21

I'm trying to run the SSL examples from boost::asio and I'm getting an "Invalid argument" exception when I run them. I'm on Linux x86_64.

http://www.boost.org/doc/libs/1_46_1/doc/html/boost_asio/example/ssl/client.cpp

http://www.boost.org/doc/libs/1_46_1/doc/html/boost_asio/example/ssl/server.cpp

Compiled with:

g++ server.cpp -o server -lboost_system -lssl
g++ client.cpp -o client -lboost_system -lssl

Run like:

$ ./server 
Usage: server <port>
$ ./server 10000
Exception: Invalid argument
$ ./server 1000
Exception: Permission denied
$ sudo ./server 1000
Exception: Invalid argument

Not sure what the problem is :( Any help would be greatly appreciated.

Thanks!

NmdMystery
  • 2,778
  • 3
  • 32
  • 60
Shootfast
  • 1,918
  • 2
  • 17
  • 27

3 Answers3

49

OK, for anyone finding this in the future, you need to create your certificates and sign them appropriately. Here are the commands for linux:

//Generate a private key

openssl genrsa -des3 -out server.key 1024

//Generate Certificate signing request

openssl req -new -key server.key -out server.csr

//Sign certificate with private key

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

//Remove password requirement (needed for example)

cp server.key server.key.secure
openssl rsa -in server.key.secure -out server.key

//Generate dhparam file

openssl dhparam -out dh512.pem 512

Once you've done that, you need to change the filenames in server.cpp and client.cpp.

server.cpp

context_.use_certificate_chain_file("server.crt"); 
context_.use_private_key_file("server.key", boost::asio::ssl::context::pem);
context_.use_tmp_dh_file("dh512.pem");

client.cpp

ctx.load_verify_file("server.crt");

Then it should all work!

Shootfast
  • 1,918
  • 2
  • 17
  • 27
  • 1
    Works perfeclty, -des3 option can be ommited, so we do noet need removing password. All files are in pem format so we can create single server.pem file by combining server.crt server.key and dh512.pem. – Fantastory Oct 15 '12 at 18:41
  • By the way, in the step "Generate Certificate signing request" some questions are asked. From http://panoptic.com/wiki/aolserver/How_to_generate_self-signed_SSL_certificates I was able to know that the only required information is "Common Name" which must match the hostname. – Tarc May 08 '14 at 10:11
  • 5
    I leave this comment, because someone will face an error message like me. ( Handshake failed: asio.ssl:336077172 ). this means ( Handshake failed: dh key too small ). you can check this message in error.message(); and it's because of dh512.pem. 512 bit is too small. recently the limitation is changed, we should use over 512 bit. > openssl dhparam -out dh1024.pem 1024 – JungJik Lee Jul 16 '15 at 01:36
3

Execute the tests again with strace to see which syscall gets the EINVAL, as a bonus you'll get to see the args for the failing call. It's likely part of the security context setup that's failing, unless you have the right files and data from the example:

context_.use_certificate_chain_file("server.pem");
context_.use_private_key_file("server.pem", boost::asio::ssl::context::pem);
context_.use_tmp_dh_file("dh512.pem");

You were getting EPERM because you were trying to bind to a privileged TCP port (one whose value is less than 1024). That's why ./server 10000 does not get EPERM.

Brian Cain
  • 14,403
  • 3
  • 50
  • 88
  • Thanks for the reply, There are no EPERM errors in the strace output, however there is: `open("server.pem", O_RDONLY) = -1 ENOENT (No such file or directory)` right before the exception printing. Googling further I think I may have to create some SSL certificates. Which makes sense :P Thanks for the strace tip, I always forget about it! – Shootfast Nov 08 '11 at 06:37
0

When following the answer of @Shootfast an error appered: 'bad SSL configuration: use_certificate_chain_file: ee key too small'

Changing the first line:

openssl genrsa -des3 -out server.key 1024

to:

openssl genrsa -des3 -out server.key 2048

fixed it for me.

After that I got the error: 'bad SSL configuration: use_private_key_file: no start line' the reason and solution to this is explained here: solution (It is more or less the reason for the last command of @Shootfast answer.)

LC117
  • 426
  • 4
  • 12