TLS certificate verification failure
I need to have code which performs 2-way authentication (client and server authenticate each other). My server is a TCP server. I intend to have TLS security added.
https://github.com/ospaarmann/exdgraph/wiki/TLS-client-authentication
I generated the client, server and CA certificates and key files using the link above.
server side code:
#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/* ssl_perror() is called but not shown in the original snippet; this minimal
 * version prints the OpenSSL error queue after a failed call. */
static void ssl_perror(const char *where)
{
    fprintf(stderr, "%s failed:\n", where);
    ERR_print_errors_fp(stderr);
}

SSL_CTX *create_server_ctx(void)
{
    /* create a new SSL context for the server side */
    SSL_CTX *ret = SSL_CTX_new(SSLv23_server_method());
    if (ret == NULL) {
        fprintf(stderr, "SSL_CTX_new failed!\n");
        return NULL;
    }
    /* refuse SSLv2/SSLv3 and TLS compression */
    SSL_CTX_set_options(ret, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);
    /* require a client certificate and fail the handshake if none is offered */
    SSL_CTX_set_verify(ret, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
    /*
     * Trust anchor used to verify the client's certificate.
     * A PEM file belongs in the CAfile argument (second); the third argument
     * is CApath, a directory of c_rehash-style hashed links, not a file.
     */
    if (SSL_CTX_load_verify_locations(ret, "/home/ml5/tls_bio/MyRootCA.pem", NULL) == 0) {
        fprintf(stderr, "Failed to load root certificates\n");
        SSL_CTX_free(ret);
        return NULL;
    }
    /* now give OpenSSL our own certificate chain and private key */
    if (SSL_CTX_use_certificate_chain_file(ret, "MyServer.pem") != 1) {
        ssl_perror("SSL_CTX_use_certificate_chain_file");
        SSL_CTX_free(ret);
        return NULL;
    }
    if (SSL_CTX_use_PrivateKey_file(ret, "MyServer.key", SSL_FILETYPE_PEM) != 1) {
        ssl_perror("SSL_CTX_use_PrivateKey_file");
        SSL_CTX_free(ret);
        return NULL;
    }
    printf("Loaded server certificate and key\n");
    /* Check that the certificate (public key) and private key match. */
    if (SSL_CTX_check_private_key(ret) != 1) {
        fprintf(stderr, "certificate and private key do not match!\n");
        SSL_CTX_free(ret);
        return NULL;
    }
    return ret;
}
client side code:
#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

SSL_CTX *create_client_ctx(void)
{
    SSL_CTX *ret;
    /* create a new SSL context */
    ret = SSL_CTX_new(SSLv23_client_method());
    if (ret == NULL) {
        fprintf(stderr, "SSL_CTX_new failed!\n");
        return NULL;
    }
    /*
     * set our desired options
     *
     * We don't want to talk to old SSLv2 or SSLv3 servers because
     * these protocols have security issues that could lead to the
     * connection being compromised.
     *
     * Return value is the new set of options after adding these
     * (we don't care).
     */
    SSL_CTX_set_options(ret, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);
    /*
     * set up certificate verification
     *
     * We want the verification to fail if the peer doesn't
     * offer any certificate. Otherwise it's easy to impersonate
     * a legitimate server just by offering no certificate.
     *
     * No error checking, not because I'm being sloppy, but because
     * these functions don't return error information.
     */
    SSL_CTX_set_verify(ret, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
    SSL_CTX_set_verify_depth(ret, 4);
    /*
     * Point our context at the root certificates.
     * This may vary depending on your system.
     * A PEM file belongs in the CAfile argument (second); the third argument
     * is CApath, a directory of c_rehash-style hashed links, not a file.
     */
    if (SSL_CTX_load_verify_locations(ret, "/home/ml5/tls_bio_l1/MyRootCA.pem", NULL) == 0) {
        fprintf(stderr, "Failed to load root certificates\n");
        SSL_CTX_free(ret);
        return NULL;
    }
    /*
     * Verification is configured above. Now give OpenSSL our own
     * certificate chain and private key for client authentication.
     */
    if (SSL_CTX_use_certificate_chain_file(ret, "MyClient.pem") != 1) {
        fprintf(stderr, "Failed to load client certificate\n");
        ERR_print_errors_fp(stderr);
        SSL_CTX_free(ret);
        return NULL;
    }
    if (SSL_CTX_use_PrivateKey_file(ret, "MyClient.key", SSL_FILETYPE_PEM) != 1) {
        fprintf(stderr, "Failed to load client private key\n");
        ERR_print_errors_fp(stderr);
        SSL_CTX_free(ret);
        return NULL;
    }
    printf("Loaded client certificate and key\n");
    /*
     * Check that the certificate (public key) and private key match.
     */
    if (SSL_CTX_check_private_key(ret) != 1) {
        fprintf(stderr, "certificate and private key do not match!\n");
        SSL_CTX_free(ret);
        return NULL;
    }
    return ret;
}
I am unsure what is wrong, because when I start the server and the client I get the error shown below on the client side:
BIO_do_connect failed: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
If I have my own verify callback on client and server, of course the 2-way authentication succeeds:
SSL_CTX_set_cert_verify_callback(ctx, always_true_callback, NULL);
But I think that's not how it is to be done. Any help in this regard to solve the error shown above will be greatly appreciated.
Just for those who come in here: the issue was related to how I generated the CA certificate and the client/server certificates. Once I corrected those, it started working.