OpenSSL Ignore Self-signed certificate error

2019-04-05 11:00发布

站内问答 / C++
694 6 4

I'm writing a small program with the OpenSSL library that is suppose to establish a connection with an SSLv3 server. This server dispenses a self-signed certificate, which causes the handshake to fail with this message: "sslv3 alert handshake failure, self signed certificate in certificate chain."

Is there a way I can force the connection to proceed? I've tried calling SSL_CTX_set_verify like so:

SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);

But it does not seem to change anything.

Any suggestions?

6条回答
兄弟一词,经得起流年.
2楼-- · 2019-04-05 11:42

Check these OpenSSL Examples: http://www.rtfm.com/openssl-examples/

The wclient.c connects to any https page, for example:

wclient -h www.yahoo.com -p 443

If you run that with the default installation, you'll get a certificate error (you can use the -i flag to bypass the certificate check though).

To verify the certificate, you'll need to download the CA certificates (Verisign, Thawte, Equifax, etc), so google this file cacert.pem, download and rename it to root.pem and you'll be able to connect to a web server and validate its certificate.

查看更多
0人赞 添加讨论(0) 举报
做自己的国王
3楼-- · 2019-04-05 11:44

Have you tried giving your app the server's CA certificate so that your app can verify the certificate chain?

查看更多
0人赞 添加讨论(0) 举报
戒情不戒烟
4楼-- · 2019-04-05 11:45

By default OpenSSL walks the certificate chain and tries to verify on each step, SSL_set_verify() does not change that, see tha man page. Quoting it:

The actual verification procedure is performed either using the built-in verification procedure or using another application provided verification function set with SSL_CTX_set_cert_verify_callback(3).

So the solution is to create a simple callback and set that one, so that you override all certificate-chain walking:

static int always_true_callback(X509_STORE_CTX *ctx, void *arg)
{
    return 1;
}

SSL_CTX_set_cert_verify_callback(CTX, always_true_callback);
查看更多
0人赞 添加讨论(0) 举报
老娘就宠你
5楼-- · 2019-04-05 11:46

Have you tried setting SSL_set_verify?

SSL_set_verify(s, SSL_VERIFY_NONE, NULL);
查看更多
0人赞 添加讨论(0) 举报
我欲成王,谁敢阻挡
6楼-- · 2019-04-05 11:58

My sample client code (link) works fine with self signed server cert. I have the below code after SSL_connect and have full control over self signed certificates acceptability in my client

SSL_CTX* ctx = SSL_CTX_new(SSLv3_method());

// TCP connection and SSL handshake ...

/* Check the certificate */

rc = SSL_get_verify_result(ssl);
if(rc != X509_V_OK) {
  if (rc == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT || rc == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) {
    fprintf(stderr, "self signed certificate\n");
  }
  else {
    fprintf(stderr, "Certificate verification error: %ld\n", SSL_get_verify_result(ssl));
    SSL_CTX_free(ctx);
    return 0;
  }
}
查看更多
0人赞 添加讨论(0) 举报
疯言疯语
7楼-- · 2019-04-05 11:59

You could try passing your own callback to SSL_set_verify() and then doing your own verification. It's less than ideal as I think you then need to do all of the verification and then allow the self signed error to be ignored, but you should be able to work out what the standard verify code does from the OpenSSL source and then simply pull it into your own verification callback and allow the specific error code...

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)