OpenSSL needs to use CA bundle file (intermediate cert) - C++

I just purchased an SSL certificate from Go Daddy.
Great price, but it seems that it has a drawback.
It seems to need the bundle.crt in order to work correctly on most browsers.
I'm not yet really sure what it is; from what I understand it is an intermediate certificate from the Certificate Authority. Correct me if I'm wrong.
So in my software I have OpenSSL:
SSL_CTX_set_default_passwd_cb(SSL_ctx, pem_passwd_cb);                 // passphrase callback for the encrypted key
SSL_CTX_use_PrivateKey_file(SSL_ctx, _private_key, SSL_FILETYPE_PEM);
SSL_CTX_use_certificate_file(SSL_ctx, _certificate, SSL_FILETYPE_PEM);  // leaf certificate
SSL_CTX_use_certificate_chain_file(SSL_ctx, "./ssl_key/bundle.pem");   // first cert in this file replaces the one loaded above
SSL_CTX_set_session_cache_mode(SSL_ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL);
SSL_CTX_set_quiet_shutdown(SSL_ctx, 1);
The error I get is:
You didn't run init properly or an error occurred.
With the last certs (GeoTrust) I didn't need the intermediate bundle; I'm really lost here.
Since SSL_CTX_use_certificate_chain_file accepts only PEM files, I have converted the bundle.crt file to PEM using openssl.
Any idea?
Thanks!
EDIT 1:
Apparently the intermediate certificate must be in the /etc/ssl/certs folder.
I have put every intermediate certificate from Go Daddy in this folder, and still no luck...
I have removed the line
SSL_CTX_use_certificate_chain_file(SSL_ctx, "./ssl_key/bundle.pem");
which seems to be of no use for me here...

Okay, after testing one million things I finally found out.
I didn't convert the bundle.crt into PEM.
I pasted the certificate file directly into the bundle.crt (at the beginning of the file).
I removed this line from my code:
SSL_CTX_use_certificate_file(SSL_ctx, _certificate, SSL_FILETYPE_PEM);
So here's the final code for SSL init:
SSL_CTX_set_default_passwd_cb(SSL_ctx, pem_passwd_cb);                 // passphrase callback for the encrypted key
SSL_CTX_use_PrivateKey_file(SSL_ctx, _private_key, SSL_FILETYPE_PEM);
SSL_CTX_use_certificate_chain_file(SSL_ctx, "./ssl_key/bundle.crt");   // leaf certificate first, then the intermediates
SSL_CTX_set_session_cache_mode(SSL_ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL);
SSL_CTX_set_quiet_shutdown(SSL_ctx, 1);
Hope this helps someone and saves them a lot of time (1 full day for me ;-))
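An added check (example code, not from the original post and not OpenSSL's own) that inspects a PEM bundle the way SSL_CTX_use_certificate_chain_file reads it: leaf certificate first, each certificate followed by its issuer, and no self-signed root at the end. It uses only the Python standard library and a minimal DER reader; subject_issuer works on real certificates, while sample_cert_pem builds constructed, unsigned certificate-shaped data so the example runs offline.

```python
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def subject_issuer(der):
    """Return (subject, issuer) as raw DER Name bytes from a DER-encoded certificate."""
    _, cert, _ = _tlv(der)                             # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert)                             # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        if tag != 0xA0:                                # skip the [0] EXPLICIT version
            fields.append(val)
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[4], fields[2]

def chain_order_problems(pem_text):
    """Check a PEM bundle in the order SSL_CTX_use_certificate_chain_file reads it."""
    certs = [subject_issuer(ssl.PEM_cert_to_DER_cert(b)) for b in PEM_BLOCK.findall(pem_text)]
    if not certs:
        return ["no certificate blocks found"]
    problems = [f"certificate {i + 1} is not issued by certificate {i + 2}"
                for i in range(len(certs) - 1) if certs[i][1] != certs[i + 1][0]]
    if certs[-1][0] == certs[-1][1]:
        problems.append("last certificate is self-signed: the root should not be in the chain file")
    return problems

def _der(tag, body):
    """Minimal DER encoder, only used to build the constructed sample data below."""
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def sample_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned certificate-shaped PEM (sample data only, not a real cert)."""
    def name(cn):                                      # Name ::= SEQUENCE OF SET OF (CN=cn)
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))
    return ssl.DER_cert_to_PEM_cert(_der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00")))
```

Run chain_order_problems(open("bundle.crt").read()) on a real bundle; an empty list means the file is ordered as the server expects.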

Related

How to correctly read X509 trusted CA in PEM format using openssl

I'm having issues trying to read a certificate list. The code I have now is
UniqueSsl<BIO> trustedCertificatesBio(BIO_new_mem_buf(trustedCertificates.c_str(), trustedCertificates.size()));
UniqueSsl<X509> tmpCert;
while ( tmpCert = UniqueSsl<X509>(PEM_read_bio_X509_AUX(trustedCertificatesBio.get(), nullptr, nullptr, nullptr)) )
{
X509_STORE_add_cert(trustedStore.get(), tmpCert.get());
}
if (ERR_GET_REASON(ERR_peek_last_error()) != PEM_R_NO_START_LINE)
{
captureOpensslErrorAndThrow("Failed to add certificate to the trusted X509_STORE");
}
Remarks: UniqueSsl and captureOpensslErrorAndThrow are just a helper template/method. They don't mean anything here.
Well, the code is quite simple. I'm just looping through all the certificates inside trustedCertificatesBio and trying to add them to the trusted store.
This code was working in production for a long, long time and yesterday it stopped. The final value was always returning PEM_R_NO_START_LINE, meaning that we reached the EOF.
Since yesterday, one of my clients always gets the value 0 (which normally means no error) on the final certificate.
This begs a question: is the loop right above correct? Should I check the reason inside the loop, or do I need to expect zero as a possible return value for success?
What is the correct way of adding certificates into the Trusted Store?
Thanks!

SetSslClientCertPfx does not allow change of file location

I am using Chilkat ActiveX to access a web service secured with X.509.
SetSslClientCertPfx("pfxfilewithpath","password")
It works fine with the pfx file in the location I used it first.
If I copy it to another path it does not work anymore (error 109), even after a PC reboot or renaming.
Any chance to get this to work?
Thanks in advance
tom
Using locert.LoadByCommonName("certname") and SetSslClientCert(locert) works, but I would prefer to use SetSslClientCertPfx().
Examine the contents of the httpObject.LastErrorText property after calling httpObject.SetSslClientCertPfx (assuming this is for HTTP).

Using file.managed for downloading a file in Salt

salt.states.file.managed takes source_hash as an argument to verify a downloaded file. This blocks me from using file.managed for a file on an online server I don't have control over. The file also changes regularly. My configuration looks like this:
download_stuff:
  file.managed:
    - name: localfile.tar.gz
    - source: http://someserver.net/onlinefile.tar.gz
    - source_hash: ???
I don't want to use cmd.run with curl or wget because this would always download the file, even when it's already on the local machine.
I would like to know if one of the options below is possible/exists:
Online md5 calculation service. Is there any way of getting an md5 hash of the file, using a free web service? I'm thinking of something like http://md5service.net?url={url-to-file}.
Salt-internal conversion or workaround. Is it possible to handle this in Salt? Maybe by leaving out source_hash somehow?
Alternative state. Is there another state in Salt for doing something like this, without losing the benefit of only downloading the file when needed?
If you can't control the other server, please make sure that you can trust it to download its content. Not using a hash will prevent you from detecting partial or corrupted downloads. There's also no way to work with a file that has changed on the remote server.
Nevertheless, you could use a state like this to circumvent the hashcode. The creates part will prevent a second download once the file has been downloaded:
bootstrap:
  cmd.run:
    - name: curl -L https://bootstrap.saltstack.com -o /etc/salt/cloud.deploy.d/bootstrap-salt.sh
    - creates: /etc/salt/cloud.deploy.d/bootstrap-salt.sh
Downloading a file with file.managed can be done since version 2016.3.0, even if you don't have access to the hash, by adding skip_verify: True. For the example given, it would be:
download_stuff:
  file.managed:
    - name: localfile.tar.gz
    - source: http://someserver.net/onlinefile.tar.gz
    - skip_verify: True
From the docs:
If True, hash verification of remote file sources (http://, https://, ftp://) will be skipped, and the source_hash argument will be ignored.

Why are my files smaller after I FTP them using this Python program?

I'm trying to send some files (a zip and a Word doc) to a directory on a server using ftplib. I have the broad strokes sorted out:
import ftplib

session = ftplib.FTP('ftp.server', 'user', 'pass')
filewpt = open(file, 'rb')    # 'rb': storbinary reads raw bytes, so the file must be opened in binary mode
readfile = open(file, 'rb')
session.cwd('new/work/directory')
session.storbinary('STOR filename.zip', filewpt)
session.storbinary('STOR readme.doc', readfile)
print("filename.zip and readme.doc were sent to the folder on ftp")
readfile.close()
filewpt.close()
session.quit()
This may provide someone else with what they are after, but not me. I have been using FileZilla as a check to make sure the files were transferred. When I see they have made it to the server, I see that they are both way smaller, or even zero K for the readme.doc file. Now I'm guessing this has something to do with the fact that I stored the file in 'binary transfer mode' <--- whatever that means.
This is where my problems lie. I have no idea at all (yet) what is meant by binary transfer mode. Is it simply that I have to use retrbinary to return the files to their original state?
Could someone please explain to me like I'm a two year old what has happened to my files? If there's any more info required, please let me know.
This is a fantastic resource. It solved most of my problems. Still trying to work out the intricacies of FTP, but I guess I will save that for another day. The link below builds a function to effortlessly upload files to an FTP server without the partial upload problem that I've seen experienced by more than one Stack Exchanger.
http://effbot.org/librarybook/ftplib.htm
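An added example (not from the original post or the linked page) of the check a practitioner wants after an upload like the one above: open the local file in binary mode, send it with storbinary, then compare the size the server reports against the local size so a truncated transfer is caught instead of discovered later in FileZilla. FakeFtpSession is a constructed stand-in for ftplib.FTP so the example runs offline; upload_and_verify works unchanged with a real ftplib.FTP session.

```python
import ftplib
import os
import tempfile

def upload_and_verify(session, local_path, remote_name):
    """Upload local_path in binary mode and confirm the server stored every byte.

    session is any object with the ftplib.FTP methods storbinary() and size().
    Returns (local_size, remote_size); raises ftplib.Error if they differ.
    """
    local_size = os.path.getsize(local_path)
    # 'rb' matters: on Windows a text-mode handle translates line endings and
    # treats byte 0x1A as end-of-file, which is how a .zip or .doc arrives smaller.
    with open(local_path, "rb") as fh:
        session.storbinary("STOR " + remote_name, fh)
    remote_size = session.size(remote_name)       # FTP SIZE command
    if remote_size != local_size:
        raise ftplib.Error(f"{remote_name}: sent {local_size} bytes, server has {remote_size}")
    return local_size, remote_size

class FakeFtpSession:
    """Constructed in-memory stand-in for ftplib.FTP; drop_after simulates a truncated transfer."""
    def __init__(self, drop_after=None):
        self.files = {}
        self.drop_after = drop_after
    def storbinary(self, cmd, fp, blocksize=8192):
        name = cmd.split(" ", 1)[1]
        data = fp.read()
        self.files[name] = data if self.drop_after is None else data[:self.drop_after]
        return "226 Transfer complete"
    def size(self, name):
        return len(self.files[name])

def demo(payload=b"PK\x03\x04" + bytes(range(256)) * 4, drop_after=None):
    """Write a constructed sample file (1028 bytes by default), upload it, verify it."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(payload)
    try:
        return upload_and_verify(FakeFtpSession(drop_after), tmp.name, "filename.zip")
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    print(demo())                                 # (1028, 1028)
```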

Verify digital signature within system32/drivers folder

I've spent all night researching this without a solution.
I'm trying to verify the digital signature of a file in the drivers folder (C:\Windows\System32\drivers\*.sys), pick whichever one you want. I know that the code is correct because if you move the file from that folder to C:\ the test works.
WinVerifyTrust gives error 80092003
http://pastebin.com/nLR7rvZe
CryptQueryObject gives error 80092009
http://pastebin.com/45Ra6eL4
What's the deal?
0x80092003 = CRYPT_E_FILE_ERROR = An error occurred while reading or writing to the file.
0x80092009 = CRYPT_E_NO_MATCH = No match when trying to find the object.
I'm guessing you're running on a 64-bit machine and WOW64 file system redirection is redirecting you to syswow64\drivers, which is empty. You can disable redirection with Wow64DisableWow64FsRedirection().
If you right-click and view the properties of the file, can you see a digital signature? Most likely your file is part of a catalogue and you need to use the catalogue API to extract the cert from the cert DB and verify it.