Certificate verification fails on MIPS architecture - Openssl


Thread: Certificate verification fails on MIPS architecture

  1. Certificate verification fails on MIPS architecture

    Hi,

    I'm running a program using some OpenSSL features for certificate
    handling on a MIPS architecture (Linksys WRT router with OpenWRT
    firmware). On an x86 Linux everything works fine, but on the router
    the certificate verification using X509_verify_cert fails. The
    certificate used matches the CA cert definitely. The setup that works
    on the x86 Linux is exactly the same.
    Are there any known problems with OpenSSL on MIPS platforms or running
    under OpenWRT? I've used the libs from OpenWRT SDK for compiling.

    Thanks in advance

    Till Elsner
    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. Re: Certificate verification fails on MIPS architecture

    On Thu May 22 2008 16:59, Till Elsner wrote:
    > Hi,
    >
    > I'm running a program using some OpenSSL features for certificate
    > handling on an MIPS architecture (Linksys WRT router with OpenWRT
    > firmware). On an x86 Linux everything works fine, but on the router
    > the certficate verification using X509_verify_cert fails. The
    > certificate used matches the CA cert definitely. The setup that works
    > on the x86 Linux is exactly the same.
    > Are there any known problem with OpenSSL on MIPS platforms or running
    > under OpenWRT. I've used the libs from OpenWRT SDK for compiling.
    >


    Is your MIPS machine running big endian? That might explain it.

    Mike


  3. Re: Certificate verification fails on MIPS architecture

    On 23.05.2008 at 05:44, Michael S. Zick wrote:

    > Is your MIPS machine running big endian? That might explain it.


    Possible. Now what exactly does that explain? How can I get OpenSSL to
    validate certificates "big endian style"?

    I'd be thankful for any explanation.
    Thanks

    Till



  4. Re: Certificate verification fails on MIPS architecture

    On Fri May 23 2008 16:24, Till Elsner wrote:
    > > Is your MIPS machine running big endian? That might explain it.
    >
    > Possible. Now what exactly does that explain? How can I get OpenSSL to
    > validate certificates "big endian style"?
    >
    > I'd be thankful for any explanation.


    Not able to help here. No MIPS, my ARM systems are running little endian
    and the PA-RISC system (big endian) is too old/slow to be of any help.

    You could start by determining the version of the libraries you are using
    and then determine if they are current, if not, check for endian problems
    that have already been fixed.

    If you have been following the list, you will have seen reports of people
    who regularly compile on PA-RISC with the current releases.

    Mike


  5. Re: Certificate verification fails on MIPS architecture

    Till Elsner wrote:
    > Hi,
    >
    > I'm running a program using some OpenSSL features for certificate
    > handling on an MIPS architecture (Linksys WRT router with OpenWRT
    > firmware). On an x86 Linux everything works fine, but on the router
    > the certficate verification using X509_verify_cert fails. The
    > certificate used matches the CA cert definitely. The setup that works
    > on the x86 Linux is exactly the same.
    > Are there any known problem with OpenSSL on MIPS platforms or running
    > under OpenWRT. I've used the libs from OpenWRT SDK for compiling.

    I am not aware of any specific problems of OpenSSL on MIPS platforms. As
    long as OpenSSL is configured correctly (big or little endian)
    everything should work just out of the box.

    Best regards,
    Lutz


  6. Re: Certificate verification fails on MIPS architecture

    Ok, after verifying what platform I'm actually compiling for, it's
    definitely little-endian (Linksys WRT54G running on Broadcom BCM4712).
    So what else could be the problem here?

    On 24.05.2008 at 22:23, Lutz Jänicke wrote:

    > I am not aware of any specific problems of OpenSSL on MIPS
    > platforms. As long as OpenSSL is configured correctly (big or little
    > endian) everything should work just out of the box.
    >
    > Best regards,
    > Lutz


  7. Re: Certificate verification fails on MIPS architecture

    Till Elsner wrote:
    > Ok, after verifying what platform I'm actually compiling for, it's
    > definitely little-endian (Linksys WRT54G running on Broadcom BCM4712).
    > So what else could be the problem here?
    >
    > On 24.05.2008 at 22:23, Lutz Jänicke wrote:
    >> I am not aware of any specific problems of OpenSSL on MIPS platforms.
    >> As long as OpenSSL is configured correctly (big or little endian)
    >> everything should work just out of the box.

