SSL_VERIFY_PEER
293 views
Skip to first unread message
Robert
Apr 18, 2018, 7:58:54 AM4/18/18
to libstrophe
I'm updating a Windows XMPP client that uses libstrophe. There's been
a change to tls_new(xmpp_conn_t *conn) in tls_openssl.c since I first
wrote this client that is causing me some grief, specifically:
SSL_CTX_set_verify (tls->ssl_ctx, SSL_VERIFY_NONE, NULL);
has been changed to:
/* Trust server's certificate when user sets the flag explicitly. */
mode = conn->tls_trust ? SSL_VERIFY_NONE : SSL_VERIFY_PEER;
SSL_set_verify(tls->ssl, mode, 0);
I can see the benefit of SSL_VERIFY_PEER, but I don't know how to work it, because with a bit of googling it would seem that SSL_VERIFY_PEER requires a certificate file (cacert.pem) somewhere on the client machine, a file that can be obtained from https://curl.haxx.se/docs/caextract.html. Is my understanding correct? If so, how do I specify the file pathname using libstrophe? How often does that file need to be updated? Is there a better source for this file? If I've got this wrong, what should I be doing to allow SSL to verify the certificate?
Alternatively I could forego the benefit, and go back to using SSL_VERIFY_NONE. I can see the flag that "the user must set explicitly" is held in xmpp_conn_t::tls_trust, but how do I set that flag from the libstrophe public API? Yes, I could just edit the libstrophe code and compile, but I would rather do this the proper way, in my client, if there is a proper way.
- robert
SSL_CTX_set_verify (tls->ssl_ctx, SSL_VERIFY_NONE, NULL);
has been changed to:
/* Trust server's certificate when user sets the flag explicitly. */
mode = conn->tls_trust ? SSL_VERIFY_NONE : SSL_VERIFY_PEER;
SSL_set_verify(tls->ssl, mode, 0);
I can see the benefit of SSL_VERIFY_PEER, but I don't know how to work it, because with a bit of googling it would seem that SSL_VERIFY_PEER requires a certificate file (cacert.pem) somewhere on the client machine, a file that can be obtained from https://curl.haxx.se/docs/caextract.html. Is my understanding correct? If so, how do I specify the file pathname using libstrophe? How often does that file need to be updated? Is there a better source for this file? If I've got this wrong, what should I be doing to allow SSL to verify the certificate?
Alternatively I could forego the benefit, and go back to using SSL_VERIFY_NONE. I can see the flag that "the user must set explicitly" is held in xmpp_conn_t::tls_trust, but how do I set that flag from the libstrophe public API? Yes, I could just edit the libstrophe code and compile, but I would rather do this the proper way, in my client, if there is a proper way.
- robert
Dmitry Podgorny
Apr 22, 2018, 4:40:51 AM4/22/18
to libstrophe
Hello,
To control all possible flags you need to use xmpp_conn_set_flags() (see examples/basic.c). It must be called before xmpp_connect_client(). Also all flags are preserved during reconnect since v0.9.0. The flag you look for is XMPP_CONN_FLAG_TRUST_TLS.
As far as I understand openssl validates certificate chain down to root certificates and you don't have to provide additional info for that. I'm not expert in this topic though.
-Dmitry
To control all possible flags you need to use xmpp_conn_set_flags() (see examples/basic.c). It must be called before xmpp_connect_client(). Also all flags are preserved during reconnect since v0.9.0. The flag you look for is XMPP_CONN_FLAG_TRUST_TLS.
As far as I understand openssl validates certificate chain down to root certificates and you don't have to provide additional info for that. I'm not expert in this topic though.
-Dmitry
Robert
Apr 26, 2018, 10:06:23 AM4/26/18
to libstrophe
Thanks, Dmitry, setting flag XMPP_CONN_FLAG_TRUST_TLS avoids the need to hack the libstrophe code to make things work.
Without the flag (or the hack), the client is unable to connect to the server, and the log messages are:
xmpp DEBUG proceeding with TLS
tls DEBUG Certificate verification FAILED
tls DEBUG error=1 errno=2
tls DEBUG error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
conn DEBUG Couldn't start TLS! error -3 tls_error 1
conn DEBUG SENT: </stream:stream>
xmpp DEBUG Send error occurred, disconnecting.
xmpp DEBUG Closing socket.
When I google "error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed", the results indicate the need to provide a local .pem file somewhere, somehow.
Without the flag (or the hack), the client is unable to connect to the server, and the log messages are:
xmpp DEBUG proceeding with TLS
tls DEBUG Certificate verification FAILED
tls DEBUG error=1 errno=2
tls DEBUG error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
conn DEBUG Couldn't start TLS! error -3 tls_error 1
conn DEBUG SENT: </stream:stream>
xmpp DEBUG Send error occurred, disconnecting.
xmpp DEBUG Closing socket.
When I google "error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed", the results indicate the need to provide a local .pem file somewhere, somehow.
Reply all
Reply to author
Forward
0 new messages