int ssl_validate_peer_cert_phase1(struct client_t *c) { X509 *cert; int rc = SSL_get_verify_result(c->ssl_con->connection); if (rc != X509_V_OK) { /* client gave a certificate, but it's not valid */ hlog(LOG_DEBUG, "%s/%s: Peer SSL certificate verification error %d: %s", c->addr_rem, c->username, rc, X509_verify_cert_error_string(rc)); c->ssl_con->ssl_err_code = rc; return SSL_VALIDATE_CLIENT_CERT_UNVERIFIED; } cert = SSL_get_peer_certificate(c->ssl_con->connection); if (cert == NULL) { /* client did not give a certificate */ return SSL_VALIDATE_NO_CLIENT_CERT; } X509_free(cert); return 0; }
int check_cert(SSL *ssl, char *host) { X509 *peer; char peer_CN[256]; int verifyResult = SSL_get_verify_result(ssl); if (verifyResult != X509_V_OK) { fprintf(stderr,"Certificate doesn't verify, result=%d\n", verifyResult); return FALSE; } /*Check the cert chain. The chain length is automatically checked by OpenSSL when we set the verify depth in the ctx */ /*Check the common name*/ peer=SSL_get_peer_certificate(ssl); X509_NAME_get_text_by_NID( X509_get_subject_name(peer), NID_commonName, peer_CN, 256); if (strcasecmp(peer_CN,host)) { fprintf(stderr,"Common name %s doesn't match host name %s\n",peer_CN,host); return FALSE; } return TRUE; }
void SslClient:: CheckCertification(const char *host_) { X509 *peer; char peer_CN[256]; int retval; // 校验对方证书 if( (retval = SSL_get_verify_result(ssl_m)) != X509_V_OK) { char err_msg[128]; sprintf(err_msg,"Certificate doesn't verify. Code: %d", retval); Throw(err_msg, MException::ME_INVARG); } // 校验域名与证书中的common name是否相同 peer = SSL_get_peer_certificate(ssl_m); X509_NAME_get_text_by_NID( X509_get_subject_name(peer), NID_commonName, peer_CN, 256); #ifdef SslClient_DEBUG printf("peer: %s\n", peer_CN); printf("host: %s\n", host_); #endif // 默认为校验Common Name字段 if(check_cname_m == true) { if(strcasecmp(peer_CN, host_)) { Throw("Common name doesn't match hostname", MException::ME_INVARG); } } }
void describeCertificates(SSL* ssl, bool isServer) { // Resumed sessions don't necessarily have chains (not included in session ticket) X509 *cert = SSL_get_peer_certificate(ssl); if (cert == NULL) { fprintf(stderr,"No peer certificates.\n"); } else { fprintf(stderr,"Peer certificates:\n"); describeCertificate(0, cert); X509_free(cert); STACK_OF(X509) *certs = SSL_get_peer_cert_chain(ssl); // We don't have to free this apparently // Cached sessions may not have a chain if (certs != NULL) { // On server, chain doesn't include client certificate if (isServer) { for (int i = 0; i < sk_X509_num(certs); i++) { describeCertificate(i+1, sk_X509_value(certs,i)); } } else { for (int i = 1; i < sk_X509_num(certs); i++) { describeCertificate(i, sk_X509_value(certs,i)); } } } long verify_result = SSL_get_verify_result(ssl); if (verify_result == X509_V_OK) { fprintf(stderr,"Certificate OK\n"); } else { // See 'man verify(1SSL)' for meanings of the codes fprintf(stderr,"Verification error %ld\n", verify_result); ERR_print_errors_fp(stderr); } } }
int tls_start(tls_t *tls) { int error; int ret; long x509_res; /* Since we're non-blocking, loop the connect call until it succeeds or fails */ while (1) { ret = SSL_connect(tls->ssl); error = ret <= 0 ? SSL_get_error(tls->ssl, ret) : 0; if (ret == -1 && tls_is_recoverable(error)) { /* wait for something to happen on the sock before looping back */ _tls_sock_wait(tls, error); continue; } /* success or fatal error */ break; } x509_res = SSL_get_verify_result(tls->ssl); xmpp_debug(tls->ctx, "tls", "Certificate verification %s", x509_res == X509_V_OK ? "passed" : "FAILED"); _tls_set_error(tls, error); return ret <= 0 ? 0 : 1; }
