I am a new member of this forum.

Issue:

I have to integrate OpenSSL into my project. The project is implemented with gSOAP.

In "r = SSL_connect(soap->ssl)) <= 0)" the SSL_connect call is unable to make a connection to the server. Both server and client are on localhost.

I see the server is ready to accept connections, as I see the connection below established with the netstat command:

    TCP cspxppgudepu:15000 cspxppgudepu.com:0 LISTENING
    TCP cspxppgudepu:15000 localhost:2864 ESTABLISHED

Port 15000 above is the server's.

Below is the client connection:

    TCP cspxppgudepu:16000 cspxppgudepu.com:0 LISTENING

But SSL_connect is unable to connect. It always fails with return code -1 and error 2.

Without SSL, with a simple TCP connection, both ends are able to connect and communicate. Below are the network configuration settings for the case without SSL.

My network configuration settings for with openssl:

    <NetworkConfig> 
            <Server Location="https://127.0.0.1:15000" /> 
            <Client Location="https://127.0.0.1:16000" /> 

I have set both client and server authentication to false.

Thanks in advance. Pradeep Reddy.


An update,

SSL_connect is failing with SSL_ERROR_WANT_READ. I understand that the client is waiting on the server to write some data, but I don't understand what code to change on the server side.

Please let me know how to proceed from here.


SSL communication is working fine now if I give the root certificate cacert.pem on both server and client and authentication is set to true. Instead of giving the same root certificate cacert.pem, I have given clientcert.pem and servercert.pem in the soap_ssl_client_context() and soap_ssl_server_context() calls respectively. This time the handshake failed with the error below at the client side: "error:14090086:lib(20):func(144):reason(134)", and at the server side: "error:14094418:lib(20):func(148):reason(1048)".

But both the client certificate and the server certificate were generated from the root certificate "cacert.pem" with the commands below.

Commands:

    openssl x509 -req -in clientreq.pem -sha1 -extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial -out clientcert.pem -days 1095
    openssl x509 -req -in serverreq.pem -sha1 -extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial -out servercert.pem -days 1095

The error I understood as "error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca". But both certificates are from the same root CA cacert.pem. Please provide a fix if you have one. I could not edit the post, so I am posting this as an answer. Thanks, Pradeep.


2 Answers

0 votes

Firstly, you must establish the TCP connection before you call SSL_connect(). SSL_connect() just sets up the SSL session, and it expects that the file descriptor you set with SSL_set_fd() is already connected to the other side.

Secondly, you must call SSL_accept() on the server side (again, after the underlying TCP connection has already been set up).

0 votes

Did you set the CA as trusted in your client code with:

    int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath);

You can find out how to use that function in the OpenSSL documentation; it's pretty straightforward:

http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html
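The "unknown ca" update in the question and this answer point at the same thing: the file handed over as the CA has to be the root that issued the peer's certificate, not the peer's own leaf. The script below is an added example, not code from the original post or from gSOAP or OpenSSL. It rebuilds the post's setup (one root CA signing a server and a client certificate, via the same `openssl x509 -req -CA ... -CAkey ...` shape), then uses `openssl verify` to show that cacert.pem validates both leaves while servercert.pem used as the CA file fails exactly the way the post describes. File names, subjects, the private config file, and port 15000 are assumptions for this demo.

```sh
#!/bin/sh
# Added example, not code from the original post or from gSOAP/OpenSSL.
# Rebuilds the post's PKI (one root CA, one server leaf, one client leaf)
# and shows which file works as a trust anchor. File names, subjects and
# the port are assumptions for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"

# Private OpenSSL config so the demo does not depend on the system
# openssl.cnf (the post's "-extensions usr_cert" names a section of that
# file). The two leaves get role-specific extensions instead.
cat >"$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:127.0.0.1, DNS:localhost

[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

make_pki() {
  # Root CA: self-signed, CA:TRUE. In real deployments keep ca.key offline.
  # (Drop the 2>/dev/null redirections to see OpenSSL's progress output.)
  openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj '/O=Example/CN=Example Root CA' -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" 2>/dev/null

  # One CSR per role, signed by the CA: same shape as the post's
  # "openssl x509 -req ... -CA ... -CAkey ... -CAcreateserial" commands,
  # but with SHA-256 and a per-role extension section.
  for role in server client; do
    openssl req -config "$CNF" -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/O=Example/CN=$role.localhost" \
      -keyout "$WORK/$role.key" -out "$WORK/${role}req.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/${role}req.pem" -sha256 -days 365 \
      -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
      -extfile "$CNF" -extensions "${role}_cert" \
      -out "$WORK/${role}cert.pem" 2>/dev/null
  done
}

# verify_leaf CAFILE LEAF PURPOSE: does LEAF chain to the anchor in CAFILE
# and fit PURPOSE (sslserver or sslclient)? Prints "ok" or "fail".
verify_leaf() {
  if openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# The post's failing configuration: the peer's leaf handed over as the CA
# file. A leaf cannot anchor a sibling leaf, so chain building stops at
# depth 0 ("unable to get local issuer certificate"); in a live handshake
# the verifying side then sends the "unknown ca" alert quoted in the post.
show_misconfig() {
  openssl verify -CAfile "$WORK/servercert.pem" "$WORK/clientcert.pem" 2>&1 || true
}

# Optional end-to-end check with mutual authentication on the post's server
# port, both sides trusting cacert.pem. Needs a free local port, so opt in
# with RUN_HANDSHAKE=1.
demo_handshake() {
  openssl s_server -accept 15000 -cert "$WORK/servercert.pem" -key "$WORK/server.key" \
    -CAfile "$WORK/cacert.pem" -Verify 1 -www >/dev/null 2>&1 &
  srv=$!
  sleep 1
  openssl s_client -connect 127.0.0.1:15000 -cert "$WORK/clientcert.pem" -key "$WORK/client.key" \
    -CAfile "$WORK/cacert.pem" -verify_return_error </dev/null 2>&1 | grep 'Verify return code'
  kill "$srv"
}

make_pki
echo "server cert vs cacert.pem (sslserver): $(verify_leaf "$WORK/cacert.pem" "$WORK/servercert.pem" sslserver)"
echo "client cert vs cacert.pem (sslclient): $(verify_leaf "$WORK/cacert.pem" "$WORK/clientcert.pem" sslclient)"
echo "client cert vs servercert.pem as CA:   $(verify_leaf "$WORK/servercert.pem" "$WORK/clientcert.pem" sslclient)"
show_misconfig
# Decode the two error codes quoted in the post (client side, server side).
openssl errstr 14090086 14094418
if [ "${RUN_HANDSHAKE:-0}" = 1 ]; then demo_handshake; fi
```

For the gSOAP calls in the question this means: the cafile argument of soap_ssl_client_context() and soap_ssl_server_context() is the trust anchor, so it should be cacert.pem on both sides, while each side's own leaf certificate and private key go in its keyfile argument. Passing the other side's leaf as the CA is exactly the setup that produces the alert. The client-side code 14090086 from the post decodes to "certificate verify failed" (SSL reason 134), the client's view of that same failed chain build; `openssl errstr` decodes such codes without guessing.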