OpenSSL verify domain certificate - c++

I'm trying to verify a certificate from a CA file and it's working pretty well:
SSL_CTX_load_verify_locations(ctx, trusted_ca.c_str(), nullptr)
...
SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_callback);
In such a situation, it checks that the signature does indeed match the CA, but it does not verify the domain.
How should verify_callback look? How do I check within the function verify_callback what the domain is?
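
What "verifying the domain" means, as an added example that is not part of the original question and is not OpenSSL's code: a simplified matcher that checks the host against the certificate's SAN dNSName entries, using hypothetical function names and a constructed SAN list. In a real client, OpenSSL 1.1.0 and later performs this check during chain verification once SSL_set1_host(ssl, hostname) has been called before the handshake, so verify_callback does not need to do it. The sketch assumes DNS names only; IP literals and embedded NUL bytes are out of scope.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Compare n bytes of two DNS names, ignoring ASCII case. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* 1 if `host` is covered by one certificate DNS name. A wildcard is accepted only
 * as the whole leftmost label, stands for one label, and "*.com" is too broad. */
int dns_name_matches(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (hlen > 0 && host[hlen - 1] == '.')   /* ignore a trailing root dot */
        hlen--;
    if (plen == 0 || hlen == 0)
        return 0;
    if (strchr(pattern, '*') == NULL)        /* plain name: exact match */
        return plen == hlen && eq_nocase(pattern, host, plen);
    if (plen < 3 || pattern[0] != '*' || pattern[1] != '.' ||
        strchr(pattern + 1, '*') != NULL || strchr(pattern + 2, '.') == NULL)
        return 0;                            /* malformed or too-broad wildcard */
    size_t slen = plen - 1;                  /* length of ".example.com" */
    /* The host needs a non-empty first label, and "*" never spans a dot. */
    if (hlen <= slen || memchr(host, '.', hlen - slen) != NULL)
        return 0;
    return eq_nocase(pattern + 1, host + (hlen - slen), slen);
}

/* 1 if any of the n SAN dNSName entries covers `host`. */
int host_in_san(const char *const *san, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (dns_name_matches(san[i], host))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed SAN list, not taken from a real certificate. */
    const char *names[] = { "example.com", "*.example.com" };
    printf("api.example.com: %d\n", host_in_san(names, 2, "api.example.com"));
    printf("a.b.example.com: %d\n", host_in_san(names, 2, "a.b.example.com"));
    return 0;
}
```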

Related

Ignore common name when verifying certificate in openssl

We are writing a new server/client app and need to verify self-signed certificates in OpenSSL 1.1.0 where the CN field isn't important.
I tried to do the following but it doesn't seem to have an effect:
X509_VERIFY_PARAM *param = NULL;
param = SSL_get0_param(sslo.ssl);
X509_VERIFY_PARAM_set1_host(param, nullptr, 0);
How can I effectively ignore all verification of this field?
Update after Shane's answer:
I tried setting verify_callback with SSL_CTX_set_verify.
In the callback I called X509_STORE_CTX_get_error_depth. The resulting error code was X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, which according to documentation means "the passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates."
This error is very generic and not related specifically to CN; if I only change the CN field in the cert to an appropriate value, it doesn't happen.
Use the SSL_CTX_set_verify call to specify your own verification callback function where you can OK anything you wish about the certificate.
Read that page carefully and it should tell you everything you need to know; the page also includes an example you can base your handler on if you wish.

Google Cloud Functions certificate doesn't match domain name

I want to use my Google Cloud Function as a webhook endpoint for a Telegram bot - so that Telegram server makes a request to my function every time there's an update that I need to reply to. (Here's a full guide they provide for this). I have set up such a webhook at a GCF provided address, which looks like https://us-central1-project-name-123456.cloudfunctions.net/processUpdate (where processUpdate is the name of my function).
However, it looks like Telegram doesn't work with my function because of a problem with the certificate. The #CanOfWormsBot created to troubleshoot this provides an error message:
⛔️ This verified certificate appears to be invalid
https://us-central1-project-name-123456.cloudfunctions.net/processUpdate
Your CN (Common Name) or SAN (Subject Alternative Name) appear not to match your domain name, please verify you're setting the correct domain for the certificate.
CERTIFICATE:
Common Name(CN): misc.google.com
Issuer: Google Internet Authority G3
Alternative Names(SAN): Too many SANS to be shown here.
Issued: 18/06/2019
Expires: 10/09/2019
What's the root cause of this issue? Does it mean that Google misconfigured the certificate they use for cloudfunctions.net? Can I fix this by configuring my cloud function?

How to validate ssl certificate on amazon ELB?

I'm writing a script that loads IAM certificate to some ELB in order to check if it's valid.
When I tested it, I used an invalid private key on purpose to see if I could load it to the ELB.... and the problem - it gets loaded!
So my questions are-
How is this possible? I know for a fact that if you use AWS console you can't do something like that.
Is there a boto way to check if a cert is valid? (not using openssl, this is what I'm trying to avoid).
What exactly do you mean when you say "check if it's valid"? If you try to upload a malformed PEM file (the text of the cert isn't valid) then it will definitely throw an error since it can't decode the file. Also, if you try to upload a mismatched public & private key it will also throw an error. I just tested these sorts of cases myself and got the following error:
The private key did not match the public key provided. Please verify the key material and try again.
If you're referring to testing that a certificate is signed, authentic, and not expired, then the ELB isn't going to do any of that. According to the AWS documentation for ELBs it's perfectly fine to make use of self-signed certificates, and certs will also continue to work (whether CA signed or self-signed) even if expired. Both self-signed certs and expired certs are "valid" as far as operation of a secure SSL connection goes. Whether the cert is signed and unexpired or not is really just a means of providing authentication that it's a legitimate certificate.
If you are asking about testing if a certificate is properly signed and not expired then you would need to test for these sorts of things yourself, typically by leveraging something like openssl.

Certificate error open ssl C

I am using OpenSSL in C to verify a certificate. Is there any way I can skip the self-signed certificate error? I am getting that error for all the sites that have invalid/expired/mismatched URL certificates and I am unable to detect any of the other errors.
And I use the function
SSL_CTX_load_verify_locations(ctx,0,CA_LIST) to load CA_LIST. What exactly does it do?
The error "self-signed certificate in certificate chain" occurs when the root or self-signed certificate is present in the certificate list sent by the peer but is not loaded in your trust store.
SSL_CTX_load_verify_locations(ctx,0,CA_LIST) will try to load the CAs present in the path given in CA_LIST.
The function prototype is int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath);
The OpenSSL Help Page Says:
"If CApath is not NULL, it points to a directory containing CA certificates in PEM format. The files each contain one CA certificate. The files are looked up by the CA subject name hash value, which must hence be available. If more than one CA certificate with the same name hash value exist, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the ordering of the extension number, regardless of other properties of the certificates. Use the c_rehash utility to create the necessary links.
The certificates in CApath are only looked up when required, e.g. when building the certificate chain or when actually performing the verification of a peer certificate."
You can get more information from the OpenSSL Page here.

OpenSSL Ignore Self-signed certificate error

I'm writing a small program with the OpenSSL library that is supposed to establish a connection with an SSLv3 server. This server dispenses a self-signed certificate, which causes the handshake to fail with this message: "sslv3 alert handshake failure, self signed certificate in certificate chain."
Is there a way I can force the connection to proceed? I've tried calling SSL_CTX_set_verify like so:
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
But it does not seem to change anything.
Any suggestions?
By default OpenSSL walks the certificate chain and tries to verify on each step; SSL_set_verify() does not change that, see the man page. Quoting it:
The actual verification procedure is performed either using the
built-in verification procedure or using another application provided
verification function set with SSL_CTX_set_cert_verify_callback(3).
So the solution is to create a simple callback and set that one, so that you override all certificate-chain walking:
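/* Replaces OpenSSL's built-in chain verification: every certificate is accepted. */
static int always_true_callback(X509_STORE_CTX *ctx, void *arg)
{
    return 1;
}
/* CTX is the SSL_CTX; the third argument is handed to the callback as arg. */
SSL_CTX_set_cert_verify_callback(CTX, always_true_callback, NULL);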
Have you tried giving your app the server's CA certificate so that your app can verify the certificate chain?
Check these OpenSSL Examples: http://www.rtfm.com/openssl-examples/
The wclient.c connects to any https page, for example:
wclient -h www.yahoo.com -p 443
If you run that with the default installation, you'll get a certificate error (you can use the -i flag to bypass the certificate check though).
To verify the certificate, you'll need to download the CA certificates (Verisign, Thawte, Equifax, etc), so google this file cacert.pem, download and rename it to root.pem and you'll be able to connect to a web server and validate its certificate.
Have you tried setting SSL_set_verify?
SSL_set_verify(s, SSL_VERIFY_NONE, NULL);
You could try passing your own callback to SSL_set_verify() and then doing your own verification. It's less than ideal as I think you then need to do all of the verification and then allow the self signed error to be ignored, but you should be able to work out what the standard verify code does from the OpenSSL source and then simply pull it into your own verification callback and allow the specific error code...
My sample client code (link) works fine with self signed server cert. I have the below code after SSL_connect and have full control over self signed certificates acceptability in my client
SSL_CTX* ctx = SSL_CTX_new(SSLv3_method());
// TCP connection and SSL handshake ...
/* Check the certificate */
long rc = SSL_get_verify_result(ssl);
if (rc != X509_V_OK) {
    if (rc == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT || rc == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) {
        /* Self-signed certificate: report it and carry on with the connection */
        fprintf(stderr, "self signed certificate\n");
    }
    else {
        /* Any other verification failure: clean up and give up */
        fprintf(stderr, "Certificate verification error: %ld\n", rc);
        SSL_CTX_free(ctx);
        return 0;
    }
}