    As I already wrote: I am not aware of any specific problems in MIPS.
    Having this said, your problem report does not really help much in
    tracking down the problem. It reads: Hey, it fails, what might be wrong?
    Without any more details we cannot help you. What exactly happens? Does
    your application crash?
    When verifying certificates, against which CAs? Is your filesystem
    layout containing the CA certificates the same?

    Best regards,
    Lutz


  8. Re: Certificate verification fails on MIPS architecture


    On 26.05.2008 at 13:13, Lutz Jaenicke wrote:

    > As I already wrote: I am not aware of any specific problems in MIPS.
    > Having this said, your problem report does not really help much in
    > tracking down the problem. It reads: Hey, it fails, what might be
    > wrong?
    > Without any more details we cannot help you. What exactly happens?
    > Your
    > application does crash?
    > When verifying certificates, against which CAs? Is your filesystem
    > layout containing the CA certificates the same?


    Ok, I see this was really not very detailed and not very helpful for
    finding a solution. So what happens is the following:
    I have a self-signed certificate used as CA and some certificates
    signed by this CA. Checking the signature with OpenSSL on the command
    line verifies the certificates correctly. Now in the software I've
    built, the certificates get verified against my CA using
    X509_verify_cert (which should work quite similar to what OpenSSL does
    on the command line, I think). Now when I run the program on standard
    Linux desktop machines (tried on Debian distros), everything works
    fine, the certificates get verified just like they should. But when I
    compile the program for a router and run it there, it also starts, but
    the verification of the certificates fails. No crashes, no error
    messages saying something is wrong with OpenSSL, just the failing
    verification. The router is a Linksys WRT54G running OpenWRT 7.09.

    It would be FANTASTIC if anyone could assist here, because I really
    need this for my bachelor thesis and my deadline is getting closer and
    closer...

    Thanks in advance
    Till



  9. Re: Certificate verification fails on MIPS architecture

    Till Elsner wrote:
    > Ok, I see this was really not very detailed and not very helpful for
    > finding a solution. So what happens is the following:
    > I have a self-signed certificate used as CA and some certificates
    > signed by this CA. Checking the signature with OpenSSL on the command
    > line verifies the certificates correctly. Now in the software I've
    > build, the certificates get verified agains my CA using
    > X509_verify_cert (which should work quite similar to what OpenSSL does
    > on the command line, I think). Now when I run the program on standard
    > linux desktop machines (tried on debian distros), everything works
    > fine, the certificates get verified just like they should. But when I
    > compile the program for a router and run it there, it also starts, but
    > the verification of the certificates fails. No crashes, no error
    > messages saying something is wrong with OpenSSL, just the failing
    > verification. The router is a Linksys WRT54G running OpenWRT 7.09.

    If your application is using X509_verify_cert() it uses an X509_STORE_CTX
    that must be initialized with the certificates to verify against and can
    be initialized with a verification callback function that is fed with
    the error codes and finally decides about whether a certificate is
    accepted or not.
    Unfortunately there is no manual page for X509_verify_cert(), but it is
    the same function that is used internally for SSL certificate
    verification, and the behaviour and the callback function are described
    in the SSL_CTX_set_verify() manpage.
    A good source of information might be ssl/ssl_cert.c:ssl_verify_cert_chain()

    Best regards,
    Lutz


  10. Re: Certificate verification fails on MIPS architecture

    I tried to track down the problem, but it still seems that, when it
    comes to certificate verification, what works on a standard Linux
    desktop PC fails on the OpenWRT. I wrote a short program that validates
    certificates, which I'll append to this mail. If someone has some
    MIPSEL platform available, please verify my results, since I really need
    to know if this error is caused by a programming mistake on my side,
    by some bug in OpenSSL or simply by a lack of understanding. I used
    the OpenWRT SDK for cross compilation (the whiterussian one, because
    the Kamikaze version doesn't include OpenSSL). The problem still
    existing is that it seems to work on both platforms, but on the MIPSEL
    it's not validating (valid) certificates, while it does on Linux.

