We Keep Coding

Trying to make a secure handshake between server and client with OpenSSL

I'm trying to make a basic Client-Server program that can exchange messages using the OpenSSL library. I'm very new to OpenSSL and cryptography and I'm trying to understand exactly how to make sure that the connection between my client and server is secure. Currently I'm using self signed certificates for both client and server but the certificate verification fails when the client tries to connect to the server with this error:
140336190395008:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed:../ssl/statem/statem_srvr.c:3711:
In the main method of my server program, I first set verify for the CTX and use the following flags:
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
Then when setting up the servlet I call the following method to show certificates:
void ShowCerts(SSL* ssl) /*show the ceritficates to client and match them*/ {
X509 *cert;
long int verify;
char *line;
cert = SSL_get_peer_certificate(ssl); /* Get certificates (if available) */
verify = SSL_get_verify_result(ssl);
if (verify == X509_V_OK) {
printf("Yay it worked\n");
}
if ( cert != NULL ) {
printf("Server certificates:\n");
line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
printf("Server: %s\n", line); /*server certifcates*/
free(line);
line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
printf("client: %s\n", line); /*client certificates*/
free(line);
X509_free(cert);
} else {
printf("No certificates.\n");
}
}
As I said I'm very new to this so I might be missing something basic here. Also apologies in advance if I missed any important info, this is my first time asking a question here.

Access web server by domain name instead of IP address with C/++ sockets [duplicate]

How do I make an http request using sockets on linux? currently, I'm getting
HTTP/1.1 301 Moved Permanently
//etc
Location: https://server.com
here's relevant part of code(the function is too big to post here):
/* Socket file descriptor. */
int sock;
struct sockaddr_in sockaddr;
struct hostent *host; /* Host information. */
sock = socket(AF_INET, /* IPV4 protocol. */
SOCK_STREAM, /* TCP socket. */
0); /* O for socket() function choose the correct protocol based on the socket type. */
if(sock == INVALID_SOCKET) return SOCK_GENERROR;
if((host = gethostbyname(server)) == NULL) {
close(sock);
return SOCK_HOSTNFOUND;
}
/* zero buffer */
memset(&sockaddr, 0, sizeof(sockaddr));
sockaddr.sin_family = AF_INET;
memcpy(&sockaddr.sin_addr,
host -> h_addr,
host -> h_length );
sockaddr.sin_port = htons(port);
if(connect(sock, (struct sockaddr *)&sockaddr, sizeof(sockaddr)) == INVALID_SOCKET) {
close(sock);
return SOCK_FERRCONN;
}
if(send(sock, sendbuf, bufsize, 0) == INVALID_SOCKET) {
close(sock);
return SOCK_FERRWRITE;
}
if((readed = recv(sock, recvbuffer, sizeof(recvbuffer), 0)) <= 0)
break;
in the call, server="server.com"; and port=80;
I tried to remove as possible my onw routines and type from this code to make more clean for you.

https requests look just like http requests, but with transparent encryption of the actual communication between the client and the server, and on a different default port. The good news is that transparent encryption allows you to program just like you're writing a regular HTTP client. The bad news is that the encryption is complex enough that you need a specialized library to implement it for you.
One such library is OpenSSL. Using OpenSSL, the minimal code for a client would look like this:
#include <openssl/ssl.h>
// first connect to the remote as usual, but use the port 443 instead of 80
// initialize OpenSSL - do this once and stash ssl_ctx in a global var
SSL_load_error_strings ();
SSL_library_init ();
SSL_CTX *ssl_ctx = SSL_CTX_new (SSLv23_client_method ());
// create an SSL connection and attach it to the socket
SSL *conn = SSL_new(ssl_ctx);
SSL_set_fd(conn, sock);
// perform the SSL/TLS handshake with the server - when on the
// server side, this would use SSL_accept()
int err = SSL_connect(conn);
if (err != 1)
abort(); // handle error
// now proceed with HTTP traffic, using SSL_read instead of recv() and
// SSL_write instead of send(), and SSL_shutdown/SSL_free before close()

HTTPS is just like HTTP, but its encapsulated in a cryptographic SSL layer. You will need to use a lib like OpenSSL to make those HTTPS connections.
OpenSSL will provide functions that replace the socket.h ones, to connect, read and write regular HTTP (or whatever other protocol you want to use) through a SSL channel, making the handling of the SSL part transparent to you.

