All geek questions in one place

SSL_CTX_use_PrivateKey_file () error

I am writing a client application in Windows that establishes an SSL connection with a server, and the server requests a client certificate for authentication. The server provides me with a .pfx file, then I use the openssl command-line tool to get the certificate and private key as follows:

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem openssl pkcs12 -in filename.pfx -nocerts -out key.pem

after that I try to download the certificate and private key with functions from openssl, as shown below, but SSL_CTX_use_PrivateKey_file() always fails, error message " error:0906D06C:PEM routines:PEM_read_bio:no start line ", I can’t understand why, can someone give me some enlightenment? Here is the code.

 #include "openssl/ssl.h" #include "openssl/err.h" #include <stdio.h> #include <string> int InitClientCtx() { OpenSSL_add_ssl_algorithms(); SSL_CTX* m_pClientCtx; m_pClientCtx = SSL_CTX_new(SSLv23_method()); if(!m_pClientCtx) { return -1; } ::SSL_CTX_set_options(m_pClientCtx, SSL_OP_ALL); //for well-known bugs int nRet = 0; std::string sCertFilePath = "C:\\cert.pem"; nRet = SSL_CTX_use_certificate_chain_file(m_pClientCtx, sCertFilePath.c_str()); std::string sKeyPassWord = "123456"; SSL_CTX_set_default_passwd_cb_userdata(m_pClientCtx, (void*)(sKeyPassWord.c_str())); std::string sKeyFilePath = "C:\\key.pem"; // this method returned 0, which means it failed. nRet = SSL_CTX_use_PrivateKey_file(m_pClientCtx, sKeyFilePath.c_str(), SSL_FILETYPE_PEM); SSL_load_error_strings(); unsigned long n = ERR_get_error(); char buf[1024]; printf("%s\n", ERR_error_string(n, buf)); nRet = SSL_CTX_check_private_key(m_pClientCtx); if (nRet <= 0) { return -1; } /*std::string sCACertFilePath; nRet = SSL_CTX_load_verify_locations(m_pClientCtx, sCACertFilePath.c_str(), NULL);*/ return 0; } int main() { InitClientCtx(); return 0; };
+10
source share
5 answers

I myself have solved this problem. I generated key.pem using OpenSSL for Windows, when CMD prompts me to enter a missing phrase, I just typed Enter because I did not need a pass phrase, but key.pem was invalid (neither BEGIN and END ). When I generate the private key in Linux, the terminal prompts I have to enter the passphrase, and I do it. Then I delete the key transfer phrase with this command:

openssl rsa -in key.pem -out newkey.pem

After that I open key.pem in a text editor, it starts with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY----- . And SSL_CTX_use_PrivateKey_file () just works great!

+4
source

In my case, the error was that the PEM file did not contain either a key or a certificate.

Make sure the file contains both sections:

 -----BEGIN PRIVATE KEY----- jhajk838383jks..... -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- yoe55wjcxnshre..... -----END CERTIFICATE KEY-----

I .key and .crt files that I already had in my Apache configuration to create a .pem file.

The "no start line" error is certainly misleading, as you can have a great "BEGIN" line in your PEM file and still get the error.

+11
source

The error:0906D06C:PEM routines:PEM_read_bio:no start line is that in the cert.pem file and in the key.pem do not start with -----BEGIN CERTIFICATE----- and -----BEGIN ENCRYPTED PRIVATE KEY----- .

If you open your cert.pem and key.pem file in a text editor and drop everything before the BEGIN markers, you should be good.

When you create a certificate and a key pair using the Certificate Signing Request , you will not receive this additional information.

+5
source

There is an example client in the openssl demo / openssl directory.

Edit:

 meth = SSLv2_client_method();

in your case:

 meth = SSLv23_client_method();

Try this example and see where it does not work.

Are you sure the password for the key is 123456?

0
source

I had the same problem in NGINX when installing an SSL certificate, and I solved it as follows:

  • Go to the folder where you have the certificate and pem files.
  • Open the ca-bundle.crt and copy everything, sudo nano your fileName select everything and copy. file looks like

----- BEGIN CERTIFICATE ----- MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjbB ...

----- END CERTIFICATE -----

----- BEGIN CertifyCate

----- END CERTIFICATE -----

--- BEGIN CERTIFICATE

  • Open the pem file using sudo nano your fileName.pem
  • You will see a code similar to

----- BEGIN CERTIFICATE ----- MIIGLzCCBRegAwIBAgIIWI4ndTQi3MwwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV MAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB / wQEAwIF oDA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkaWcy

----- END CERTIFICATE -----

  • After -----END CERTIFICATE----- paste all the code copied from the ca-bundle.crt file and save it
  • Restart the Nginx server with the following sudo service nginx restart command

The above steps helped me in my Nginx and SSL configuration

0
source

Source: https://habr.com/ru/post/954676/

More articles:


All Articles