
TLS certificate verification failure

I need to have code which performs 2-way authentication (client and server authenticate each other). My server is a TCP server. I intend to have TLS security added.

https://github.com/ospaarmann/exdgraph/wiki/TLS-client-authentication I generated the client, server and CA certificates and key files using the link above.

Server side code:

    #include <stdio.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>

    /* Helper referenced by the post but not shown there: report the OpenSSL error queue. */
    static void ssl_perror(const char *where)
    {
        fprintf(stderr, "%s failed\n", where);
        ERR_print_errors_fp(stderr);
    }

    static SSL_CTX *create_server_ctx(void)
    {
        SSL_CTX *ret = SSL_CTX_new(SSLv23_server_method());
        if (ret == NULL) {
            ssl_perror("SSL_CTX_new");
            return NULL;
        }

        /* Refuse the legacy protocols and TLS compression. */
        SSL_CTX_set_options(
            ret,
            SSL_OP_NO_SSLv2 |
            SSL_OP_NO_SSLv3 |
            SSL_OP_NO_COMPRESSION
        );

        /* Require a client certificate and verify it against our CA. */
        SSL_CTX_set_verify(
            ret,
            SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
            NULL
        );

        /*
         * The second argument is a CA bundle file, the third a hashed
         * directory; a single PEM file belongs in the second slot.
         */
        if (SSL_CTX_load_verify_locations(ret, "/home/ml5/tls_bio/MyRootCA.pem", NULL) == 0) {
            fprintf(stderr, "Failed to load root certificates\n");
            SSL_CTX_free(ret);
            return NULL;
        }

        /* Give OpenSSL our own certificate chain and private key. */
        if (SSL_CTX_use_certificate_chain_file(ret, "MyServer.pem") != 1) {
            ssl_perror("SSL_CTX_use_certificate_chain_file");
            SSL_CTX_free(ret);
            return NULL;
        }

        if (SSL_CTX_use_PrivateKey_file(ret, "MyServer.key", SSL_FILETYPE_PEM) != 1) {
            ssl_perror("SSL_CTX_use_PrivateKey_file");
            SSL_CTX_free(ret);
            return NULL;
        }

        printf("Loaded root certificates\n");

        /* Check that the certificate (public key) and private key match. */
        if (SSL_CTX_check_private_key(ret) != 1) {
            fprintf(stderr, "certificate and private key do not match!\n");
            SSL_CTX_free(ret);
            return NULL;
        }

        return ret;
    }

Client side code:

    #include <stdio.h>
    #include <openssl/ssl.h>

    static SSL_CTX *create_client_ctx(void)
    {
        SSL_CTX *ret;

        /* create a new SSL context */
        ret = SSL_CTX_new(SSLv23_client_method());

        if (ret == NULL) {
            fprintf(stderr, "SSL_CTX_new failed!\n");
            return NULL;
        }

        /*
         * set our desired options
         *
         * We don't want to talk to old SSLv2 or SSLv3 servers because
         * these protocols have security issues that could lead to the
         * connection being compromised.
         *
         * Return value is the new set of options after adding these
         * (we don't care).
         */
        SSL_CTX_set_options(
            ret,
            SSL_OP_NO_SSLv2 |
            SSL_OP_NO_SSLv3 |
            SSL_OP_NO_COMPRESSION
        );

        /*
         * set up certificate verification
         *
         * We want the verification to fail if the peer doesn't
         * offer any certificate. Otherwise it's easy to impersonate
         * a legitimate server just by offering no certificate.
         *
         * No error checking, not because I'm being sloppy, but because
         * these functions don't return error information.
         */
        SSL_CTX_set_verify(
            ret,
            SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
            NULL
        );
        SSL_CTX_set_verify_depth(ret, 4);

        /*
         * Point our context at the root certificates.
         * The second argument is a CA bundle file, the third a hashed
         * directory; a single PEM file belongs in the second slot.
         * The path may vary depending on your system.
         */
        if (SSL_CTX_load_verify_locations(ret, "/home/ml5/tls_bio_l1/MyRootCA.pem", NULL) == 0) {
            fprintf(stderr, "Failed to load root certificates\n");
            SSL_CTX_free(ret);
            return NULL;
        }

        /*
         * Give OpenSSL our own certificate chain and private key so the
         * server can authenticate us in turn.
         */
        if (SSL_CTX_use_certificate_chain_file(ret, "MyClient.pem") != 1) {
            fprintf(stderr, "SSL_CTX_use_certificate_chain_file failed\n");
            SSL_CTX_free(ret);
            return NULL;
        }

        if (SSL_CTX_use_PrivateKey_file(ret, "MyClient.key", SSL_FILETYPE_PEM) != 1) {
            fprintf(stderr, "SSL_CTX_use_PrivateKey_file failed\n");
            SSL_CTX_free(ret);
            return NULL;
        }

        printf("Loaded root certificates\n");

        /* Check that the certificate (public key) and private key match. */
        if (SSL_CTX_check_private_key(ret) != 1) {
            fprintf(stderr, "certificate and private key do not match!\n");
            SSL_CTX_free(ret);
            return NULL;
        }

        return ret;
    }

I am unsure what is wrong, because when I start the server and the client I get the error shown below on the client side:

    BIO_do_connect failed: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

If I have my own verify callback on the client and server, of course the 2-way authentication succeeds:

    SSL_CTX_set_cert_verify_callback(ctx, always_true_callback, NULL);

But I think that's not how it is to be done. Any help in solving the error shown above will be greatly appreciated.

Just for those who come in here: the issue was related to how I generated the CA certificate and the client/server certificates. Once I corrected those, it started working.
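As an added example that is not part of the original post: a shell script that builds a constructed root CA plus server and client certificates and then runs the same chain check offline with `openssl verify`, which prints the exact X509 reason where the handshake only reports "certificate verify failed". The file names mirror the post; the subjects, directories and the minimal req config are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: build a constructed root CA
# plus server and client certificates, then check each leaf against the CA with
# `openssl verify` to see the specific X509 reason. Needs the openssl CLI.
set -u
# Minimal req config so the run does not depend on the system openssl.cnf.
# The v3_ca section carries the one extension a root must have: CA:TRUE.
write_cnf() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}
# Self-signed root CA in directory $1.
mk_ca() {
    write_cnf "$1" && openssl req -x509 -config "$1/req.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Root CA" \
        -keyout "$1/MyRootCA.key" -out "$1/MyRootCA.pem" 2>/dev/null
}
# Leaf certificate named $2 with CN $3, issued by the CA in directory $1.
mk_leaf() {
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/MyRootCA.pem" \
        -CAkey "$1/MyRootCA.key" -CAcreateserial -out "$1/$2.pem" 2>/dev/null
}
# Offline version of the check SSL_VERIFY_PEER performs against the file given
# to SSL_CTX_load_verify_locations: exit 0 if leaf $2 chains to CA file $1.
check_chain() {
    openssl verify -CAfile "$1" "$2"
}
# Returns 0 only if both leaves verify against their own CA and the server
# certificate is rejected by an unrelated CA, one common cause of the failure.
demo() {
    work=$(mktemp -d) && other=$(mktemp -d) || return 1
    mk_ca "$work" && mk_leaf "$work" MyServer server.example &&
        mk_leaf "$work" MyClient client.example && mk_ca "$other" || return 2
    check_chain "$work/MyRootCA.pem" "$work/MyServer.pem" || return 3
    check_chain "$work/MyRootCA.pem" "$work/MyClient.pem" || return 4
    # Wrong CA file: verify reports "unable to get local issuer certificate".
    if check_chain "$other/MyRootCA.pem" "$work/MyServer.pem" 2>/dev/null; then return 5; fi
    rm -rf "$work" "$other"
}
```

Running this check on the real MyRootCA.pem, MyServer.pem and MyClient.pem before starting the programs shows whether the certificates chain at all, so verification can stay strict instead of being bypassed with an always-true callback.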
