[openssl-users] Re: [help]SSL_CTX_use_certificate_file failed!

zy_chongqing zy_chongqing at aliyun.com
Tue Sep 13 14:53:57 UTC 2016

Hi Matt,
Thanks for your reply. Please kindly find the attached file to get the certificate.
Actually, after I set the security level to 0, sometimes the result is the error code you read before, but sometimes the program will crash directly. I checked the stack information as below:
[2016-09-13 11:52:03][crash signal number:11]
0 ./MemoSrv() [0x808031e]
1 linux-gate.so.1(__kernel_sigreturn+0) [0xb7734400]
2 /lib/libpthread.so.0(pthread_rwlock_wrlock+0xf) [0xb74f45ff]
3 ./MemoSrv(CRYPTO_THREAD_write_lock+0x1b) [0x81783cb]
4 ./MemoSrv(X509_check_purpose+0x66) [0x8237756]
5 ./MemoSrv(X509_get_extension_flags+0x2c) [0x823794c]
6 /usr/local/lib/libssl.so.1.1(+0x4dd65) [0xb76a2d65]
7 /usr/local/lib/libssl.so.1.1(SSL_CTX_use_certificate+0x41) [0xb76853c1]
8 /usr/local/lib/libssl.so.1.1(SSL_CTX_use_certificate_file+0xed) [0xb768553d]
9 ./MemoSrv() [0x80bc93b]
10 ./MemoSrv() [0x80bd32a]
11 ./MemoSrv() [0x8088dc2]
12 ./MemoSrv() [0x80805e8]
13 /lib/libc.so.6(__libc_start_main+0xf3) [0xb738a6e3]
14 ./MemoSrv() [0x808010d]
If you need additional information or operation, please let me know. Thanks!
------------------------------------------------------------------
From: Matt Caswell <matt at openssl.org>
Sent: 13 September 2016 (Tuesday) 22:07
To: openssl-users <openssl-users at openssl.org>
Subject: Re: [openssl-users] [help]SSL_CTX_use_certificate_file failed!
Comments inserted...

On 13/09/16 14:17, zy_chongqing wrote:
> Hi,
> I have a big problem about the OpenSSL usage, please help.
> OS: Linux version 3.7.10-1.1-desktop (geeko at buildhost) (gcc version 4.7.2 20130108 [gcc-4_7-branch revision 195012] (SUSE Linux) ) #1 SMP PREEMPT Thu Feb 28 15:06:29 UTC 2013 (82d3f21)
> OpenSSL version: OpenSSL 1.1.0  25 Aug 2016
> I create an OpenSSL client for iOS APNs client, the SSL initial function
> as below:
> #define CA_CERT_PATH          "./pem"
> #define RSA_CLIENT_CERT     "./pem/PushChatCert.pem"
> #define RSA_CLIENT_KEY       "./pem/PushChatKey.pem"
> bool CAPNSClient::InitAPNSClient()
> {
>     SSL_library_init();
>     SSL_load_error_strings();
>     ERR_clear_error();
>     OpenSSL_add_all_algorithms();

None of the above 4 function calls are required in OpenSSL 1.1.0. They
can be removed. That's not your problem though...

>     m_pMeth = TLS_client_method();
>     m_pCtx = SSL_CTX_new(m_pMeth);
>     if(NULL == m_pCtx)
>     {
>         ERRLOG("Could not get SSL Context");
>         return false;
>     }
>     if(0 == SSL_CTX_load_verify_locations(m_pCtx, NULL, CA_CERT_PATH))
>     {
>         /* Handle failed load here */
>         ERRLOG("Failed to set CA location:%s", ERR_error_string( ERR_get_error(), NULL ));
>         return false;
>     }
>     if (0 == SSL_CTX_use_certificate_file(m_pCtx, RSA_CLIENT_CERT, SSL_FILETYPE_PEM))
>     {
>         ERRLOG("Cannot use Certificate File:%s", ERR_error_string( ERR_get_error(), NULL ));
>         return false;
>     }
>     SSL_CTX_set_default_passwd_cb_userdata(m_pCtx, (void*)"XXXX");
>     if (0 == SSL_CTX_use_PrivateKey_file(m_pCtx, RSA_CLIENT_KEY, SSL_FILETYPE_PEM))
>     {
>         ERRLOG("Cannot use Private Key:%s", ERR_error_string( ERR_get_error(), NULL ));
>         return false;
>     }
>     if (0 == SSL_CTX_check_private_key(m_pCtx))
>     {
>         ERRLOG("Private key does not match the certificate public key");
>         return false;
>     }
>     return true;
> }
> when the program runs, the SSL_CTX_use_certificate_file failed when loading
> the certificate as attached! the error information
> is:  error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
> as the suggestion from rt at openssl.org last night, I
> use SSL_CTX_set_security_level(m_pCtx, 0) to switch the security level from
> 1 to 0.  But SSL_CTX_use_certificate_file still failed! the log changed
> to: error:140BF10C:SSL routines:ssl_set_cert:x509 lib

As far as I can determine from the errors you are seeing,
SSL_CTX_use_certificate_file() has successfully read the certificate
file and returned a non NULL X509 object (otherwise you would have seen
a different error).

Once SSL_CTX_use_certificate_file() has got an X509 object it then calls

This calls an internal function ssl_security_cert(), which in turn calls
ssl_security_cert_key(), which calls X509_get0_pubkey() on the supplied
X509 object. *If this returns NULL* then an internal variable secbits
which represents the number of security bits in the public key is set to
-1. Subsequently various calls take place and if the number of security
bits is too small (which presumably -1 is) then you get the "ee key too
small" error.

By setting the security level to 0, the above is avoided and processing
gets further. SSL_CTX_use_certificate() next calls an internal function

The first thing ssl_set_cert() does is call X509_get0_pubkey() again. If
this returns NULL then you get the "x509 lib" error.

Therefore, I believe there is a problem with the X509_get0_pubkey()
call, such that it is always returning NULL for your particular
certificate. The question is why? Are you able to share the certificate
file?  Are there any other errors on the error queue besides these ones?
There are a few different things that could cause this and a number of
them would add additional errors to the error queue.


openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PushChatCert.pem
Type: application/octet-stream
Size: 2139 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160913/be3e9f02/attachment-0001.obj>