    Thanks in advance
    Till

    --- BEGIN CERTTEST.C ---

    /*
     * verifies a certificate (PEM format) using a CA's certificate
     *
     * compile: gcc certtest.c -o certtest -lssl -lcrypto
     *
     * place the resulting executable into the same directory as the
     * certificate files:
     * - certificate: client.pem
     * - CA file: cacert.pem
     */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <errno.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>
    #include <openssl/pem.h>
    #include <openssl/x509.h>

    char *cert_file, *ca_file;
    FILE *cert_fp;
    X509 *x509;
    X509_STORE_CTX *x509_ctx;
    X509_STORE *x509_store;
    X509_LOOKUP *x509_lookup;

    int main() {
        cert_file = "client.pem";
        ca_file = "cacert.pem";

        SSL_library_init();
        ERR_load_crypto_strings();

        // open certificate file
        if (!(cert_fp = fopen(cert_file, "r"))) {
            printf("ERR: Error opening certificate file: %s. Exiting.\n",
                   strerror(errno));
            exit(2);
        } else {
            printf("Certificate file opened.\n");
        }
        // read certificate
        if (!(x509 = PEM_read_X509(cert_fp, NULL, NULL, NULL))) {
            printf("ERR: Error reading certificate from file: %s\n",
                   ERR_error_string(ERR_get_error(), NULL));
            exit(2);
        } else {
            printf("Certificate read.\n");
        }
        fclose(cert_fp);

        // create the certificate storing object
        if (!(x509_store = X509_STORE_new())) {
            printf("ERR: Error creating X509_STORE object: %s. Exiting.\n",
                   ERR_error_string(ERR_get_error(), NULL));
            exit(2);
        } else {
            printf("Certificate storing object created.\n");
        }
        // add the CA certificate(s) from ca_file to the X509_STORE object
        if (X509_STORE_load_locations(x509_store, ca_file, NULL) != 1) {
            printf("ERR: Error loading CA file: %s. Exiting.\n",
                   ERR_error_string(ERR_get_error(), NULL));
            exit(2);
        } else {
            printf("CA certificate added to storing object.\n");
        }
        if (!(x509_lookup = X509_STORE_add_lookup(x509_store,
                                                  X509_LOOKUP_file()))) {
            printf("ERR: Error creating X509 lookup object: %s. Exiting.\n",
                   ERR_error_string(ERR_get_error(), NULL));
            exit(2);
        } else {
            printf("X509 lookup object created.\n");
        }
        // create and initialize X509 verification context
        if (!(x509_ctx = X509_STORE_CTX_new())) {
            printf("ERR: Error creating X509 verification context: %s. Exiting.\n",
                   ERR_error_string(ERR_get_error(), NULL));
            exit(2);
        } else {
            printf("X509 verification context object created.\n");
        }
        if (X509_STORE_CTX_init(x509_ctx, x509_store, x509, NULL) != 1) {
            printf("ERR: Error initializing X509 verification context: %s. Exiting.\n",
                   ERR_error_string(ERR_get_error(), NULL));
            exit(2);
        } else {
            printf("X509 verification context object initialized.\n");
        }

        // verify certificate
        if (X509_verify_cert(x509_ctx) != 1) {
            printf("Error: Certificate invalid!\n");
            exit(1);
        } else {
            printf("Certificate checked and validated!\n");
            exit(0);
        }
    }

    --- END CERTTEST.C ---



  11. Re: Certificate verification fails on MIPS architecture

    Till Elsner wrote:
    > I tried to track down the problem, but it still seems that , when it
    > comes to certificate verification, on the OpenWRT fails what works on
    > a standard linux desktop PC. I wrote a short program that validates
    > certificates, that I'll append to this mail. If someone has some
    > MIPSEL platform available please verify my results since I really need
    > to know if this errors is caused by a programming mistake on my side,
    > by some bug in OpenSSL or simply by a lack of understanding. I used
    > the OpenWRT's SDK for cross compilation (the whiterussian one, because
    > the Kamikaze version doesn't include OpenSSL). The problem still
    > existing is that it seems to work on both platform, but on the MIPSEL
    > it's not validating (valid) certificate, while it does on Linux.


    Your example program is still missing the verify_callback(). The
    verify_callback() is called for each certificate in the chain that is
    checked: once with "success" if no problem was encountered, and if
    problems with the validation are encountered it is called so that the
    respective error can be treated (maybe just printed). Without the
    verify_callback you will never find out why the verification fails.
    Having said this, there is another thread being discussed about OpenWRT
    that indicates that at least non-standard configurations are used in
    the compilation of the toolkit (-no-err in the case mentioned, to save
    the memory for the error strings). I am working in an embedded
    environment myself and we once had a problem when we disabled an
    algorithm (to save memory) at build time that later on was needed for
    certificate verification because some certificates were signed with it.

