I'm writing a small program with the OpenSSL library that is supposed to establish a connection with an SSLv3 server. This server dispenses a self-signed certificate, which causes the handshake to fail with this message: "sslv3 alert handshake failure, self signed certificate in certificate chain."

Is there a way I can force the connection to proceed? I've tried calling SSL_CTX_set_verify like so:

SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);

But it does not seem to change anything.

Any suggestions?

A: 

Have you tried setting SSL_set_verify?

SSL_set_verify(s, SSL_VERIFY_NONE, NULL);
Xorlev
Tried, no change
Ramsey
More code would be nice at this point.
Xorlev
Thanks for the replies. I've tried all of your suggestions and still no luck. I've pasted key portions of the program here: http://pastebin.com/m78497bf3
Ramsey
Is the custom callback in your code being called? Does a breakpoint there get hit? Try with something other than verify none... It's probably best for you to add that code snippet to your original question so that everything is self-contained on here...
Len Holgate
A: 

Have you tried giving your app the server's CA certificate so that your app can verify the certificate chain?

ndim
A: 

You could try passing your own callback to SSL_set_verify() and then doing your own verification. It's less than ideal as I think you then need to do all of the verification and then allow the self signed error to be ignored, but you should be able to work out what the standard verify code does from the OpenSSL source and then simply pull it into your own verification callback and allow the specific error code...

Len Holgate
If you're going to accept self-signed certificates, then the rest of the verification steps are pointless anyway.
caf
caf - potentially, yes...
Len Holgate
+1  A: 

Check these OpenSSL Examples: http://www.rtfm.com/openssl-examples/

The wclient.c connects to any https page, for example:

wclient -h www.yahoo.com -p 443

If you run that with the default installation, you'll get a certificate error (you can use the -i flag to bypass the certificate check though).

To verify the certificate, you'll need to download the CA certificates (Verisign, Thawte, Equifax, etc), so google this file cacert.pem, download and rename it to root.pem and you'll be able to connect to a web server and validate its certificate.

Adriano P
Also, if you want to print the certificate, insert this line (in wclient.c) after the check_cert(ssl,host): X509_print_fp(stdout,SSL_get_peer_certificate(ssl));
Adriano P
A: 

My sample client code (link) works fine with self signed server cert. I have the below code after SSL_connect and have full control over self signed certificates acceptability in my client

#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

SSL_CTX* ctx = SSL_CTX_new(SSLv3_method());

// TCP connection and SSL handshake ...

/* Check the certificate. SSL_get_verify_result() returns the X509_V_* code
   from the chain verification done during the handshake. The handshake only
   reaches this point with a failed verification when the verify mode is
   SSL_VERIFY_NONE (the default); with SSL_VERIFY_PEER it aborts instead. */

long rc = SSL_get_verify_result(ssl);
if (rc != X509_V_OK) {
  if (rc == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT || rc == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) {
    /* self-signed: the client decides here whether to accept it */
    fprintf(stderr, "self signed certificate\n");
  }
  else {
    fprintf(stderr, "Certificate verification error: %ld\n", rc);
    SSL_CTX_free(ctx);
    return 0;
  }
}
bobah