int ShowCerts(SSL* ssl) { X509 *cert; char *line; int value; cert = SSL_get_peer_certificate(ssl); /* get the server's certificate */ if ( cert != NULL ) { printf("Server certificates:\n"); line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0); printf("Subject: %s\n", line); free(line); /* free the malloc'ed string */ line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0); printf("Issuer: %s\n", line); if(SSL_get_verify_result(ssl) == X509_V_OK) { printf("client verification with SSL_get_verify_result() succeeded.\n"); value = 1; } else{ printf("client verification with SSL_get_verify_result() fail.\n"); value = 0; } free(line); /* free the malloc'ed string */ X509_free(cert); /* free the malloc'ed certificate copy */ return value; } else printf("No certificates.\n"); return 0; }
uint32_t verify_signature (SSL *ssl, const char *hostname) { long ssl_verify_result; X509 *certificate; certificate = SSL_get_peer_certificate(ssl); if (NULL == certificate) { die ("Getting certificate failed\n"); } // In theory, we verify that the cert is valid ssl_verify_result = SSL_get_verify_result(ssl); switch (ssl_verify_result) { case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: die ("certificate is self signed\n"); case X509_V_OK: verb ("V: certificate verification passed\n"); break; default: die ("certification verification error: %ld\n", ssl_verify_result); } return 0; }
/** * Return the verification state of the peer chain. */ static int meth_getpeerverification(lua_State *L) { long err; p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection"); if (ssl->state != LSEC_STATE_CONNECTED) { lua_pushboolean(L, 0); lua_pushstring(L, "closed"); return 2; } err = SSL_get_verify_result(ssl->ssl); if (err == X509_V_OK) { lua_pushboolean(L, 1); return 1; } luaL_getmetatable(L, "SSL:Verify:Registry"); lua_pushlightuserdata(L, (void*)ssl->ssl); lua_gettable(L, -2); if (lua_isnil(L, -1)) lua_pushstring(L, X509_verify_cert_error_string(err)); else { /* Copy the table of errors to avoid modifications */ lua_newtable(L); copy_error_table(L, lua_gettop(L)-1, lua_gettop(L)); } lua_pushboolean(L, 0); lua_pushvalue(L, -2); return 2; }
static inline int tls_check_cert(shout_tls_t *tls) { X509 *cert = SSL_get_peer_certificate(tls->ssl); int cert_ok = 0; if (!cert) return SHOUTERR_TLSBADCERT; do { if (SSL_get_verify_result(tls->ssl) != X509_V_OK) break; #ifdef XXX_HAVE_X509_check_host if (X509_check_host(cert, tls->host, 0, 0, NULL) != 1) break; #else if (tls_check_host(cert, tls->host) != SHOUTERR_SUCCESS) break; #endif /* ok, all test passed... */ cert_ok = 1; } while (0); X509_free(cert); return cert_ok ? SHOUTERR_SUCCESS : SHOUTERR_TLSBADCERT; }
int lws_tls_peer_cert_info(struct lws *wsi, enum lws_tls_cert_info type, union lws_tls_cert_info_results *buf, size_t len) { int rc = 0; X509 *x509; wsi = lws_get_network_wsi(wsi); x509 = SSL_get_peer_certificate(wsi->tls.ssl); if (!x509) { lwsl_debug("no peer cert\n"); return -1; } switch (type) { case LWS_TLS_CERT_INFO_VERIFIED: buf->verified = SSL_get_verify_result(wsi->tls.ssl) == X509_V_OK; break; default: rc = lws_tls_openssl_cert_info(x509, type, buf, len); } X509_free(x509); return rc; }
