ssl - Can't get self-signed certificate to work in my app but works with s_client


I am working through the example apps in the "networking security openssl" book, and until now I have been able to get client/server examples 1, 2, 3 to work. Now I'm trying to connect to an in-house tool, but I'm getting the error "error 18:self signed certificate". Despite this error when I run my app (essentially client3), when I use s_client with the same credentials... it works.

I suspect it has something to do with the SSL/TLS API combination I use in my 'client3' app.

Here's the command and output from s_client when it connects to the in-house tool, which works:

    ~/tls/client$ openssl s_client -connect 192.168.1.99:16001 -CAfile ../_security/sipinspector/certificate.pem -key ../_security/client.pem
    enter pass phrase ../_security/client.pem:
    connected(00000003)
    depth=0 c = ca, st = ontario, l = ottawa, o = sip inspector ltd, ou = development, cn = 192.168.1.99
    verify return:1
    ---
    certificate chain
     0 s:/c=ca/st=ontario/l=ottawa/o=sip inspector ltd/ou=development/cn=192.168.1.99
       i:/c=ca/st=ontario/l=ottawa/o=sip inspector ltd/ou=development/cn=192.168.1.99
    ---
    server certificate
    -----begin certificate-----
    ...
    -----end certificate-----
    subject=/c=ca/st=ontario/l=ottawa/o=sip inspector ltd/ou=development/cn=192.168.1.99
    issuer=/c=ca/st=ontario/l=ottawa/o=sip inspector ltd/ou=development/cn=192.168.1.99
    ---
    no client certificate ca names sent
    ---
    ssl handshake has read 2309 bytes , written 509 bytes
    ---
    new, tlsv1/sslv3, cipher ecdhe-rsa-des-cbc3-sha
    server public key 4096 bit
    secure renegotiation supported
    compression: none
    expansion: none
    ssl-session:
        protocol  : tlsv1.2
        cipher    : ecdhe-rsa-des-cbc3-sha
        session-id: 5755c781d91cf3177df624ea3599ee430dab4790f325fad9378feae7731c4497
        session-id-ctx:
        master-key: d149008e43e29d658d29418c9f770b3d6018b1d7ca2f493027b0ac7c3ba8e53b572b68c371153568b8988a1e5f351839
        key-arg   : none
        psk identity: none
        psk identity hint: none
        srp username: none
        start time: 1465239425
        timeout   : 300 (sec)
        verify return code: 0 (ok)
    ---

Here's the command and output when I run my app, which tries to connect to the same in-house tool and fails:

    carl@ubuntu:~/tls/client$ ./client3 192.168.1.99
    enter pem pass phrase:
    connecting 192.168.1.99:16001
    -error certificate @ depth: 0
       issuer   = /c=ca/st=ontario/l=ottawa/o=sip inspector ltd/ou=development/cn=192.168.1.99
       subject  = /c=ca/st=ontario/l=ottawa/o=sip inspector ltd/ou=development/cn=192.168.1.99
       err 18:self signed certificate
    ** client3.c:94 error connecting ssl object
    139788992993088:error:14090086:ssl routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1180:
    carl@ubuntu:~/tls/client$

Here are the API calls in my app, which utilize the same credentials used in the s_client command:

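    #include <openssl/ssl.h>

    SSL_CTX *ctx = SSL_CTX_new(SSLv23_method());
    /* trust anchor: the same file passed to s_client with -CAfile */
    SSL_CTX_load_verify_locations(ctx, "../_security/sipinspector/certificate.pem", NULL);
    /* client private key: the same file passed to s_client with -key */
    SSL_CTX_use_PrivateKey_file(ctx, "../_security/client.pem", SSL_FILETYPE_PEM);
    /* verify the server certificate; verify_callback reports failures */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
    SSL_CTX_set_verify_depth(ctx, 4);
    SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);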

I also used the openssl verify command to double check the certificate against (not sure if anything).

Any help appreciated.

Problem solved. It turned out the certificate check routine was checking against incorrect information in the received certificate.
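
Error 18 is a chain-trust result, while checking the certificate's identity fields is a separate step; both can be reproduced offline with the openssl command line. This is an added example, not part of the original post: it uses a throwaway certificate with constructed file names, borrows only the 192.168.1.99 value from the post, and assumes OpenSSL 1.1.1 or later for `-addext`. The `-verify_ip` check is an illustration of an identity check, not the poster's own check routine.

```shell
#!/bin/sh
# Added example: constructed throwaway certificates, not the poster's files.

# make_cert DIR [SAN]: self-signed cert with CN=192.168.1.99 and optional SAN.
make_cert() {
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=192.168.1.99" -addext "subjectAltName=$2" \
            -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=192.168.1.99" \
            -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    fi
}

# verify_result ARGS...: run `openssl verify` and print the first X.509
# error number it reports, or "ok" when the certificate verifies.
verify_result() {
    out=$(openssl verify "$@" 2>&1) || true
    code=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        echo "$code"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then
        echo ok
    else
        echo unknown
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    c="$d/cert.pem"
    make_cert "$d"
    # Chain trust: untrusted self-signed leaf, then the same cert as anchor.
    echo "no trust anchor:      $(verify_result "$c")"
    echo "cert as trust anchor: $(verify_result -CAfile "$c" "$c")"
    # Identity: an IP check looks at subjectAltName, not at the CN.
    echo "CN only, IP check:    $(verify_result -CAfile "$c" -verify_ip 192.168.1.99 "$c")"
    make_cert "$d" "IP:192.168.1.99"
    echo "IP SAN, IP check:     $(verify_result -CAfile "$c" -verify_ip 192.168.1.99 "$c")"
    rm -rf "$d"
}
demo
```

The first two lines show why loading the certificate as a verify location clears error 18; the last two show that a trusted certificate can still fail an identity check that looks at a field the certificate does not carry.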