libwebsocket server with openSSL not accepting connection

I have written web socket server with the help of (libwebsocket library )which accepts web socket client connection for non SSL.
Now I wanted it to accept SSL connection so I have generated the self signed certificate and key, while creating web socket context I have given the key and certificate path and option LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT as well.
But while making https connection using wss://ip:7681 from I am getting connection request callback i.e LWS_CALLBACK_SERVER_NEW_CLIENT_INSTANTIATED and after that LWS_CALLBACK_WSI_DESTROY and in browser getting console error about not able to connect.
Firefox can’t establish a connection to the server at wss://192.168.4.254:7681/.
Please check the following server side code used for creating openSSL based web socket server.
struct lws_protocols WebSocketCommon::protocols[ 2 ] = { {"wss", WebSocketCommon::callback, 0, 0 },{ NULL, NULL, 0, 0 } };
int callback ( struct lws *wsi, enum lws_callback_reasons reason, void *user, void *in, size_t len ) {
switch ( reason ) {
case LWS_CALLBACK_SERVER_NEW_CLIENT_INSTANTIATED:
{
//code
break;
}
case LWS_CALLBACK_WSI_DESTROY:
{
//code
break;
}
case LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS: {
Log::d( m_r_logger, TAG, "LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS\n");
SSL_CTX_load_verify_locations( (SSL_CTX*) user, NULL, getenv(SSL_CERT_FILE_PATH) );
break;
}
default: {
break;
}
}
return lws_callback_http_dummy(wsi, reason, user, in, len);
}
void createContext (bool useSSL) {
struct lws_context_creation_info info;
memset( &info, 0, sizeof(struct lws_context_creation_info) );
info.port = 7681;
info.uid = -1;
info.gid = -1;
info.protocols = protocols;
info.mounts = &mount;
info.extensions = exts;
info.timeout_secs = 5;
info.ip_limit_ah = 24; /* for testing */
info.ip_limit_wsi = 400; /* for testing */
// Following options for openSSL certificate
if(useSSL){
info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT | LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT | LWS_SERVER_OPTION_DISABLE_IPV6 | LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED | LWS_SERVER_OPTION_IGNORE_MISSING_CERT;
info.ssl_cert_filepath = SSL_CERT_FILE_PATH;
info.ssl_private_key_filepath = SSL_PRIVATE_KEY_PATH;
}
fContext = lws_create_context( &info );
}
I am getting following logs while creating web socket context and accepting wss connection.
WebSocket.cpp:638...... :createContext ( ) - begin
WebSocket.cpp:640...... : createContext - fReferenceCount = 0
WebSocket.cpp:324...... : Creating Vhost 'default' port 7681, 1 protocols, IPv6 off
WebSocket.cpp:324...... : Using SSL mode
WebSocket.cpp:324...... : SSL ECDH curve 'prime256v1'
WebSocket.cpp:612...... : LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS
WebSocket.cpp:324...... : lws_tls_client_create_vhost_context: doing cert filepath /etc/nginx /ssl/mycert.crt
WebSocket.cpp:324...... : Loaded client cert /etc/nginx/ssl/mycert.crt
WebSocket.cpp:324...... : lws_tls_client_create_vhost_context: doing private key filepath
WebSocket.cpp:324...... : Loaded client cert private key /etc/nginx/ssl/mykey.key
WebSocket.cpp:324...... : created client ssl context for default
WebSocket.cpp:684...... : lws_create_context SUCCEEDED
WebSocket.cpp:759...... : start Starting Service Thread.
WebSocket.cpp:705...... : createContext - fReferenceCount = 1
WebSocket.cpp:706...... : createContext - end
Following is library versions I am using.
libwebsocket.so 13
OpenSSL 1.0.2o 27 Mar 2018
Please let me know what is going wrong ?

