SSL Certs won't verify.

**Strobez** · 08-17-2017

I'm trying to get my head around Client/Server programming with the OpenSSL C API, I've managed to make requests and get the response on the client side, and there's no trouble when using my system CA bundle and connecting to Google for example, but when i create my own CA, and run a server using a certificate signed with an intermediate CA, i get the request on the server, and send a response, the client is getting that response but can't verify the certificate.

Can someone point out what i might be doing wrong?

Client side:

Code:

#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/ssl.h>

int main() {
    SSL_load_error_strings();
    ERR_load_BIO_strings();
    OpenSSL_add_all_algorithms();

    BIO * bio;
    SSL_CTX * ctx = SSL_CTX_new(SSLv23_client_method());
    SSL * ssl;
    char resp[4096];

    if(! SSL_CTX_load_verify_locations(ctx, "/root/Desktop/SSL/RootCA/RootCA.crt", NULL)) {
        printf("Error loading trust store!\n");
        return 0;
    }

    bio = BIO_new_ssl_connect(ctx);
    BIO_get_ssl(bio, & ssl);
    SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);

    BIO_set_conn_hostname(bio, "127.0.0.1:4433");


    if(BIO_do_connect(bio) <= 0) {
        printf("Error opening connection!\n");
        return 0;
    }

    if(SSL_get_verify_result(ssl) != X509_V_OK) {
        printf("Couldn't verify server certificate!\n");
        return 0;
    }

    if(BIO_write(bio, "GET / HTTP/1.1\n"
            "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\n\n", 500) <= 0) {
        printf("Error writing to socket!");
    }


    if(BIO_read(bio, resp, sizeof(resp)) <= 0) {
        printf("Error reading from socket!");
    } else { printf("%s", resp); }




    SSL_CTX_free(ctx);
    BIO_free_all(bio);

    return 0;
}

Server side:

Code:

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

int create_socket(int port) {
    int s;
    struct sockaddr_in addr;

    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = htonl(INADDR_ANY);

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) {
        perror("Unable to create socket");
        exit(EXIT_FAILURE);
    }

    if (bind(s, (struct sockaddr*)&addr, sizeof(addr)) < 0) {
        perror("Unable to bind");
        exit(EXIT_FAILURE);
    }

    if (listen(s, 1) < 0) {
        perror("Unable to listen");
        exit(EXIT_FAILURE);
    }

    return s;
}

void init_openssl() {
    SSL_load_error_strings();
    OpenSSL_add_ssl_algorithms();
}

void cleanup_openssl() {
    EVP_cleanup();
}

SSL_CTX *create_context() {
    const SSL_METHOD *method;
    SSL_CTX *ctx;

    method = SSLv23_server_method();

    ctx = SSL_CTX_new(method);
    if (!ctx) {
        perror("Unable to create SSL context");
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }

    return ctx;
}

void configure_context(SSL_CTX *ctx) {
    SSL_CTX_set_ecdh_auto(ctx, 1);

    /* Set the key and cert */
    if (SSL_CTX_use_certificate_file(ctx, "/root/Desktop/SSL/Server/server.crt", SSL_FILETYPE_PEM) <= 0) {
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }

    if (SSL_CTX_use_PrivateKey_file(ctx, "/root/Desktop/SSL/Server/server.key", SSL_FILETYPE_PEM) <= 0 ) {
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }
}

int main(int argc, char **argv) {
    int sock;
    SSL_CTX *ctx;

    init_openssl();
    ctx = create_context();

    configure_context(ctx);

    sock = create_socket(4433);

    /* Handle connections */
    while(1) {
        struct sockaddr_in addr;
        uint len = sizeof(addr);
        SSL ........l;
        const char reply[] = "test\n";

        int client = accept(sock, (struct sockaddr*)&addr, &len);
        if (client < 0) {
            perror("Unable to accept");
            exit(EXIT_FAILURE);
        }

        ssl = SSL_new(ctx);
        SSL_set_fd(ssl, client);

        if (SSL_accept(ssl) <= 0) {
            ERR_print_errors_fp(stderr);
        }
        else {
            SSL_write(ssl, reply, sizeof(reply));
        }

        SSL_free(ssl);
        close(client);
    }

    close(sock);
    SSL_CTX_free(ctx);
    cleanup_openssl();
}

I have a directory called SSL inside that directory is 3 other folders:
RootCA
IntCA
Server

The process i used to create certificates is as follows, from within the SSL directory:

openssl genrsa -out RootCA.key 4096

openssl req -new -x509 -days 100000 -key RootCA.key -out RootCA.crt

openssl genrsa -out IntCA.key 4096

openssl req -new -key IntCA.key -out IntCA.csr

openssl x509 -req -days 100000 -in IntCA.csr -CA RootCA.crt -CAkey RootCA.key -CAcreateserial -out IntCA.crt

openssl genrsa -out server.key 4096

openssl req -new -key server.key -out server.csr

openssl x509 -req -in server.csr -CA IntCA.crt -CAkey IntCA.key -set_serial 01 -out server.crt -days 1000 -sha1

mv RootCA.* RootCA; mv IntCA.* IntCA; mv server.* Server

At this point i'm not sure if it's a problem with the way certificates have been created or an issue with the code, most of which was basically from ibm.com examples and the server is a mixture of code snippets.

**whiteflags** · 08-17-2017

Have you imported your CA into your browser(s) and told them that you trust them? Self signed certificates aren't considered safe for the internet so most clients would bark (like a browser).

Also you can do it in one line:

Code:

 openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

**Strobez** · 08-17-2017

I'm using OpenSSL C API for both client and server. After using openssl s_client -connect localhost:4433 -CAfile /path/to/ca.crt in the terminal, it shows there is a problem with chain of trust. I guessed that means i need to create a CA bundle with both Root and Intermediate certificates. So i tried that, but now it's telling me it's an invalid CA certificate.
I'm fairly sure the CA bundle is correct but i could be wrong.. Is there some way in OpenSSL to chose a bundle instead of a single certificate, or is it the same?
If there's not meant to be a change in the code then it's possible something is wrong with the way i have created the bundle.crt file.

**whiteflags** · 08-18-2017

I didn't promise that there wouldn't be changes to the code. There are examples online of how to verify certs with OpenSSL. Maybe you just haven't read far enough into the resource that you are using, but OpenSSL tends to involve many functions. I strongly suspect the example that you've cobbled together was never meant to validate anything. So, even a negative response is expected, in this case. Validation from the server code involves a handful of functions that you aren't using: certverify.c - example 'C' code for certificate validation

Note in this example how CA_bundlestr[] was used, among other things.

**Strobez** · 08-18-2017

I removed the Intermediate CA and signed the server cert directly with the RootCA, then used RootCA to verify the server.
It now works, however not as i'd hoped.
For now i guess it's not a C programming question, but if anyone has any suggestions as to what went wrong, feel free to leave them here.
Any time i try load a Ca bundle with more than one CA cert, i get errors.

**Strobez** · 08-18-2017

I posted below, it's working when i remove the Intermediate cert from the picture. Any ideas why i can't verify the while chain? I'm fairly sure the bundle file was okay.

**Strobez** · 08-18-2017

Turns out there was a problem with how the certificates were created. I followed another guide to create RootCA and IntCA, signed the server cert using IntCA, created a bundle using RootCA.crt and IntCA.crt, now it's working as expected.

Thread: SSL Certs won't verify.

Thread Tools

Search Thread

Display

SSL Certs won't verify.

Similar Threads

matrix nxn with verify

How To Get HR and VERIFY

verify EOF

verify input

Tags for this Thread