<div dir="ltr">I am asking a question regarding OpenSSL.  I thought the mailing list was the place.  I read this on the GitHub page of OpenSSL<div><br></div><div><i>    If you have questions about how to use OpenSSL for specific tasks<br>    or how to solve certain problems you have when using it, you might<br>    want to ask them on the <a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a> mailing list.<br>    There you can get help from a great community of OpenSSL users,<br>    not only (but including) the OpenSSL developers. For more information<br>    about our mailing lists, see<br>    <a href="https://www.openssl.org/community/mailinglists.html">https://www.openssl.org/community/mailinglists.html</a>.</i><br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Dec 16, 2022 at 5:14 PM, psv sridhar <<a href="mailto:psv_sridhar@yahoo.com">psv_sridhar@yahoo.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:"courier new",courier,monaco,monospace,sans-serif;font-size:16px"><div><div dir="ltr">You are sending flooded emails wrongly. Stop it.</div><div><br></div><div><div><font color="#2d2d2d" face="arial"><b><var id="m_240327057844935802ydp9d3147a5yui-ie-cursor"></var></b></font> </div><div><font color="#2d2d2d" face="arial"><b>Thanks and Regards<br></b></font><font color="#2d2d2d" face="arial"><font color="#2d2d2d" face="arial"><b>Sridhar PSV</b></font></font></div><font color="#2d2d2d" face="arial"></font><div><font color="#2d2d2d" face="arial"><div><b>Phone 571 244-5862</b></div></font></div></div></div>
        <div><br></div><div><br></div>
        
        </div><div id="m_240327057844935802ydp7972b741yahoo_quoted_1513837487">
            <div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:13px;color:rgb(38,40,42)">
                
                <div>
                    On Friday, December 16, 2022 at 04:08:38 PM CST, Pierre-Luc Boily <<a href="mailto:pierreluc.boily@gmail.com" target="_blank">pierreluc.boily@gmail.com</a>> wrote:
                </div>
                <div><br></div>
                <div><br></div>
                <div><div id="m_240327057844935802ydp7972b741yiv9153410716"><div dir="ltr">Hello,<div><br></div><div><h2 style="margin:0px 0px 0.7em;padding:0px;border:0px;font-stretch:inherit;line-height:1.3;font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif";vertical-align:baseline;color:rgb(35,38,41)"><u><font size="4">Details</font></u></h2></div><div>OS : Windows 10</div><div>Arch : x64</div><div>Compiler : Visual Studio 2017</div><div><br></div><div><span style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif"">I have a </span><strong style="margin:0px;padding:0px;border:0px;font-stretch:inherit;line-height:inherit;font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif";vertical-align:baseline;color:rgb(35,38,41)">c++ wss <a href="https://github.com/machinezone/IXWebSocket" style="margin:0px;padding:0px;border:0px;font-style:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline" rel="nofollow" target="_blank">IXWebSocket</a> client</strong><span style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif""> that tries to connect to a </span><strong style="margin:0px;padding:0px;border:0px;font-stretch:inherit;line-height:inherit;font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif";vertical-align:baseline;color:rgb(35,38,41)">nodejs https/websocket server</strong><span style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif""> but the client refuses to connect and returns the error : </span><em style="margin:0px;padding:0px;border:0px;font-stretch:inherit;line-height:inherit;font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif";vertical-align:baseline;color:rgb(35,38,41)">OpenSSL failed - error:0A000086:SSL routines::certificate verify failed</em></div><div><span style="margin:0px;padding:0px;border:0px;font-stretch:inherit;line-height:inherit;vertical-align:baseline"><h2 
style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif";margin:1.667em 0px 0.7em;padding:0px;border:0px;font-stretch:inherit;line-height:1.3;vertical-align:baseline"><font size="4"><u>What I tried</u></font></h2><ol style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif";margin:0px 0px 1.1em 30px;padding:0px;border:0px;font-stretch:inherit;line-height:inherit;vertical-align:baseline;list-style-position:initial"><li style="margin-left:0px;margin-top:0px;margin-right:0px;padding:0px;border:0px;font-style:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline"><span style="font-weight:inherit">I have a React front end using wss to communicate to my https nodejs server. </span><strong style="margin:0px;padding:0px;border:0px;font-style:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">It works -></strong><span style="font-weight:inherit;margin:0px;padding:0px;border:0px;font-style:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline"> </span><span style="margin:0px;padding:0px;border:0px;font-style:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline"><b>This confirms that my key and certificate are valid.</b></span></li><li style="margin:0px;padding:0px;border:0px;font-style:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">I also tried the same c++ client above, not secured (no wss) connecting to my same nodejs server, but http/websocket (non secure). 
<strong style="margin:0px;padding:0px;border:0px;font-style:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">It works</strong>.</li></ol><div style="color:rgb(35,38,41)"><font face="-apple-system, BlinkMacSystemFont, Segoe UI Adjusted, Segoe UI, Liberation Sans, sans-serif">So, I had to dig into the OpenSSL code and I found where the error is triggered, see code below.  In my case </font><font face="arial, sans-serif"><em style="color:rgb(36,41,47)">s->verify_mode</em><span style="color:rgb(36,41,47)"> is equal to </span><em style="color:rgb(36,41,47)">SSL_VERIFY_PEER</em><span style="color:rgb(36,41,47)"> and </span><em style="color:rgb(36,41,47)">i</em><span style="color:rgb(36,41,47)"> equal to </span><em style="color:rgb(36,41,47)">0</em></font><span style="color:rgb(36,41,47)"><font face="arial, sans-serif" style="background-color:inherit"> and I don't know if those values are OK or not.</font></span></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif""><span style="color:rgb(36,41,47);font-family:-apple-system,BlinkMacSystemFont,Helvetica,Arial,sans-serif,"Color UI""><br></span></div><div style="color:rgb(35,38,41)"><font face="arial, sans-serif"><span style="color:rgb(36,41,47)">While I wa</span></font><font face="arial, sans-serif"><span style="color:rgb(36,41,47)">s</span><span style="color:rgb(36,41,47)"> digging i</span><span style="color:rgb(36,41,47)">nto the code, I also realized that <i>SSL_OP_NO_TLSv1_3</i> is automagically defined for my code.  
I feel that it is incorrect</span></font><span style="font-family:-apple-system,BlinkMacSystemFont,Helvetica,Arial,sans-serif,"Color UI";color:rgb(36,41,47)">.</span></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif";font-size:15px"><span style="color:rgb(36,41,47);font-family:-apple-system,BlinkMacSystemFont,Helvetica,Arial,sans-serif,"Color UI";font-size:14px"><br></span></div><div style="font-size:15px"><span style="font-size:14px"><b><u><font face="-apple-system, BlinkMacSystemFont, Segoe UI, Noto Sans, Helvetica, Arial, sans-serif, Apple Color Emoji, Segoe UI Emoji" style="color:rgb(36,41,47)">From </font><font face="monospace" color="#0000ff">statem_clnt.c</font><font face="-apple-system, BlinkMacSystemFont, Segoe UI, Noto Sans, Helvetica, Arial, sans-serif, Apple Color Emoji, Segoe UI Emoji" style="color:rgb(36,41,47)"> line 1888</font></u></b><font face="-apple-system, BlinkMacSystemFont, Segoe UI, Noto Sans, Helvetica, Arial, sans-serif, Apple Color Emoji, Segoe UI Emoji" style="color:rgb(36,41,47);background-color:inherit">:</font></span></div><div><font face="monospace" color="#0000ff">    if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {<br>        SSLfatal(s, ssl_x509err2alert(s->verify_result),<br>                 SSL_R_CERTIFICATE_VERIFY_FAILED);<br>        return WORK_ERROR;<br>    }</font><br></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif";font-size:15px"><br></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif";font-size:15px"><u><b>Stacktrace</b></u>:</div><div><font face="monospace" size="1"><font color="#232629">>   </font><font color="#0000ff">libssl-3-x64.dll!tls_post_process_server_certificate(ssl_st<br>       libssl-3-x64.dll!ossl_statem_client_post_process_message(ss<br>  libssl-3-x64.dll!read_state_machine(ssl_st * s) Line 675        <br>     libssl-3-x64.dll!state_machine(ssl_st * s, int server) 
Line<br>  libssl-3-x64.dll!ossl_statem_connect(ssl_st * s) Line 266       <br>     libssl-3-x64.dll!SSL_do_handshake(ssl_st * s) Line 3937 C  <br>         libssl-3-x64.dll!SSL_connect(ssl_st * s) Line 1760      C      <br>   testWSClient.exe!ix::SocketOpenSSL::openSSLClientHandshake(<br>  testWSClient.exe!ix::SocketOpenSSL::connect(const std::basi<br>  testWSClient.exe!ix::WebSocketHandshake::clientHandshake(co<br>  testWSClient.exe!ix::WebSocketTransport::connectToUrl(const<br>  testWSClient.exe!ix::WebSocket::connect(int timeoutSecs) Li<br>  testWSClient.exe!ix::WebSocket::checkConnection(bool firstC<br>  testWSClient.exe!ix::WebSocket::run() Line 367  C++   </font></font><span style="font-size:15px;font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif""><font color="#0000ff" style="background-color:inherit">   </font><font color="#232629" style="background-color:inherit">  </font><br></span></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif";font-size:15px"><br></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif";font-size:15px"><u><b>IXWebClient, how key/cert are set </b>:</u></div><div><font face="monospace" color="#0000ff"><span style="font-size:15px">  </span>  ix::SocketTLSOptions tlsOptions;<br>    tlsOptions.certFile = "WebRTC.test.crt";<br>    tlsOptions.keyFile = "WebRTC.test.key";<br>    tlsOptions.caFile = "WebRTC-CA.pem";<br>    webSocket.setTLSOptions(tlsOptions);<br>    std::string url("wss://localhost:8080");<br>    webSocket.setUrl(url);</font><br></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif";font-size:15px"><br></div><div style="color:rgb(35,38,41)"><font face="arial, sans-serif">No matter if the path of the key/certificate exists or not, I have the same error message from OpenSSL, which is weird...</font></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"UI 
sans-serif";font-size:15px"><br></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"UI sans-serif";font-size:15px"><b><u>So :</u></b> </div><div style="color:rgb(35,38,41)"><font face="arial, sans-serif">1. Any idea why I have <i>certificate verify failed</i>?</font></div><div style="color:rgb(35,38,41)"><font face="arial, sans-serif">2. Is it normal that <em style="color:rgb(36,41,47)">s->verify_mode</em><span style="color:rgb(36,41,47)"> is equal to </span><em style="color:rgb(36,41,47)">SSL_VERIFY_PEER</em><span style="color:rgb(36,41,47)"> and </span><em style="color:rgb(36,41,47)">i</em><span style="color:rgb(36,41,47)"> equal to </span><em style="color:rgb(36,41,47)">0</em></font></div><div><font face="arial, sans-serif"><font color="#24292f">3. Is it normal that </font><span style="color:rgb(36,41,47)"><i>SSL_OP_NO_TLSv1_3</i> is enabled in the code?</span></font></div><div><span style="color:rgb(36,41,47);font-family:arial,sans-serif"><br></span></div><div><span style="color:rgb(36,41,47);font-family:arial,sans-serif">Thanks a lot for any help.</span></div></span></div></div>
</div></div>
            </div>
        </div></div></blockquote></div>
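<div>Added example, not part of any message in this thread and not OpenSSL or IXWebSocket code: the check quoted from <em>statem_clnt.c</em> reports only the generic "certificate verify failed", while the specific reason is the X509 error code kept in <em>s->verify_result</em>. The script builds a throwaway CA and leaf (every file name and subject is constructed for the demo) and uses <em>openssl verify</em> to show that code for a matching and a non-matching root.</div>

```shell
#!/bin/sh
# Added example: throwaway PKI made with the openssl CLI. All names, subjects
# and paths are constructed for this demo; none come from the thread.

# make_pki DIR: two unrelated self-signed roots and one leaf signed by right-ca.
make_pki() {
  pki=$1
  for ca in right-ca wrong-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$ca" \
      -keyout "$pki/$ca.key" -out "$pki/$ca.pem" >/dev/null 2>&1 || return 1
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$pki/leaf.key" -out "$pki/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$pki/leaf.csr" -days 2 -CAcreateserial \
    -CA "$pki/right-ca.pem" -CAkey "$pki/right-ca.key" \
    -out "$pki/leaf.crt" >/dev/null 2>&1
}

# verify_code CAFILE CERT: print the numeric X509_V_ERR_* code (0 = chain OK).
verify_code() {
  if vc_out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo 0
    return 0
  fi
  # A failed run prints a line like "error N at D depth lookup: <reason>".
  printf '%s\n' "$vc_out" |
    sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# demo: same leaf, checked once against its issuer and once against a stranger.
demo() {
  demo_dir=$(mktemp -d) || return 1
  if make_pki "$demo_dir"; then
    echo "issuing root  : code $(verify_code "$demo_dir/right-ca.pem" "$demo_dir/leaf.crt")"
    echo "unrelated root: code $(verify_code "$demo_dir/wrong-ca.pem" "$demo_dir/leaf.crt")"
  fi
  rm -rf "$demo_dir"
}

demo
```

Against a live server, `openssl s_client -connect <host>:<port> -CAfile <bundle>` reports the same code on its "Verify return code" line.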