[openssl-users] SSL alert number 48

wizard2010 at gmail.com wizard2010 at gmail.com
Wed Nov 29 13:44:01 UTC 2017


On Tue, Nov 28, 2017 at 9:11 PM, Viktor Dukhovni <openssl-users at dukhovni.org
> wrote:

> On Tue, Nov 28, 2017 at 10:03:12AM +0000, wizard2010 at gmail.com wrote:
>
> > I guess my problem is really related to verify callback
> > on SSL_CTX_set_verify function.
> > I just add to my code a dummy callback returning 1 and everything works
> > properly.
> >
> >
> > > int verify_callback (int ok, X509_STORE_CTX *ctx);
> > > int verify_callback (int ok, X509_STORE_CTX *ctx)
> > > {
> > >     printf("Verification callback OK!\n");
> > >     return 1;
> > > }
> > > ...
> > > SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
> > > SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
>
> The above completely disables authentication of the peer certificate,
> and makes your application vulnerable to man-in-the-middle attacks.
> Perhaps that's OK, but often it is not.
>

Why did you say that code disable the authentication?
One thing that I didn't understand is what type of verification is made on
SSL_CTX_set_verify function.
And what is supposed/right thing to do on  verify_callback in order to
perform the client certificate authentication?

Kind regards.


> > The problem is that error don't tell much information about what's really
> > going on or what's really missing.
>
> When the verification callback is failing, the peer's certificate
> chain is either incomplete or is using a trust-anchor (root CA)
> that is not configured as trusted on your end.
>
> --
>         Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171129/44b59740/attachment.html>


More information about the openssl-users mailing list