SSL_connect() produces certificate verify failure_问答_开发者

SSL_connect() produces certificate verify failure

开发者 https://www.devze.com 2023-01-08 18:08 出处：网络

I\'m currently rewriting some existing technologies that were once using RSA Security\'s libraries into OpenSSL, but I\'m starting to run into a few issues.Currently, all of the certificate verifi开发

I'm currently rewriting some existing technologies that were once using RSA Security's libraries into OpenSSL, but I'm starting to run into a few issues. Currently, all of the certificate verifi开发者_运维百科cation code appears to be running without a hitch, until that is, I call SSL_connect().

Before, the call to SSL_connect() would produce SSL_ERROR_WANT_READ.

An answer to this issue on another forum suggested to me that SSL_connect() should be called until it stops producing SSL_ERROR_WANT_READ errors. Unforunately, this only produces something more confusing:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

even though SSL_CTX_load_verify_locations() succeeds. Does anyone have any idea as to why a verification error wouldn't register with certificate methods and wait until SSL_connect() is triggered?

Usually this error means that the server certificate your client received in response to SSL_connect() couldn't be verified.

This can happen for different reasons:

If the server certificate is self-signed, you'll have to authorize that on your SSL_CONTEXT.
If the server certificate was signed by a certificate authority that is not in the list of trusted CA certificates
If the server certificate is not valid yet or not valid anymore

Actually, you should set a callback for certificate verification and make it accept any certificate, so you can focus on the connection part. Once it works, just tweak your callback or check your certificates to be valid.

At any time you get a failure, you can call some SSL_get_error() function that will indicate you why the certificate was rejected.

(Unfortunately, I can't access my code base right now, so I cannot give concrete examples)

Here are some code samples from my own SSL Socket wrapper class, adapted for you:

// ctx is a SSL_CONTEXT
// internalCertificateVerificationCallback is a callback static method (or function)
ctx->setVerify(SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, internalCertificateVerificationCallback);

Here is the definition for internalCertificateVerificationCallback:

int SecureSocket::internalCertificateVerificationCallback(int preverify_ok, X509_STORE_CTX* x509_ctx)
{
  //preverify_ok contains 1 if the pre-verification succeeded, 0 otherwise.

  return 1; // This accepts every certificate
}