[openssl-users] SSL alert number 48

wizard2010 at gmail.com wizard2010 at gmail.com
Tue Nov 28 10:03:12 UTC 2017


Hi there.

I guess my problem is really related to the verify callback
on the SSL_CTX_set_verify function.
I just added a dummy callback returning 1 to my code and everything works
properly.


> int verify_callback (int ok, X509_STORE_CTX *ctx);
> /* dummy callback: ignores the verifier's result and accepts every certificate */
> int verify_callback (int ok, X509_STORE_CTX *ctx)
> {
>     printf("Verification callback OK!\n");
>     return 1;
> }
> ...
> SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
> SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
> ...


The problem is that the error doesn't tell much about what's really
going on or what's really missing.
Thanks for your help.

Kind regards.


On Tue, Nov 28, 2017 at 9:11 AM, Jan Just Keijser <janjust at nikhef.nl> wrote:

> Hi,
>
> On 27/11/17 17:07, wizard2010 at gmail.com wrote:
>
> Hi there.
>
> I'm getting this error on a TLS server & client that I'm implementing and I
> can't really understand what I'm doing wrong.
>
>> 139853560931992:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert
>> unknown ca:s3_pkt.c:1487:SSL alert number 48
>> 139853560931992:error:140790E5:SSL routines:ssl23_write:ssl handshake
>> failure:s23_lib.c:177:
>
>
> This is the code of my server: https://pastebin.com/Fyuki8v0 and I
> generate the certificates this way: https://pastebin.com/CDRKU2Gc
> And I'm testing the server this way: openssl s_client -host 127.0.0.1
> -port 4444 -cert client.crt -key client.key -CAfile ca.crt
>
> If I run a server this way openssl s_server -key server.key -cert
> server.crt -CAfile ca.crt -accept 4444
> I'm able to communicate with the same certificates and on my server code I
> always get:
>
>> Handshake Error 1
>> SSL_ERROR_SSL...
>
>
> This is the result of openssl s_client command:
> https://pastebin.com/AWid1mxi
>
> FWIW: I've downloaded and compiled your code, generated certs using your
> script (which generates a client and server cert with the same serial
> number, BTW) and ran the code: I can connect just fine using either openssl
> 1.0.1e or 1.1.0e
>
> My bet is that when you run your code you are not loading the right ca.crt
> file; another way to debug is to add an x509 verify callback which
> prints out each cert as it is passed for verification.
>
> HTH,
>
> JJK
>
>