SSL_connect () invokes certificate verification

I am currently porting some existing code that used the RSA Security libraries to OpenSSL, but I am starting to run into several problems. Currently, all of the certificate verification code works without failures until I call SSL_connect().

Prior to this, calling SSL_connect() would produce SSL_ERROR_WANT_READ.

The answer to this question in another forum suggested that SSL_connect() should be called repeatedly until it stops returning SSL_ERROR_WANT_READ. Unfortunately, this only produces something more confusing:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

even though SSL_CTX_load_verify_locations() completed successfully. Does anyone know why a validation error is not reported by the certificate methods and instead waits until SSL_connect() is called?

+3
1 answer

Usually this error means that the server certificate received by your client in response to SSL_connect() cannot be verified.

This can happen for various reasons:

  • If the server certificate is self-signed, you must authorize it in the SSL_CONTEXT.
  • If the server certificate was signed by a certification authority that is not in the list of trusted CA certificates.
  • If the server certificate is not yet valid or is no longer valid.


, , SSL_get_error(), , .



SSL Socket, :

// ctx is a SSL_CONTEXT (a wrapper around an OpenSSL SSL_CTX*)
// internalCertificateVerificationCallback is a callback static method (or function)
// setVerify() is the wrapper's equivalent of SSL_CTX_set_verify(ssl_ctx, mode, callback):
// the mode makes the handshake fail if the peer sends no certificate or if it cannot be verified.
ctx->setVerify(SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, internalCertificateVerificationCallback);

internalCertificateVerificationCallback:

#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

// Called by OpenSSL once per certificate in the chain during the handshake.
int SecureSocket::internalCertificateVerificationCallback(int preverify_ok, X509_STORE_CTX* x509_ctx)
{
  // preverify_ok contains 1 if the pre-verification succeeded, 0 otherwise.
  // X509_STORE_CTX_get_error(x509_ctx) gives the reason when preverify_ok is 0;
  // returning preverify_ok would keep OpenSSL's verdict.

  return 1; // This accepts every certificate
}
+4
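As an added example that is not part of the original answer: Ruby's bundled openssl extension exposes the same verify modes and the same (preverify_ok, store_ctx) callback as the C API, so the behaviour the question describes can be reproduced in-process. The code below generates a constructed self-signed server certificate, runs a real TLS handshake over a Unix socket pair, retries the non-blocking connect on WANT_READ/WANT_WRITE exactly as SSL_connect() requires, and records what the verify callback sees. With an empty trust store the handshake fails with "certificate verify failed" and the callback reports the self-signed-certificate error; once the certificate is added to the store the same handshake succeeds. Names such as run_handshake and verifying_client_context are this example's own, and the callback returns preverify_ok rather than an unconditional 1.

```ruby
require "openssl"
require "socket"

# Constructed test material: a fresh self-signed server certificate on each run.
def make_self_signed_cert(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                              # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject                   # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# The retry loop a non-blocking SSL_connect() needs: keep calling it until it
# either completes or raises a real error (WaitReadable/WaitWritable are the
# Ruby faces of SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE).
def handshake_nonblocking(ssl)
  loop do
    begin
      ssl.connect_nonblock
      return :ok
    rescue IO::WaitReadable
      IO.select([ssl.to_io])
    rescue IO::WaitWritable
      IO.select(nil, [ssl.to_io])
    end
  end
end

# Client context with VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, an explicit
# trust store, and a callback that records OpenSSL's decision per chain depth
# and returns it unchanged (returning true unconditionally would disable checks).
def verifying_client_context(trusted_certs, log)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  store = OpenSSL::X509::Store.new                 # empty until we add something
  trusted_certs.each { |c| store.add_cert(c) }
  ctx.cert_store = store
  ctx.verify_callback = lambda do |preverify_ok, store_ctx|
    log << { depth:   store_ctx.error_depth,
             code:    store_ctx.error,             # X509_V_OK or an X509_V_ERR_* code
             reason:  store_ctx.error_string,
             subject: store_ctx.current_cert&.subject&.to_s }
    preverify_ok
  end
  ctx
end

# Runs one handshake between an in-process server and a verifying client.
# trust_server_cert selects whether the server's cert is in the client store.
def run_handshake(trust_server_cert)
  server_cert, server_key = make_self_signed_cert("example.test")
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = server_cert
  server_ctx.key  = server_key

  client_io, server_io = UNIXSocket.pair
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(server_io, server_ctx)
    begin
      ssl.accept                                   # fails with a TLS alert if the client rejects the cert
    rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
      nil
    end
  end

  log    = []
  client = OpenSSL::SSL::SSLSocket.new(client_io,
             verifying_client_context(trust_server_cert ? [server_cert] : [], log))
  outcome = begin
    handshake_nonblocking(client)
  rescue OpenSSL::SSL::SSLError => e
    e.message                                      # contains "certificate verify failed"
  end
  # verify_result is SSL_get_verify_result(): the X509 code of the last verification.
  { outcome: outcome, verify_result: client.verify_result, verify_log: log }
ensure
  client_io&.close
  server_io&.close
  server&.join
end

if __FILE__ == $0
  puts "untrusted: #{run_handshake(false).inspect}"
  puts "trusted:   #{run_handshake(true).inspect}"
end
```

The point to notice is where the failure surfaces: SSL_CTX_load_verify_locations() and the store setup only say what will be trusted; the verdict is produced inside the handshake, which is why it appears only after the connect loop has run to completion. Logging store_ctx.error and error_depth in the callback, and checking verify_result after the handshake, gives the diagnostics the bare "certificate verify failed" string lacks.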

Source: https://habr.com/ru/post/1755708/