    Best regards,
    Lutz


  12. How to load a chain of certificates ?

    Hello everyone,

    I have to load a chain of x509v3 certificates which is only one file,
    like this one (i cut it):

    -----BEGIN CERTIFICATE-----
    MIIEjjC[...]7DjKlgcOcx
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIEfzC[...]ds0pfH
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIEeT[...]AxQv6oN
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIEdjC[...]1zwDx
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIEcjC[...]WziILI=
    -----END CERTIFICATE-----

    So, how can I load it with OpenSSL?



  13. Re: How to load a chain of certificates ?


    Hi Pierre,

    If you are using this certificate chain for an SSL connection, use
    SSL_CTX_use_certificate_chain_file which does precisely what you are
    asking. If you are just looking for a way to load this chain for other
    uses, the source code for that function should help you out.

    take a look at the man page:
    http://www.openssl.org/docs/ssl/SSL_...rtificate.html

    - Ariel

    delcour.pierre wrote:
    > Hello everyone,
    >
    > I have to load a chain of x509v3 certificates which is only one file,
    > like this one (i cut it):
    >
    > -----BEGIN CERTIFICATE-----
    > MIIEjjC[...]7DjKlgcOcx
    > -----END CERTIFICATE-----
    > -----BEGIN CERTIFICATE-----
    > MIIEfzC[...]ds0pfH
    > -----END CERTIFICATE-----
    > -----BEGIN CERTIFICATE-----
    > MIIEeT[...]AxQv6oN
    > -----END CERTIFICATE-----
    > -----BEGIN CERTIFICATE-----
    > MIIEdjC[...]1zwDx
    > -----END CERTIFICATE-----
    > -----BEGIN CERTIFICATE-----
    > MIIEcjC[...]WziILI=
    > -----END CERTIFICATE-----
    >
    > So, how can i load it thanks to openssl ?
    >



    --
    - Ariel Salomon / Senior Software Engineer
    Real-Time Innovations (RTI) / www.rti.com
    408 990-7439 / ariel@rti.com

    RTI - The Real-Time Middleware Experts




  14. Re: How to load a chain of certificates ?

    Hello,

    Ariel Salomon wrote:
    >
    > Hi Pierre,
    >
    > If you are using this certificate chain for an SSL connection, use
    > SSL_CTX_use_certificate_chain_file which does precisely what you are
    > asking. If you are just looking for a way to load this chain for
    > other uses, the source code for that function should help you out.
    >
    > Take a look at the man page:
    > http://www.openssl.org/docs/ssl/SSL_...rtificate.html
    >
    > - Ariel
    >
    > delcour.pierre wrote:
    >> Hello everyone,
    >>
    >> I have to load a chain of x509v3 certificates which is only one file,
    >> like this one (I cut it):
    >>
    >> -----BEGIN CERTIFICATE-----
    >> MIIEjjC[...]7DjKlgcOcx
    >> -----END CERTIFICATE-----
    >> -----BEGIN CERTIFICATE-----
    >> MIIEfzC[...]ds0pfH
    >> -----END CERTIFICATE-----
    >> -----BEGIN CERTIFICATE-----
    >> MIIEeT[...]AxQv6oN
    >> -----END CERTIFICATE-----
    >> -----BEGIN CERTIFICATE-----
    >> MIIEdjC[...]1zwDx
    >> -----END CERTIFICATE-----
    >> -----BEGIN CERTIFICATE-----
    >> MIIEcjC[...]WziILI=
    >> -----END CERTIFICATE-----
    >>
    >> So, how can I load it with OpenSSL?
    >>

    Thanks for your answer. I took a look at this page, and I wrote this code:

    #include <iostream>
    #include <openssl/ssl.h>
    int main() {
        SSL_CTX *ctx = NULL;
        ctx = SSL_CTX_new(SSLv23_method());   // result of SSL_CTX_new() is not checked
        std::cout << SSL_CTX_use_certificate_chain_file(ctx,
                       "/home/pierred/chain/cert.chain.pem") << std::endl;
    }

    I only got a segmentation fault. After looking at the source code of
    SSL_CTX_use_certificate_chain_file, I found that the segfault is due
    to this line:
    ret=SSL_CTX_use_certificate(ctx,x);

    I thought I had to use another function instead of this one,
    "SSLv23_method()". I tried SSLv3_method(), but no change.

