I have created simple SSL client server program and in that program I am using self signed certificate which are created with my own local CA according to the help on https://help.ubuntu.com/community/OpenSSL
So I have my CA certificate and private key. Server certificate signed by my CA and Serve private key. Client certificate signed by my CA and Client private key.
Now following is the code part of client server program which shows the loading of certificate and SSL handshake.
Server:
SSL_library_init();
ctx = InitServerCTX(); /* initialize SSL */
LoadCertificates(ctx, "server_crt.pem", "server_key.pem"); /* load certs */
SSL_CTX_load_verify_locations(ctx, "cacert.pem", NULL);
//SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, 0);
SSL_CTX_set_verify_depth(ctx, 1);
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file("cacert.pem"));
server = OpenListener(atoi(portnum)); /* create server socket */
while (1)
{
struct sockaddr_in addr;
int len = sizeof(addr);
SSL *ssl;
int client = accept(server, (struct sockaddr*) &addr, &len); /* accept connection as usual */
printf("Connection: %s:%d\n", inet_ntoa(addr.sin_addr), ntohs(addr.sin_port));
ssl = SSL_new(ctx); /* get new SSL state with context */
SSL_set_fd(ssl, client); /* set connection socket to SSL state */
Servlet(ssl); /* service connection */
}
Client:
SSL_library_init();
ctx = InitCTX();
LoadCertificates(ctx, "client_crt.pem", "client_key.pem"); /* load certs */
SSL_CTX_load_verify_locations(ctx, "cacert.pem", NULL);
SSL_CTX_set_verify_depth(ctx, 1);
server = OpenConnection(hostname, atoi(portnum));
ssl = SSL_new(ctx); /* create new SSL connection state */
SSL_set_fd(ssl, server); /* attach the socket descriptor */
if (SSL_connect(ssl) != 1) /* perform the connection */
ERR_print_errors_fp(stderr);
else
{
char *msg = "This is Darshan";
printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
ShowCerts(ssl); /* get any certs */
SSL_write(ssl, msg, strlen(msg)); /* encrypt & send message */
bytes = SSL_read(ssl, buf, sizeof(buf)); /* get reply & decrypt */
buf[bytes] = 0;
printf("Received: \"%s\"\n", buf);
SSL_free(ssl); /* release connection state */
}
Now when I run this programs I get error like below in Client:
3073476808:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1248:SSL alert number 43
Why I am getting this error ? My certificates are ok and both client and server certificates are signed by my CA. Please help me in finding error.
Certificate of Client:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=My Root Certificate Authority, ST=somestate, C=IN/[email protected], O=XYZ Ltd., OU=Department
Validity
Not Before: Jan 18 07:50:30 2013 GMT
Not After : Jan 17 07:50:30 2018 GMT
Subject: CN=localhost, ST=somestate, C=IN/[email protected], O=ABC Ltd., OU=Software Department
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c1:1e:ea:56:d9:44:05:28:cb:4e:cd:85:88:9a:
8e:8d:77:d7:80:92:7c:b5:20:89:31:45:2a:73:72:
