail.com</a>
wrote:<br>
</span></div>
<blockquote type="cite">
<div dir="ltr">Hi there.
<div><br>
</div>
<span class="">
<div>I guess my problem is really related to the verify
callback of the SSL_CTX_set_verify function.</div>
<div>I just added a dummy callback returning 1 to my
code and everything works properly.</div>
<div><br>
</div>
<div>
<blockquote style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex"
class="gmail_quote"><pre>#include &lt;stdio.h&gt;
#include &lt;openssl/ssl.h&gt;

int verify_callback (int ok, X509_STORE_CTX *ctx);
int verify_callback (int ok, X509_STORE_CTX *ctx)
{
    /* dummy callback: ignores OpenSSL's verdict (ok) and accepts every certificate */
    printf("Verification callback OK!\n");
    return 1;
}
...
/* pass the callback defined above */
SSL_CTX_set_verify(ssl_server_ctx,
                   SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                   verify_callback);
...</pre></blockquote>
</div>
<div><br>
</div>
<div>The problem is that the error doesn't give much
information about what's really going on or what's
really missing.</div>
<div>Thanks for your help.</div>
<div><br>
</div>
</span></div>
</blockquote>
Now you've effectively disabled all security :)<br>
<br>
Try adding this to the verify_callback<br>
<br>
<br>
<pre>static int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    X509 *cert = NULL;
    char *cert_DN = NULL;

    /* ok is OpenSSL's verdict for the certificate at the current depth */
    printf("ok = %d\n", ok);
    cert = X509_STORE_CTX_get_current_cert(ctx);
    if (cert != NULL) {
        /* X509_NAME_oneline() with a NULL buffer allocates; free it afterwards */
        cert_DN = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
        printf("cert DN: %s\n", cert_DN);
        OPENSSL_free(cert_DN);
    }

    /* hand OpenSSL's verdict back unchanged so the diagnostics do not weaken verification */
    return ok;
}</pre>
<br>
<br>
that way, you will know whether your server is processing
the right certificate chain.<br>
<br>
HTH,<br>
<br>
JJK<br>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>