    I'm using OpenSSL 0.9.8g on Kubuntu 8.04.

    Thanks in advance,
    Pierre Delcour.


  15. Re: How to load a chain of certificates ?

    Hello,

    Ariel Salomon wrote:
    >
    > Hi Pierre,
    >
    > If you are using this certificate chain for an SSL connection, use
    > SSL_CTX_use_certificate_chain_file which does precisely what you are
    > asking. If you are just looking for a way to load this chain for
    > other uses, the source code for that function should help you out.
    >
    > Take a look at the man page:
    > http://www.openssl.org/docs/ssl/SSL_...rtificate.html
    >
    > - Ariel
    >
    > delcour.pierre wrote:
    >> Hello everyone,
    >>
    >> I have to load a chain of x509v3 certificates which is only one file,
    >> like this one (I cut it):
    >>
    >> -----BEGIN CERTIFICATE-----
    >> MIIEjjC[...]7DjKlgcOcx
    >> -----END CERTIFICATE-----
    >> -----BEGIN CERTIFICATE-----
    >> MIIEfzC[...]ds0pfH
    >> -----END CERTIFICATE-----
    >> -----BEGIN CERTIFICATE-----
    >> MIIEeT[...]AxQv6oN
    >> -----END CERTIFICATE-----
    >> -----BEGIN CERTIFICATE-----
    >> MIIEdjC[...]1zwDx
    >> -----END CERTIFICATE-----
    >> -----BEGIN CERTIFICATE-----
    >> MIIEcjC[...]WziILI=
    >> -----END CERTIFICATE-----
    >>
    >> So, how can I load it with OpenSSL?
    >>

    Thanks for your answer. I took a look at this page, and I wrote this
    code:

    #include <iostream>
    #include <openssl/ssl.h>
    int main() {
        SSL_CTX *ctx = NULL;
        ctx = SSL_CTX_new(SSLv23_method());   // result of SSL_CTX_new() is not checked
        std::cout << SSL_CTX_use_certificate_chain_file(ctx,
                       "/home/pierred/chain/cert.chain.pem") << std::endl;
    }

    I only got a segmentation fault. After looking at the source code of
    SSL_CTX_use_certificate_chain_file, I found that the segfault is due
    to this line:
    ret=SSL_CTX_use_certificate(ctx,x);

    I thought I had to use another function instead of this one,
    "SSLv23_method()". I tried SSLv3_method(), but no change.

    I'm using OpenSSL 0.9.8g on Kubuntu 8.04.

    Thanks in advance,
    Pierre Delcour.


  16. Re: How to load a chain of certificates ?

    delcour.pierre wrote:
    > Hello,
    >
    > Ariel Salomon wrote:
    >>
    >> Hi Pierre,
    >>
    >> If you are using this certificate chain for an SSL connection, use
    >> SSL_CTX_use_certificate_chain_file which does precisely what you are
    >> asking. If you are just looking for a way to load this chain for
    >> other uses, the source code for that function should help you out.
    >>
    >> Take a look at the man page:
    >> http://www.openssl.org/docs/ssl/SSL_...rtificate.html
    >>
    >> - Ariel
    >>
    >> delcour.pierre wrote:
    >>> Hello everyone,
    >>>
    >>> I have to load a chain of x509v3 certificates which is only one file,
    >>> like this one (I cut it):
    >>>
    >>> -----BEGIN CERTIFICATE-----
    >>> MIIEjjC[...]7DjKlgcOcx
    >>> -----END CERTIFICATE-----
    >>> -----BEGIN CERTIFICATE-----
    >>> MIIEfzC[...]ds0pfH
    >>> -----END CERTIFICATE-----
    >>> -----BEGIN CERTIFICATE-----
    >>> MIIEeT[...]AxQv6oN
    >>> -----END CERTIFICATE-----
    >>> -----BEGIN CERTIFICATE-----
    >>> MIIEdjC[...]1zwDx
    >>> -----END CERTIFICATE-----
    >>> -----BEGIN CERTIFICATE-----
    >>> MIIEcjC[...]WziILI=
    >>> -----END CERTIFICATE-----
    >>>
    >>> So, how can I load it with OpenSSL?
    >>>