5d:d2:01:3c:1d:18:2e:c2:72:56:4d:84:f4:21:ae:
55:d6:b5:5c:58:9a:3b:48:2c:9e:05:a4:ee:af:b7:
f4:42:ef:54:9c:a1:bc:a9:b5:53:dc:69:90:d2:df:
c0:e0:09:d5:e4:d4:08:a8:f2:76:1b:c5:0d:c9:13:
eb:ba:76:09:a2:67:38:cc:d8:6d:44:51:78:39:03:
b4:a4:a1:73:ec:d4:7d:c3:06:4b:64:6b:f7:14:d3:
1c:c9:e4:db:cc:82:5c:94:fb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:www.example.com
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Signature Algorithm: md5WithRSAEncryption
ba:76:2c:2a:15:f3:98:32:86:60:dc:2a:a9:a6:a8:ca:e6:a7:
74:d8:8f:0e:b2:ad:00:ef:fc:13:74:26:75:12:fa:af:4f:55:
61:75:34:77:8c:37:b9:58:ab:ee:71:9b:6d:3c:10:ab:f0:20:
73:89:7c:5c:e2:df:82:21:96:b4:91:5a:9b:f8:10:6a:4b:01:
06:7e:b6:26:bc:c1:80:21:85:d9:7f:0b:56:a3:89:5e:e1:f4:
31:d1:c9:be:a3:39:d5:51:0a:3e:b9:27:fb:82:5f:d1:24:40:
f0:84:a4:f9:bc:23:11:fb:65:ad:d5:bc:2e:23:a0:5c:0f:58:
a5:8b:38:f6:0c:52:65:f1:84:29:be:dd:77:73:2b:3c:b6:4c:
4e:87:3f:38:45:48:b2:50:24:7a:06:fe:ac:79:bf:04:88:d6:
5d:4b:38:f9:25:90:c9:e4:d6:7d:6b:1c:9a:78:10:5a:42:43:
8d:26:08:6e:f9:34:e1:8f:2f:bb:33:d5:96:b6:2a:35:75:c1:
e5:f2:b9:3d:8a:0d:49:e8:00:3c:08:03:5a:97:e2:79:4b:1a:
9c:98:5c:ba:8b:5b:44:5c:a3:0e:6f:d5:af:5a:9e:88:4e:2e:
fe:91:ae:95:83:75:68:71:04:e5:99:1b:3e:bc:a6:cf:84:2f:
98:78:25:33
-----BEGIN CERTIFICATE----- MIIDiDCCAnCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBtzEsMCoGA1UEAxMjSW52 aXhpdW0gUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxEDAOBgNVBAgTB0d1amFy YXQxCzAJBgNVBAYTAklOMSYwJAYJKoZIhvcNAQkBFhdkcHJhamFwYXRpQGludml4 aXVtLmNvbTEiMCAGA1UEChMZSW52aXhpdW0gQWNjZXNzIFB2dC4gTHRkLjEcMBoG A1UECxMTRW1iZWRkZWQgRGVwYXJ0bWVudDAeFw0xMzAxMTgwNzUwMzBaFw0xODAx MTcwNzUwMzBaMIGbMRAwDgYDVQQDEwdpeG0ud2ViMRAwDgYDVQQIEwdHdWphcmF0 MQswCQYDVQQGEwJJTjEmMCQGCSqGSIb3DQEJARYXZHByYWphcGF0aUBpbnZpeGl1 bS5jb20xIjAgBgNVBAoTGUludml4aXVtIEFjY2VzcyBQdnQuIEx0ZC4xHDAaBgNV BAsTE1NvZnR3YXJlIERlcGFydG1lbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ AoGBAMEe6lbZRAUoy07NhYiajo1314CSfLUgiTFFKnNyXdIBPB0YLsJyVk2E9CGu Vda1XFiaO0gsngWk7q+39ELvVJyhvKm1U9xpkNLfwOAJ1eTUCKjydhvFDckT67p2 CaJnOMzYbURReDkDtKShc+zUfcMGS2Rr9xTTHMnk28yCXJT7AgMBAAGjPTA7MBsG A1UdEQQUMBKCEHd3dy5pbnZpeGl1bS5jb20wCQYDVR0TBAIwADARBglghkgBhvhC AQEEBAMCBkAwDQYJKoZIhvcNAQEEBQADggEBALp2LCoV85gyhmDcKqmmqMrmp3TY jw6yrQDv/BN0JnUS+q9PVWF1NHeMN7lYq+5xm208EKvwIHOJfFzi34IhlrSRWpv4 EGpLAQZ+tia8wYAhhdl/C1ajiV7h9DHRyb6jOdVRCj65J/uCX9EkQPCEpPm8IxH7 Za3VvC4joFwPWKWLOPYMUmXxhCm+3XdzKzy2TE6HPzhFSLJQJHoG/qx5vwSI1l1L OPklkMnk1n1rHJp4EFpCQ40mCG75NOGPL7sz1Za2KjV1weXyuT2KDUnoADwIA1qX 4nlLGpyYXLqLW0Rcow5v1a9anohOLv6RrpWDdWhxBOWZGz68ps+EL5h4JTM= -----END CERTIFICATE-----
Client conf file:
#
example.cnf
#
[ req ] prompt = no distinguished_name = server_distinguished_name
[ server_distinguished_name ] commonName = abc.com stateOrProvinceName = NC countryName = US emailAddress = [email protected] organizationName = My Organization Name organizationalUnitName = Subunit of My Large Organization