5

I am trying to load a CA certificate from memory instead of from a file. But I keep getting a handshake error while connecting. The file loading works perfectly, memory loading fails. What am I missing?

#include <boost/asio.hpp>
#include <boost/asio/ssl.hpp>
#include <fstream>
#include <iterator>
#include <vector>

// Read the PEM-encoded CA certificate into memory.
std::ifstream file("message_server_ca.crt");
std::vector<char> fileContents((std::istreambuf_iterator<char>(file)), std::istreambuf_iterator<char>());
boost::asio::const_buffer buffer(&fileContents.at(0), fileContents.size());  // throws if the file was empty

bool useFile = false;  // switch between file and memory loading.
boost::asio::ssl::context ctx(io_service, boost::asio::ssl::context::sslv23);
ctx.set_verify_mode(boost::asio::ssl::context::verify_peer);

if(useFile)
{
    // This works perfectly!
    ctx.load_verify_file("message_server_ca.crt");
}
else
{
    // This fails the handshake (asio.ssl:336134278)
    ctx.use_certificate(buffer, boost::asio::ssl::context_base::pem);
}

// `client` and `iterator` are defined elsewhere in the program.
client c(io_service, ctx, iterator);
io_service.run();
Sharath
  • You are using two different functions. `load_verify_file` vs. `use_certificate`. It should be `use_certificate` vs. `use_certificate_file`. – Stephan Dollberg Mar 13 '14 at 07:31
  • use_certificate_file doesn't work either. So I used load_verify_file which works. – Sharath Mar 13 '14 at 07:48
  • I saw in other threads about use_private_key_file method. But this is a SSL client and I don't specify private key while using load_verify_file method. – Sharath Mar 13 '14 at 07:57
  • use the error code version of [`use_certificate`](http://www.boost.org/doc/libs/1_54_0/doc/html/boost_asio/reference/ssl__context/use_certificate/overload2.html) and find the error description. – jfly Mar 13 '14 at 09:34
  • I have tried that too, it doesn't give any error there. The error happen during handshake, when I call socket_.lowest_layer().async_connect() function. – Sharath Mar 13 '14 at 09:42
  • Just edited the problem to mention I am talking about CA certificate. – Sharath Mar 13 '14 at 10:49
  • This can be done with pure openssl api but I never used the boost wrapper. If you are using `SSL_CTX_use_certificate()` with a **self signed** ca cert then you probably get a `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY` error. When I use a self signed cert (or certs) in my ca bundle then I create my `X509` objects (can do that from memory) and I use one of the following function call combinations: 1.) `X509_STORE_new()` `X509_STORE_add_cert()` `SSL_CTX_set_cert_store()` 2.) `SSL_CTX_get_cert_store()` `X509_STORE_add_cert()`. Try searching for these in the source of the boost implementation. – pasztorpisti Mar 13 '14 at 12:33

1 Answer

3

It appears that you want add_certificate_authority():

This function is used to add one trusted certification authority from a memory buffer.

use_certificate() and use_certificate_file() are for the server or client certificate presented in the handshake, i.e. not the CA used to test those certificates.

These functions (load_verify_file() and add_certificate_authority()) are not consistently named. I guess it is because the memory buffer versions were added relatively recently.

rhashimoto