[openssl-users] [help]SSL_CTX_use_certificate_file failed!
Matt Caswell
matt at openssl.org
Tue Sep 13 14:06:44 UTC 2016
Comments inserted...
On 13/09/16 14:17, zy_chongqing wrote:
> Hi,
>
> I have a big problem about the OpenSSL usage, please help.
> OS: Linux version 3.7.10-1.1-desktop (geeko at buildhost) (gcc version 4.7.2 20130108 [gcc-4_7-branch revision 195012] (SUSE Linux) ) #1 SMP PREEMPT Thu Feb 28 15:06:29 UTC 2013 (82d3f21)
> OpenSSL version: OpenSSL 1.1.0 25 Aug 2016
>
> I create a OpenSSL client for iOS APNs client, the SSL initial function
> as below:
> #define CA_CERT_PATH "./pem"
> #define RSA_CLIENT_CERT "./pem/PushChatCert.pem"
> #define RSA_CLIENT_KEY "./pem/PushChatKey.pem"
> bool CAPNSClient::InitAPNSClient()
> {
> SSL_library_init();
> SSL_load_error_strings();
> ERR_clear_error();
> OpenSSL_add_all_algorithms();
None of the above 4 function calls are required in OpenSSL 1.1.0. They
can be removed. That's not your problem though...
>
> m_pMeth = TLS_client_method();
>
> m_pCtx = SSL_CTX_new(m_pMeth);
> if(NULL == m_pCtx)
> {
> ERRLOG("Could not get SSL Context");
> return false;
> }
>
> if(0 == SSL_CTX_load_verify_locations(m_pCtx, NULL, CA_CERT_PATH))
> {
> /* Handle failed load here */
> ERRLOG("Failed to set CA location:%s", ERR_error_string( ERR_get_error(), NULL ));
> return false;
> }
>
> if (0 == SSL_CTX_use_certificate_file(m_pCtx, RSA_CLIENT_CERT, SSL_FILETYPE_PEM))
> {
> ERRLOG("Cannot use Certificate File:%s", ERR_error_string( ERR_get_error(), NULL ));
> return false;
> }
>
> SSL_CTX_set_default_passwd_cb_userdata(m_pCtx, (void*)"XXXX");
>
> if (0 == SSL_CTX_use_PrivateKey_file(m_pCtx, RSA_CLIENT_KEY, SSL_FILETYPE_PEM))
> {
> ERRLOG("Cannot use Private Key:%s", ERR_error_string( ERR_get_error(), NULL ));
> return false;
> }
>
> if (0 == SSL_CTX_check_private_key(m_pCtx))
> {
> ERRLOG("Private key does not match the certificate public key");
> return false;
> }
>
> return true;
> }
>
> when the programe run, the SSL_CTX_use_certificate_file failed when load
> the certificate as attached! the error information
> is: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
>
> as the suggestion from rt at openssl.org last night, I
> use SSL_CTX_set_security_level(m_pCtx, 0) switch the security level from
> 1 to 0. But SSL_CTX_use_certificate_file still failed! the log chang
> to: error:140BF10C:SSL routines:ssl_set_cert:x509 lib
As far as I can determine from the errors you are seeing,
SSL_CTX_use_certificate_file() has successfully read the certificate
file and returned a non NULL X509 object (otherwise you would have seen
a different error).
Once SSL_CTX_use_certificate_file() has got an X509 object it then calls
SSL_CTX_use_certificate().
This calls an internal function ssl_security_cert(), which in turn calls
ssl_security_cert_key(), which calls X509_get0_pubkey() on the supplied
X509 object. *If this returns NULL* then an internal variable secbits
which represents the number of security bits in the public key is set to
-1. Subsequently various calls take place and if the number of security
bits is too small (which presumably -1 is) then you get the "ee key too
small" error.
By setting the security level to 0, the above is avoided and processing
gets further. SSL_CTX_use_certificate() next calls an internal function
ssl_set_cert().
The first thing ssl_set_cert() does is call X509_get0_pubkey() again. If
this return NULL then you get the "x509 lib" error.
Therefore, I believe there is a problem with the X509_get0_pubkey()
call, such that it is always returning NULL for your particular
certificate. The question is why? Are you able to share the certificate
file? Are there any other errors on the error queue besides these ones?
There are a few different things that could cause this and a number of
them would add additional errors to the error queue.
Matt
More information about the openssl-users
mailing list