[openssl-dev] [openssl.org #4673] a weird error, please help to check whether it is a bug. thanks!

zy_chongqing via RT rt at openssl.org
Mon Sep 12 20:08:10 UTC 2016


Hello,
I have a function to initialize the CTX as below:
#include <openssl/ssl.h>
#include <openssl/err.h>

#define CA_CERT_PATH          "./pem"
#define RSA_CLIENT_CERT     "./pem/PushChatCert.pem"
#define RSA_CLIENT_KEY       "./pem/PushChatKey.pem"
bool CAPNSClient::InitCTX()
{
    SSL_library_init();
    SSL_load_error_strings();
    OpenSSL_add_all_algorithms();
 
    m_pMeth = TLS_client_method();
    m_pCtx = SSL_CTX_new(m_pMeth);
    if(NULL == m_pCtx)
    {
        ERRLOG("Could not get SSL Context");
        return false;
    }

    if(0 == SSL_CTX_load_verify_locations(m_pCtx, NULL, CA_CERT_PATH))
    {
        ERRLOG("Failed to set CA location:%s", ERR_error_string( ERR_get_error(), NULL ));
        return false;
    }

    if (0 == SSL_CTX_use_certificate_file(m_pCtx, RSA_CLIENT_CERT, SSL_FILETYPE_PEM))
    {
        ERRLOG("Cannot use Certificate File:%s", ERR_error_string( ERR_get_error(), NULL ));
        return false;
    }

    SSL_CTX_set_default_passwd_cb_userdata(m_pCtx, (void*)"Memo_Server");
 
    if (0 == SSL_CTX_use_PrivateKey_file(m_pCtx, RSA_CLIENT_KEY, SSL_FILETYPE_PEM))
    {
        ERRLOG("Cannot use Private Key:%s", ERR_error_string( ERR_get_error(), NULL ));
        return false;
    }

    /* Check that the client certificate and private key match */
    if (0 == SSL_CTX_check_private_key(m_pCtx))
    {
        ERRLOG("Private key does not match the certificate public key");
        return false;
    }

    return true;
}
SSL_CTX_use_certificate_file returns 0, and the log shows: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small

1. This program runs well on one server, but fails on another. Actually, these 2 servers are mirrors of each other.
2. I checked the pem file (as attached); it is also the same on the two servers.
3. I checked the error reason, but cannot find any description of it on the website.

I am almost going crazy over this issue. Would you help to check what the reason for this error is? Thanks a lot!

My OS: Linux version 3.7.10-1.1-desktop (geeko at buildhost) (gcc version 4.7.2 20130108 [gcc-4_7-branch revision 195012] (SUSE Linux) ) #1 SMP PREEMPT Thu Feb 28 15:06:29 UTC 2013 (82d3f21)
OpenSSL version: OpenSSL 1.1.0  25 Aug 2016

Thanks & Regards!
-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4673
Please log in as guest with password guest if prompted

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PushChatCert.pem
Type: application/octet-stream
Size: 2139 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160912/45c145be/attachment.obj>