The problem is possibly not related to libwebsockets, but rather to do with Firefox being fussy about allowing connections to WSS that have a self signed certificate. Try to connect to your server from some other program, e.g., a simple python program.
related:
What is the problem with Websocket and Self-Signed SSL certificate
Firefox disconnects websockets connection for a self signed certificate

openssl SSL_get_verify_result returns error 20

I am writing a C++ program that connects using SSL. The certificate chain checks out using:
openssl verify -CAfile test.pem private.pem
where test.pem contains the intermediate and root certificate. My test program does not verify the certificate chain.
if ( !SSL_CTX_load_verify_locations( ctx, "c:/Certs/test.pem", NULL ) ) {
// Failure message and cleanup goes here.
}
SSL* ssl;
BIO* bio = BIO_new_ssl_connect( ctx );
BIO_get_ssl( bio, &ssl );
SSL_set_mode( ssl, SSL_MODE_AUTO_RETRY );
BIO_set_conn_hostname( bio, "url.com:https" );
if ( BIO_do_connect( bio ) <= 0 ) {
// Failure message and cleanup goes here.
}
if ( SSL_get_verify_result( ssl ) != X509_V_OK ){
// Here is where I get the error 20...
// Free all resources and exit.
}
OpenSSL documentation describes error 20 as:
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate.
The issuer certificate could not be found: this occurs if the issuer certificate of an
untrusted certificate cannot be found.
I need help identifying the problem and how to solve it. I am certain the certificates I have are correct.

It seems the certificate or certificate chain is not trusted.
You can load your own from a pem file before trying to connect by using:
int rc = SSL_CTX_load_verify_locations(ssl_context, file_name, NULL);
if (rc != 1) { // verify authentication result
g_warning("Load of certificates failed!: %s", X509_verify_cert_error_string(ERR_get_error()));
return FALSE;
}
Additionally you can load from memory directly.
With something like this:
char *chain_certs = "------- BEGIN CERTIFICAT...."; /// <<< YOUR CERTIFICATE CHAIN
// Load chain of certs
X509 *cacert=NULL;
BIO *mem = BIO_new_mem_buf(chain_certs,strlen(chain_certs));
X509_STORE *cert_store = SSL_CTX_get_cert_store(ssl_context);
if(cert_store!=NULL){
int index = 0;
while ((cacert = PEM_read_bio_X509(mem, NULL, 0, NULL))!=NULL) {
if(cacert) {
g_debug("Our certificate name is %s", cacert->name);
X509_STORE_add_cert(cert_store, cacert);
X509_free(cacert);
cacert=NULL;
} /* Free immediately */
index++;
}
}
BIO_free(mem);

winldap can't connect to openldap with ssl

os : win7 64bits
ldap server : openldap for windows 2.4.34
compiler : vc2008
I can query the data of the server by this command
ldapsearch -H ldaps://CS-GAMEBOY-PC -x -b dc=micmiu,dc=com -D cn=Manager,dc=micmiu,dc=com -w secret
But I can't query the data by the example codes of winldap(I remove most of the error handles and resource cleaning to simplify the codes)
#include <iostream>
#include <windows.h>
#include <winldap.h>
#include <winber.h>
int main()
{
char *LdapServer = "CS-GAMEBOY-PC";
LDAP *ldap = ldap_sslinitA(LdapServer, LDAP_SSL_PORT, 1);
unsigned long version = LDAP_VERSION3;
ldap_set_option(ldap,
LDAP_OPT_PROTOCOL_VERSION,
(void*)&version);
// If SSL is not enabled, enable it.
ldap_set_option(ldap, LDAP_OPT_SSL, LDAP_OPT_ON);
// Connect to the server.
unsigned long connectSuccess = ldap_connect(ldap, NULL);
if(connectSuccess == LDAP_SUCCESS){
std::cout<<"ldap_connect succeeded \n";
}else{
std::cout<<"ldap_connect failed with "<<ldap_err2string(connectSuccess)<<std::endl;
std::cout<<"error codes = 0x"<<std::hex<<connectSuccess<<std::endl;
return -1;
}
}
The ldap_connect fail and give me the error codes "0X51"
The server site give me the errors as
........
tls_read: want=5 error=Unknown error
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
........
tls_read: want=5 error=Unknown error
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS: can't accept: (unknown).
How should I fix this problem?

//
static bool VerifyCert(void/*LDAP* ld, PCCERT_CONTEXT pServerCert*/)
{
return true;
}
//
..
// Set the version to 3.0 (default is 2.0). and than ->
ldap_set_option(pLdapConnection, LDAP_OPT_SERVER_CERTIFICATE, &VerifyCert);
// Now you can Bind.
..