Topic: Test Code to Connect and Verify Cert

[Migrated from SourceForge forums]


xangis
(2010-08-04 19:32:59 UTC)

I'm working on building a standalone test app based on the example code.  What I have so far is this:

// Headers needed for a standalone build. The helpers used below (SOCKET_T,
// tcp_connect, tcp_set_nonblocking, set_certs, showPeer, ClientError,
// NonBlockingSSL_Connect) come from yaSSL's testsuite header test.hpp;
// the include path is assumed.
#include "test.hpp"
#include <iostream>
#include <cstdio>
#include <cstdlib>
#include <cstring>

using std::cout;
using std::endl;

int client_test(int argc, char* argv[])
{
    int ret = 0;
    cout << "argc = " << argc << endl;
    for(int i = 0; i < argc; i++)
        cout << "argv[" << i << "] = " << argv[i] << endl;   // argv[i], not the argv pointer itself

    if( argc < 3 ) {
        cout << "Not enough arguments supplied.  Usage:  test <servername> <port>" << endl;
        return 0;
    }

#ifdef _WIN32
    WSADATA wsd;
    WSAStartup(0x0002, &wsd);
#endif

    SOCKET_T sockfd = 0;

    cout << "Calling tcp_connect()" << endl;
    int port = atoi(argv[2]);
    if( port <= 0 ) {
        // Print before returning; with the return first the message never ran.
        cout << "Invalid port supplied.  Must be a positive integer." << endl;
        return 0;
    }
    tcp_connect(sockfd, argv[1], port);
#ifdef NON_BLOCKING
    tcp_set_nonblocking(sockfd);
#endif

    cout << "Using TLSv1_client_method." << endl;
    SSL_METHOD* method = TLSv1_client_method();
    //printf("Using SSLv3_client_method.\n");
    //SSL_METHOD* method = SSLv3_client_method();
    SSL_CTX*    ctx = SSL_CTX_new(method);
    cout << "Setting certificates." << endl;
    set_certs(ctx);
    SSL* ssl = SSL_new(ctx);
    cout << "Setting SSL socket fd to " << sockfd << endl;
    SSL_set_fd(ssl, sockfd);
#ifdef NON_BLOCKING
    cout << "Calling NonBlockingSSL_Connect." << endl;
    NonBlockingSSL_Connect(ssl, ctx, sockfd);
#else
    // ret < 0 means the handshake failed; the code below still runs so that
    // showPeer() can print whatever certificate the server presented.
    ret = SSL_connect(ssl);
    cout << "SSL_connect return value: " << ret << endl;
#endif

    cout << "Showing peer info.\n" << endl;
    showPeer(ssl);

    // Build a ":"-separated list of the cipher suites offered, bounded by
    // the size of the buffer.
    const char* cipher = 0;
    int index = 0;
    char list[1024];
    strncpy(list, "cipherlist", sizeof(list));
    list[sizeof(list) - 1] = 0;
    while ( (cipher = SSL_get_cipher_list(ssl, index++)) ) {
        // stop before ":" + name would overflow list
        if (strlen(list) + 1 + strlen(cipher) >= sizeof(list))
            break;
        strcat(list, ":");
        strcat(list, cipher);
    }
    cout << list << endl;
    cout << "Using Cipher Suite: " << SSL_get_cipher(ssl) << endl;

    cout << "Sending hello with SSL_write." << endl;
    char msg[] = "hello yassl!";
    if (SSL_write(ssl, msg, sizeof(msg)) != sizeof(msg))
        ClientError(ctx, ssl, sockfd, "SSL_write failed");

    char reply[1024];
    cout << "Reading server response." << endl;
    // Leave one byte for the terminator written below.
    int input = SSL_read(ssl, reply, sizeof(reply) - 1);
    if (input > 0) {
        reply[input] = 0;
        printf("Server response: %s\n", reply);
    }

    cout << "SSL_shutdown." << endl;
    SSL_shutdown(ssl);
    cout << "SSL_free." << endl;
    SSL_free(ssl);
    cout << "tcp_close" << endl;
    tcp_close(sockfd);
    cout << "SSL_CTX_free" << endl;
    SSL_CTX_free(ctx);

    return 0;
}

Whether I run the application against another server on my network with a self-signed certificate, or against mail.google.com, which has a thawte certificate, I get the following result (1039 error from taocrypt):

argc = 3
argv[0] = test
argv[1] = 192.168.1.221
argv[2] = 5001
Calling tcp_connect()
Using hostname 192.168.1.221 port 5001
Calling connect().
Using TLSv1_client_method.
Setting certificates.
Setting SSL socket fd to 684
SSL_connect: Checking errors.
SSL_connect: CONNECT_BEGIN, sending client hello.
SSL_connect: CLIENT_HELLO_SENT, getting states.
SSL_connect: FIRST_REPLY_DONE.  Send verify.
SSL_connect: Sending client key exchange.
SSL_connect: Sending change cipher.
SSL_connect: Sending finished.
SSL_connect: Flushing buffer.
SSL_connect: FINISHED_DONE.  Getting resuming info.
SSL_connect: SECOND_REPLY_DONE.  Verifying state.
SSL_connect: Second reply done.  Calling ShowTCP.
Error: 1039, ThreadID: 3768
SSL_connect: Error, 1039 (1039) returning SSL_FATAL_ERROR.
SSL_connect return value: -1
Showing peer info.
peer's cert info:
 issuer : /C=US/ST=California/L=Mountain View/O=Authentic8/CN=Jay Sorg/emailAddress=jsorg@authentic8.com
 subject: /C=US/ST=California/L=Mountain View/O=Authentic8/CN=Jay Sorg/emailAddress=jsorg@authentic8.com
cipherlist:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:AES256-RMD:AES128-RMD:DES-CBC3-RMD:DHE-RSA-AES256-RMD:DHE-RSA-AES128-RMD:DHE-RSA-DES-CBC3-RMD:DHE-DSS-AES256-RMD:DHE-DSS-AES128-RMD:DHE-DSS-DES-CBC3-RMD:RC4-SHA:RC4-MD5:DES-CBC3-SHA:DES-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA
Using Cipher Suite: AES256-SHA
Sending hello with SSL_write.
yassl error: SSL_write failed

I see that the error 1039 corresponds to SIG_OTHER_E,  "Bad other signature confirmation", but don't see how it's generated (or how to prevent it from happening).  What should I look into or do differently?

Thank you,
Jason


touska
(2010-08-09 17:28:21 UTC)

You're getting the error 1039 because you haven't loaded the CA certificates to properly verify the server's certificate.  In the client example ca-cert.pem is loaded so that it can verify server-cert.pem.  You'll need to do the same for the sites you wish to connect to.  Please see the note at the top of the README file.
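The diagnosis in the reply above, reproduced as an added example that is not from the thread or from the yaSSL project, using the openssl command-line tool rather than yaSSL's API: a server presents a self-signed certificate, a client that trusts no CA fails verification (the counterpart of yaSSL's error 1039) and the same client with that certificate loaded as its CA file completes the handshake. It assumes openssl(1) is installed and that TCP port 14433 on 127.0.0.1 is free.

```shell
#!/bin/sh
# Added example (not from the thread or the yaSSL project). Shows that the
# only difference between a failed and a successful handshake against a
# self-signed server is whether the client has loaded the CA certificate.
# Assumptions: openssl(1) is installed, port $PORT on 127.0.0.1 is free.
set -eu

PORT=${PORT:-14433}
WORK=$(mktemp -d)
SERVER_PID=

cleanup() {
    if [ -n "$SERVER_PID" ]; then kill "$SERVER_PID" 2>/dev/null || true; fi
    rm -rf "$WORK"
}
trap cleanup EXIT

# 1. Throwaway self-signed certificate. For a self-signed server the same
#    file is both the server certificate and the CA the client must trust
#    (the role ca-cert.pem plays for server-cert.pem in the yaSSL example).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# 2. TLS server presenting that certificate; wait until it accepts connections.
openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
    -www >/dev/null 2>&1 &
SERVER_PID=$!
tries=0
until echo Q | openssl s_client -connect "127.0.0.1:$PORT" >/dev/null 2>&1; do
    tries=$((tries + 1))
    [ "$tries" -lt 50 ] || { echo "server did not start" >&2; exit 1; }
    sleep 0.2
done

# 3. Handshake helper: $1 is the CA file to trust (empty = trust no CA).
#    -verify_return_error makes s_client abort the handshake on a
#    verification failure instead of carrying on, which is what yaSSL does
#    when it reports error 1039. Prints "ok" or "fail".
tls_handshake() {
    ca_opt=""
    if [ -n "${1:-}" ]; then ca_opt="-CAfile $1"; fi
    if echo Q | openssl s_client -connect "127.0.0.1:$PORT" \
            -verify_return_error $ca_opt >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# 4. Same server, same certificate: only the client's trust store differs.
NO_CA_RESULT=$(tls_handshake "")
WITH_CA_RESULT=$(tls_handshake "$WORK/cert.pem")
echo "no CA loaded:           $NO_CA_RESULT"
echo "self-signed cert as CA: $WITH_CA_RESULT"
```

Run it with `sh` and the first line prints `fail`, the second `ok`. The equivalent fix in the posted client is to load the CA file into the context before `SSL_new`, through the OpenSSL-compatible call yaSSL provides, `SSL_CTX_load_verify_locations(ctx, "<path to ca-cert.pem>", 0)` (path is a placeholder), and to check the `SSL_connect` return value before attempting `SSL_write`.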