I'm trying to establish an SSL connection using OpenSSL from my embedded Linux device to a server with a self-signed certificate. This is my code:
    /* Headers this fragment depends on */
    #include <openssl/bio.h>
    #include <openssl/err.h>
    #include <openssl/ssl.h>
    #include <openssl/x509.h>
    #include <QString>

    /* Set up the library */
    ERR_load_BIO_strings();
    SSL_load_error_strings();
    OpenSSL_add_all_algorithms();

    /* Set up the SSL context */
    m_ctx = SSL_CTX_new(TLSv1_method());

    /* Load the trust store: the server's self-signed certificate is the only anchor */
    if (!SSL_CTX_load_verify_locations(m_ctx, "../certificate.pem", NULL))
    {
        fprintf(stderr, "Error loading trust store\n");
        ERR_print_errors_fp(stderr);
        SSL_CTX_free(m_ctx);
        return FALSE;
    }

    /* Setup the connection */
    m_bio = BIO_new_ssl_connect(m_ctx);

    /* Set the SSL_MODE_AUTO_RETRY flag */
    BIO_get_ssl(m_bio, &m_ssl);
    SSL_set_mode(m_ssl, SSL_MODE_AUTO_RETRY);

    /* Create and setup the connection as "host:port" (toAscii() is Qt 4; Qt 5 uses toLatin1()) */
    BIO_set_conn_hostname(m_bio, (QString(serverAddress) + ":" + QString::number(serverPort)).toAscii().constData());
    if (BIO_do_connect(m_bio) <= 0)
    {
        fprintf(stderr, "Error attempting to connect\n");
        ERR_print_errors_fp(stderr);
        BIO_free_all(m_bio);
        SSL_CTX_free(m_ctx);
        IsConnected = false;
        return FALSE;
    }

    /* Fetch the peer certificate; the X509 returned is reference-counted and must be freed */
    X509 *peerCert = SSL_get_peer_certificate(m_ssl);
    if (peerCert == NULL)
    {
        fprintf(stderr, "No certificate presented by peer\n");
        BIO_free_all(m_bio);
        SSL_CTX_free(m_ctx);
        return FALSE;
    }
    X509_free(peerCert);

    /* Check the certificate: this is the chain/validity result only; it does not check that
       the certificate's name matches serverAddress */
    long verifyResult = SSL_get_verify_result(m_ssl);
    if (verifyResult != X509_V_OK)
    {
        fprintf(stderr, "Certificate verification error: %ld (%s)\n",
                verifyResult, X509_verify_cert_error_string(verifyResult));
        BIO_free_all(m_bio);
        SSL_CTX_free(m_ctx);
        return FALSE;
    }
The code above successfully connects to the server, but the SSL_get_verify_result function returns error 18, which means:

    18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
    the passed certificate is self-signed and the same certificate cannot
    be found in the list of trusted
Also, I can check the server via web browsers and connect to the server with the OpenSSL command line on my embedded Linux device:

    openssl s_client -connect hostIP:443 -tls1
Both connect and display content successfully, and I'm completely mixed up as to why SSL_get_verify_result does not verify, while the web browser and the OpenSSL command line are OK.

Also, how come the web browser and OpenSSL from the command line do not require loading a certificate file (I guess they receive it), while in my code I am required to supply the certificate file via

    SSL_CTX_load_verify_locations(m_ctx, "../certificate.pem", NULL)

Also, I exported the host's certificate file from Firefox and fed my code with this file, but SAME RESULT! How does Firefox work with this file while my code is unable to?
EDIT: The problem was because of differences in the time settings of the server and the client. Actually the server's time setting was the client's date + 1, so when the server created the certificate, its beginOn parameter was set to 3,5,2018 while the client's date was 3,4,2018. Actually the openssl command line did display some error about this, but I did not care about it. But I have no idea why Firefox completely ignores beginOn and works fine, and also why SSL_get_verify_result did not return the correct error code. Thank you all for your guidance.
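The two failure modes discussed in this question (no trust anchor for the self-signed certificate, and a client clock that is behind the certificate's notBefore) can be reproduced offline with the openssl command line, which reports the same X509_V_* codes that SSL_get_verify_result() returns. The script below is an added example, not the asker's code; it assumes an `openssl` binary (1.1.0 or later) on PATH and generates its own throwaway certificate in a temporary directory, so nothing needs to be downloaded from a server. The `-attime` option stands in for a mis-set client clock.

```shell
#!/bin/sh
# Added example (not the asker's code): reproduce the verification failures
# discussed above with the openssl CLI and map them to numeric X509_V_* codes.
# Assumes `openssl` (1.1.0+) is on PATH; all test material is constructed here.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/cert.pem"
KEY="$WORK/key.pem"

# Constructed test material: a self-signed certificate whose notBefore is
# "now" on this machine, valid for 30 days (the role of the server's cert).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" \
    -days 30 -subj "/CN=embedded-test" >/dev/null 2>&1

# verify_code CERT TRUSTFILE ATTIME
# Prints the X509_V_* error code that openssl assigns to CERT when it is
# verified against TRUSTFILE ("" = no trust anchor) at epoch time ATTIME,
# or 0 when the chain verifies cleanly.
verify_code() {
    cert="$1"; trust="$2"; attime="$3"
    if [ -n "$trust" ]; then
        set -- -CAfile "$trust"
    else
        set -- -no-CAfile -no-CApath
    fi
    if out=$(openssl verify "$@" -attime "$attime" "$cert" 2>&1); then
        echo 0
    else
        # verify(1) reports failures as "error <code> at <depth> depth lookup: ..."
        printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at 0 depth.*/\1/p' | head -n 1
    fi
}

NOW=$(date +%s)
ONE_DAY_AGO=$((NOW - 86400))

# 1. Trust anchor loaded, clock correct: 0 (X509_V_OK)
echo "trusted, clock correct: $(verify_code "$CERT" "$CERT" "$NOW")"
# 2. Trust anchor loaded, client clock one day behind the issuer: 9
#    (X509_V_ERR_CERT_NOT_YET_VALID), the situation described in the EDIT
echo "trusted, clock behind:  $(verify_code "$CERT" "$CERT" "$ONE_DAY_AGO")"
# 3. No trust anchor at all: 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
echo "untrusted:              $(verify_code "$CERT" "" "$NOW")"
```

Run it as `sh verify-codes.sh`. The numbers printed are the same values SSL_get_verify_result() hands back, and X509_verify_cert_error_string() turns them into the text that `openssl verify` shows, so logging both in the client makes a clock-skew failure distinguishable from a missing trust anchor. The right fix for case 2 is to get the device clock synchronised (NTP, or a hardware RTC) rather than to relax verification, because a client that ignores the validity period also accepts long-expired certificates.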