    > Thanks for your answer. I took a look at this page, and I wrote this
    > code:
    >
    > SSL_CTX *ctx = NULL;
    > ctx = SSL_CTX_new(SSLv23_method());
    > cout << SSL_CTX_use_certificate_chain_file(ctx,
    > "/home/pierred/chain/cert.chain.pem") << endl;
    >
    > I only got a segmentation fault. After looking at the source code of
    > SSL_CTX_use_certificate_chain_file, I found that the segfault is
    > due to this line:
    > ret=SSL_CTX_use_certificate(ctx,x);
    >
    > I thought I had to use another function instead of this one,
    > "SSLv23_method()". I tried SSLv3_method(), but no change.
    >
    > I'm using OpenSSL 0.9.8g on Kubuntu 8.04.
    >
    > Thanks in advance,
    > Pierre Delcour.

    Hello,

    I'm still looking for a solution to this problem...

    Thanks in advance,
    Pierre Delcour



  17. Re: How to load a chain of certificates ?

    delcour.pierre wrote:
    > Hello,
    >
    > Ariel Salomon wrote:
    >>
    >> Hi Pierre,
    >>
    >> If you are using this certificate chain for an SSL connection, use
    >> SSL_CTX_use_certificate_chain_file which does precisely what you are
    >> asking. If you are just looking for a way to load this chain for
    >> other uses, the source code for that function should help you out.
    >>
    >> Take a look at the man page:
    >> http://www.openssl.org/docs/ssl/SSL_...rtificate.html
    >>
    >> - Ariel
    >>
    >> delcour.pierre wrote:
    >>> Hello everyone,
    >>>
    >>> I have to load a chain of x509v3 certificates which is only one file,
    >>> like this one (I cut it):
    >>>
    >>> -----BEGIN CERTIFICATE-----
    >>> MIIEjjC[...]7DjKlgcOcx
    >>> -----END CERTIFICATE-----
    >>> -----BEGIN CERTIFICATE-----
    >>> MIIEfzC[...]ds0pfH
    >>> -----END CERTIFICATE-----
    >>> -----BEGIN CERTIFICATE-----
    >>> MIIEeT[...]AxQv6oN
    >>> -----END CERTIFICATE-----
    >>> -----BEGIN CERTIFICATE-----
    >>> MIIEdjC[...]1zwDx
    >>> -----END CERTIFICATE-----
    >>> -----BEGIN CERTIFICATE-----
    >>> MIIEcjC[...]WziILI=
    >>> -----END CERTIFICATE-----
    >>>
    >>> So, how can I load it with OpenSSL?
    >>>

    > Thanks for your answer. I took a look at this page, and I wrote this
    > code:
    >
    > SSL_CTX *ctx = NULL;
    > ctx = SSL_CTX_new(SSLv23_method());
    > cout << SSL_CTX_use_certificate_chain_file(ctx,
    > "/home/pierred/chain/cert.chain.pem") << endl;
    >
    > I only got a segmentation fault. After looking at the source code of
    > SSL_CTX_use_certificate_chain_file, I found that the segfault is
    > due to this line:
    > ret=SSL_CTX_use_certificate(ctx,x);
    >
    > I thought I had to use another function instead of this one,
    > "SSLv23_method()". I tried SSLv3_method(), but no change.
    >
    > I'm using OpenSSL 0.9.8g on Kubuntu 8.04.
    >
    > Thanks in advance,
    > Pierre Delcour.

    Answer:

    #include <openssl/ssl.h>

    /* Returns 0 and stores the ready context in *out, or -1 on failure. */
    int load_chain(SSL_CTX **out, const char *chain_filename)
    {
        SSL_CTX *ctx = NULL;
        if (!SSL_library_init())   /* must precede SSL_CTX_new() on 0.9.8 */
            return -1;

        if (!(ctx = SSL_CTX_new(TLSv1_method())))
            return -1;

        if (SSL_CTX_set_default_verify_paths(ctx) != 1) {
            SSL_CTX_free(ctx);
            return -1;
        }

        if (SSL_CTX_use_certificate_chain_file(ctx, chain_filename) != 1) {
            SSL_CTX_free(ctx);
            return -1;
        }

        *out = ctx;
        return 0;
    }

    All the certificates are in the STACK_OF(X509) *: ctx->extra_certs

    Have a nice day


+ Reply to Thread