How to add intermediate certificate chain in SSL_CTX using OpenSSL API


Harshal Talele

Mar 7, 2014, 9:17:00 AM
Hello,

I am creating an SSL server/client architecture,
wherein I am using code similar to the one mentioned below for populating my server's SSL_CTX:

        ret = SSL_CTX_use_certificate_file(sslctx, "/tmp/certs.pem", SSL_FILETYPE_PEM);
        if(ret != 1)
        {
            return false;
        }

        /* the file name must be a quoted string */
        ret = SSL_CTX_use_PrivateKey_file(sslctx, "/tmp/certs.pem", SSL_FILETYPE_PEM);
        if(ret != 1)
        {
            return false;
        }
        ret = SSL_CTX_check_private_key(sslctx);
        if(ret != 1)
        {
            return false;
        }
        ret = SSL_CTX_load_verify_locations(sslctx, "/tmp/ca.pem", NULL);
        if(ret != 1)
        {
            return false;
        }


I have a certs.pem file with the root server certificate,
a ca.pem file with the CA certificate,
and a chain.pem file with the intermediate certificates.

I tried to add these intermediate certificates from chain.pem to my SSL_CTX cert store, to be used at the time of the SSL handshake with the client.

One of the ways was to use the "SSL_CTX_use_certificate_chain_file" method.
But when I tried using it with the above-mentioned code, the SSL handshake failed with the following error:
"SSL_write() error - error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher"

Removing this step, the SSL handshake seems to work fine.

Can you please help me understand what is going wrong?

Any troubleshooting pointers will be a great help.

Thanks in advance
-Harshal

B. Meeker

Mar 7, 2014, 1:00:50 PM
Harshal,

Check parameter 2 on SSL_CTX_use_PrivateKey_file(). It should be a pointer to the name of the file that contains the private key, not the certificate file.

As an example on my (working) prototype server I use the following:

// Define whatever ciphers you want. I used AES-128. Client cipher list should match.
#define CIPHER_LIST "AES-128"

if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1)
{
    return false;   /* the cipher list was rejected */
}
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Harshal Talele

Mar 8, 2014, 9:56:54 AM
Thank you for your reply, Meeker.

In my case the cert.pem file contains the private key too.
I want to understand: if I have to use intermediate certificates in the SSL handshake, is there any specific way in which we have to populate the SSL_CTX structure?

I have tried using the SSL_CTX_use_certificate_chain_file() API. Is this the right way?





Viktor Dukhovni

Mar 8, 2014, 3:37:45 PM
On Sat, Mar 08, 2014 at 08:26:54PM +0530, Harshal Talele wrote:

> In my case the cert.pem file contains the private key too.
> I want to understand: if I have to use intermediate certificates in the SSL
> handshake, is there any specific way in which we have to populate the SSL_CTX
> structure?
>
> I have tried using the SSL_CTX_use_certificate_chain_file() API. Is this the
> right way?

Yes:

/* XXX: Add robust error handling? :-) */
if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0)
    goto fail;
if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
    goto fail;

--
Viktor.

Harshal Talele

Mar 10, 2014, 4:08:46 AM
As a matter of fact, with use of the SSL_CTX_use_certificate_chain_file() API the SSL handshake continues to fail with error "
As you have mentioned, Viktor, I am using the SSL_CTX_use_certificate_file() API to read cert.pem, which contains the server certificate & private key.
Now I have another file, chain.pem, which contains only the intermediate certificates.
To read the content of this file I am using the SSL_CTX_use_certificate_chain_file() API.

Below is the complete sequence:

 const SSL_METHOD *meth = SSLv23_server_method();
 sslctx = SSL_CTX_new(meth);
 SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2);

 SSL_CTX_set_cipher_list(sslctx, "HIGH:!DSS:!aNULL:!eNULL@STRENGTH");

 SSL_CTX_use_certificate_file(sslctx, "/tmp/certs.pem", SSL_FILETYPE_PEM);
 SSL_CTX_use_PrivateKey_file(sslctx, "/tmp/certs.pem", SSL_FILETYPE_PEM);
 SSL_CTX_check_private_key(sslctx);
 SSL_CTX_use_certificate_chain_file(sslctx, "/tmp/chain.pem");
 SSL_CTX_load_verify_locations(sslctx, "/tmp/ca.pem", NULL);

With this configuration, while the server/client does an SSL handshake I get an error such as "SSL_write() error - error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher".

Am I missing something here?

Viktor Dukhovni

Mar 10, 2014, 9:04:51 AM
On Mon, Mar 10, 2014 at 01:38:46PM +0530, Harshal Talele wrote:

> As a matter of fact, with use of the
> SSL_CTX_use_certificate_chain_file() API the SSL handshake continues to fail

You must put all the PEM certificates (leaf certificate and intermediate CAs)
in the *same* file. With the leaf (server certificate) first, its issuing
CA second, any issuer for that CA third and so on.

You can also place the private key in the same file, or some other file.

-----BEGIN PRIVATE KEY-----
...server key...
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
...server cert...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...server cert's issuer: CA1...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...CA1's issuer: CA2...
-----END CERTIFICATE-----
...

If the certificates and the key are in the same file, make sure
the file is not world-readable.

> As you have mentioned, Viktor, I am using the SSL_CTX_use_certificate_file() API
> to read cert.pem, which contains the server certificate & private key.
> Now I have another file, chain.pem, which contains only the intermediate
> certificates.

You have split the leaf certificate from the intermediate issuing
CAs. DON'T.
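Viktor's ordering rule (leaf first, then its issuer, then that CA's issuer) can be checked mechanically before the file is handed to SSL_CTX_use_certificate_chain_file(). As an added example that is not code from this thread, the stdlib-only Python below reads the certificate block from a file like certs.pem (any key block in it is skipped), links it to an unordered chain.pem by issuer name, and returns the single chain file in the required order; toy_cert_pem builds constructed placeholder certificates for trying it without real keys. It checks only subject/issuer name linkage, not signatures, so it is a pre-flight on file layout, not a replacement for OpenSSL's own verification.

```python
import base64, re

# Added example, not code from the thread: build the one PEM file that
# SSL_CTX_use_certificate_chain_file() expects (leaf first, then each issuer).
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_children(buf):
    """Split the payload of a constructed DER element into (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                       # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def issuer_subject(pem_block):
    """Raw DER Name bytes (issuer, subject) of one PEM certificate block."""
    cert = base64.b64decode("".join(PEM_RE.match(pem_block).group(1).split()))
    fields = der_children(der_children(cert)[0][1])   # tbsCertificate, sigAlg, signature
    tbs = der_children(fields[0][1])
    if tbs[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        tbs = tbs[1:]
    return tbs[2][1], tbs[4][1]                       # serial, sigAlg, issuer, validity, subject

def order_chain(leaf_pem, bundle_pem):
    """Return leaf + intermediates as one PEM text in issuing order: leaf, CA1, CA2, ..."""
    leaf = PEM_RE.search(leaf_pem).group(0)           # a key block in leaf_pem is ignored
    pool = {issuer_subject(m.group(0))[1]: m.group(0) for m in PEM_RE.finditer(bundle_pem)}
    ordered, issuer = [leaf], issuer_subject(leaf)[0]
    while issuer in pool:                             # follow issuer links; a self-signed root ends the walk
        ordered.append(pool.pop(issuer))
        issuer = issuer_subject(ordered[-1])[0]
    if pool:                                          # leftovers do not chain to the leaf: refuse to write a bad file
        raise ValueError("%d bundle certificate(s) do not chain to the server certificate" % len(pool))
    return "\n".join(ordered) + "\n"

def der(tag, payload):                                # minimal DER encoder for constructed test data (< 256 bytes)
    n = len(payload)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])) + payload

def toy_cert_pem(subject, issuer):
    """Constructed stand-in certificate: real X.509 field layout, placeholder values, no signature."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer) + der(0x30, b"") + name(subject) + der(0x30, b""))
    body = base64.b64encode(der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
```

The private key is not copied through; if it is to live in the same file, as Viktor notes, prepend it and keep the file readable by the server user only.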