Test Code to Connect and Verify Cert

Xangis
2010-08-04
2013-04-23
  • Xangis
    2010-08-04

    I'm working on building a standalone test app based on the example code. What I have so far is this:

    // Includes are not in the original post and are assumed here: yaSSL's
    // OpenSSL-compatible header plus the testsuite helpers (tcp_connect,
    // set_certs, showPeer, ClientError, NonBlockingSSL_Connect). Adjust the
    // paths to your tree.
    #include <iostream>
    #include <string>
    #include <cstdlib>
    #include "openssl/ssl.h"
    #include "test.hpp"

    using namespace std;

    int client_test(int argc, char* argv[])
    {
        int ret = 0;
        cout << "argc = " << argc << endl;
        for (int i = 0; i < argc; i++)
            cout << "argv[" << i << "] = " << argv[i] << endl;
        if (argc < 3) {
            cout << "Not enough arguments supplied. Usage: test <servername> <port>" << endl;
            return 0;
        }
    #ifdef _WIN32
        WSADATA wsd;
        WSAStartup(0x0002, &wsd);
    #endif
        SOCKET_T sockfd = 0;
        int port = atoi(argv[2]);
        if (port <= 0) {
            // Print the message before returning; the original returned first,
            // so the message was dead code.
            cout << "Invalid port supplied. Must be a positive integer." << endl;
            return 0;
        }
        cout << "Calling tcp_connect()" << endl;
        tcp_connect(sockfd, argv[1], port);
    #ifdef NON_BLOCKING
        tcp_set_nonblocking(sockfd);
    #endif
        cout << "Using TLSv1_client_method." << endl;
        SSL_METHOD* method = TLSv1_client_method();
        //cout << "Using SSLv3_client_method." << endl;
        //SSL_METHOD* method = SSLv3_client_method();
        SSL_CTX* ctx = SSL_CTX_new(method);
        cout << "Setting certificates." << endl;
        set_certs(ctx);
        SSL* ssl = SSL_new(ctx);
        cout << "Setting SSL socket fd to " << sockfd << endl;
        SSL_set_fd(ssl, sockfd);
    #ifdef NON_BLOCKING
        cout << "Calling NonBlockingSSL_Connect." << endl;
        NonBlockingSSL_Connect(ssl, ctx, sockfd);
    #else
        ret = SSL_connect(ssl);
        cout << "SSL_connect return value: " << ret << endl;
        // Anything other than 1 means the handshake failed: nothing has been
        // authenticated or encrypted, so do not go on to SSL_write/SSL_read.
        if (ret != 1)
            ClientError(ctx, ssl, sockfd, "SSL_connect failed");
    #endif
        cout << "Showing peer info." << endl;
        showPeer(ssl);
        // Build the cipher list in a std::string rather than a fixed
        // char[1024] that strncat could overrun.
        string list = "cipherlist";
        const char* cipher = 0;
        int index = 0;
        while ((cipher = SSL_get_cipher_list(ssl, index++))) {
            list += ':';
            list += cipher;
        }
        cout << list << endl;
        cout << "Using Cipher Suite: " << SSL_get_cipher(ssl) << endl;
        cout << "Sending hello with SSL_write." << endl;
        char msg[] = "hello yassl!";
        if (SSL_write(ssl, msg, sizeof(msg)) != sizeof(msg))
            ClientError(ctx, ssl, sockfd, "SSL_write failed");
        char reply[1024];
        cout << "Reading server response." << endl;
        // Leave room for the terminator: reading sizeof(reply) bytes and then
        // writing reply[input] = 0 would write one byte past the array.
        int input = SSL_read(ssl, reply, sizeof(reply) - 1);
        if (input > 0) {
            reply[input] = 0;
            cout << "Server response: " << reply << endl;
        }
        cout << "SSL_shutdown." << endl;
        SSL_shutdown(ssl);
        cout << "SSL_free." << endl;
        SSL_free(ssl);
        cout << "tcp_close" << endl;
        tcp_close(sockfd);
        cout << "SSL_CTX_free" << endl;
        SSL_CTX_free(ctx);
        return 0;
    }


    Whether I run the application against another server on my network with a self-signed certificate, or against mail.google.com, which has a thawte certificate, I get the following result (1039 error from taocrypt):

    argc = 3
    argv[0] = test
    argv[1] = 192.168.1.221
    argv[2] = 5001
    Calling tcp_connect()
    Using hostname 192.168.1.221 port 5001
    Calling connect().
    Using TLSv1_client_method.
    Setting certificates.
    Setting SSL socket fd to 684
    SSL_connect: Checking errors.
    SSL_connect: CONNECT_BEGIN, sending client hello.
    SSL_connect: CLIENT_HELLO_SENT, getting states.
    SSL_connect: FIRST_REPLY_DONE.  Send verify.
    SSL_connect: Sending client key exchange.
    SSL_connect: Sending change cipher.
    SSL_connect: Sending finished.
    SSL_connect: Flushing buffer.
    SSL_connect: FINISHED_DONE.  Getting resuming info.
    SSL_connect: SECOND_REPLY_DONE.  Verifying state.
    SSL_connect: Second reply done.  Calling ShowTCP.
    Error: 1039, ThreadID: 3768
    SSL_connect: Error, 1039 (1039) returning SSL_FATAL_ERROR.
    SSL_connect return value: -1
    Showing peer info.
    peer's cert info:
    issuer : /C=US/ST=California/L=Mountain View/O=Authentic8/CN=Jay Sorg/emailAddress=jsorg@authentic8.com
    subject: /C=US/ST=California/L=Mountain View/O=Authentic8/CN=Jay Sorg/emailAddress=jsorg@authentic8.com
    cipherlist:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:AES256-RMD:AES128-RMD:DES-CBC3-RMD:DHE-RSA-AES256-RMD:DHE-RSA-AES128-RMD:DHE-RSA-DES-CBC3-RMD:DHE-DSS-AES256-RMD:DHE-DSS-AES128-RMD:DHE-DSS-DES-CBC3-RMD:RC4-SHA:RC4-MD5:DES-CBC3-SHA:DES-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA
    Using Cipher Suite: AES256-SHA
    Sending hello with SSL_write.
    yassl error: SSL_write failed

    I see that the error 1039 corresponds to SIG_OTHER_E, "Bad other signature confirmation", but don't see how it's generated (or how to prevent it from happening). What should I look into or do differently?

    Thank you,
    Jason

  • Todd Ouska
    2010-08-09

    You're getting the error 1039 because you haven't loaded the CA certificates to properly verify the server's certificate. In the client example ca-cert.pem is loaded so that it can verify server-cert.pem. You'll need to do the same for the sites you wish to connect to. Please see the note at the top of the README file.