/** Called after the SSL connection and initial handshaking is complete. */ void ssl_connected(struct conn *c) { X509 *peer; SSL *ssl; #if SSL_DEBUG_LEVEL > 0 errputs(stdout, "SSL connection attempt completed. Resolving remote host name."); errprintf(stdout, "ssl_slave: ssl error code: %ld\n", bufferevent_get_openssl_error(c->remote_bev)); #endif bufferevent_set_timeouts(c->remote_bev, NULL, NULL); ssl = bufferevent_openssl_get_ssl(c->remote_bev); /* Successful accept. Log peer certificate, if any. */ if ((peer = SSL_get_peer_certificate(ssl))) { if (SSL_get_verify_result(ssl) == X509_V_OK) { char buf[256]; /* The client sent a certificate which verified OK */ X509_NAME_oneline(X509_get_subject_name(peer), buf, 256); errprintf(stdout, "SSL client certificate accepted: %s\n", buf); } } c->state = C_HOSTNAME_LOOKUP; c->resolver_req = evdns_getnameinfo(resolver, &c->remote_addr.addr, 0, address_resolved, c); }
void raise_error(SSL* ssl, int result) { char buf[512]; char msg[512]; const char* err_str; int err = errno; int ssl_err = SSL_get_error(ssl, result); int verify_err = SSL_get_verify_result(ssl); if(SSL_ERROR_SYSCALL == ssl_err) { snprintf(msg, sizeof(msg), "System error: %s - %d", strerror(err), err); } else if(SSL_ERROR_SSL == ssl_err) { if(X509_V_OK != verify_err) { err_str = X509_verify_cert_error_string(verify_err); snprintf(msg, sizeof(msg), "OpenSSL certificate verification error: %s - %d", err_str, verify_err); } else { err = ERR_get_error(); ERR_error_string_n(err, buf, sizeof(buf)); snprintf(msg, sizeof(msg), "OpenSSL error: %s - %d", buf, err); } } else { snprintf(msg, sizeof(msg), "Unknown OpenSSL error: %d", ssl_err); } ERR_clear_error(); rb_raise(eError, "%s", msg); }
int rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN]) { X509 *cert; int res; if (F->ssl == NULL) return 0; cert = SSL_get_peer_certificate((SSL *) F->ssl); if(cert != NULL) { res = SSL_get_verify_result((SSL *) F->ssl); if( res == X509_V_OK || res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN || res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE || res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT || res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) { unsigned int certfp_length = RB_SSL_CERTFP_LEN; X509_digest(cert, EVP_sha1(), certfp, &certfp_length); X509_free(cert); return 1; } X509_free(cert); } return 0; }
void *handle_connection(void *arg) { char buf[1024]; BIO *bio = (BIO *)arg; X509 *peer; SSL *ssl; BIO_get_ssl(bio, &ssl); if (BIO_do_handshake(bio) <= 0) { printf("Failed handshake.\n"); ERR_print_errors_fp(stdout); return (void *)-1; } if ((peer = SSL_get_peer_certificate(ssl))) { if (SSL_get_verify_result(ssl) == X509_V_OK) { /* The client sent a certificate which verified OK */ printf("The client sent a certificate which verified OK\n"); } else { printf("The client sent a certificate which verified failed\n"); } } else { fprintf(stderr, "cannot get peer certificate\n"); } BIO_read(bio, buf, 1024); printf("Received: %s\n", buf); BIO_puts(bio, "Connection: Sending out Data on initial connection\n"); printf("Sent out data on connection\n"); BIO_free_all(bio); return (void *)0; }
void ShowCerts(SSL* ssl) { X509 *cert; char *line; cert = SSL_get_peer_certificate(ssl); /* Get certificates (if available) */ if ( cert != NULL ) { printf("Client certificates:\n"); line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0); printf("Subject: %s\n", line); free(line); line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0); printf("Issuer: %s\n", line); if(SSL_get_verify_result(ssl) == X509_V_OK) { printf("client verification with SSL_get_verify_result() succeeded.\n"); } else{ printf("client verification with SSL_get_verify_result() fail.\n"); } free(line); X509_free(cert); } else printf("No certificates.\n"); }
int rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method) { int len = 0; X509 *cert; int res; if (F->ssl == NULL) return 0; cert = SSL_get_peer_certificate((SSL *) F->ssl); if(cert == NULL) return 0; res = SSL_get_verify_result((SSL *) F->ssl); switch(res) { case X509_V_OK: case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: case X509_V_ERR_CERT_UNTRUSTED: len = make_certfp(cert, certfp, method); default: /* to silence code inspectors */ break; } X509_free(cert); return len; }
secure::error_t secure::verify(session_t session, const char *peername) { SSL *ssl = (SSL *)session; char peer_cn[256]; if(SSL_get_verify_result(ssl) != X509_V_OK) return secure::INVALID_CERTIFICATE; if(!peername) return secure::OK; X509 *peer = SSL_get_peer_certificate(ssl); if(!peer) return secure::INVALID_PEERNAME; X509_NAME_get_text_by_NID( X509_get_subject_name(peer), NID_commonName, peer_cn, sizeof(peer_cn)); if(!eq_case(peer_cn, peername)) return secure::INVALID_PEERNAME; return secure::OK; }
/** * Verify SSL handshake was valid. */ static int rd_kafka_transport_ssl_verify (rd_kafka_transport_t *rktrans) { long int rl; X509 *cert; cert = SSL_get_peer_certificate(rktrans->rktrans_ssl); X509_free(cert); if (!cert) { rd_kafka_broker_fail(rktrans->rktrans_rkb, LOG_ERR, RD_KAFKA_RESP_ERR__SSL, "Broker did not provide a certificate"); return -1; } if ((rl = SSL_get_verify_result(rktrans->rktrans_ssl)) != X509_V_OK) { rd_kafka_broker_fail(rktrans->rktrans_rkb, LOG_ERR, RD_KAFKA_RESP_ERR__SSL, "Failed to verify broker certificate: %s", X509_verify_cert_error_string(rl)); return -1; } rd_rkb_dbg(rktrans->rktrans_rkb, SECURITY, "SSLVERIFY", "Broker SSL certificate verified"); return 0; }
int rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN]) { X509 *cert; int res; if (F->ssl == NULL) return 0; cert = SSL_get_peer_certificate((SSL *) F->ssl); if(cert != NULL) { res = SSL_get_verify_result((SSL *) F->ssl); if(res == X509_V_OK || res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN || res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE || res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) { memcpy(certfp, cert->sha1_hash, RB_SSL_CERTFP_LEN); return 1; } X509_free(cert); } return 0; }
static int new_client_session_cb(SSL *ssl, SSL_SESSION *session) { const char *myname = "new_client_session_cb"; TLS_SESS_STATE *TLScontext; VSTRING *session_data; /* * The cache name (if caching is enabled in tlsmgr(8)) and the cache ID * string for this session are stored in the TLScontext. It cannot be * null at this point. */ if ((TLScontext = SSL_get_ex_data(ssl, TLScontext_index)) == 0) msg_panic("%s: null TLScontext in new session callback", myname); /* * We only get here if the cache_type is not empty. This callback is not * set unless caching is enabled and the cache_type is stored in the * server SSL context. */ if (TLScontext->cache_type == 0) msg_panic("%s: null session cache type in new session callback", myname); if (TLScontext->log_mask & TLS_LOG_CACHE) /* serverid already contains namaddrport information */ msg_info("save session %s to %s cache", TLScontext->serverid, TLScontext->cache_type); #if (OPENSSL_VERSION_NUMBER < 0x00906011L) || (OPENSSL_VERSION_NUMBER == 0x00907000L) /* * Ugly Hack: OpenSSL before 0.9.6a does not store the verify result in * sessions for the client side. We modify the session directly which is * version specific, but this bug is version specific, too. * * READ: 0-09-06-01-1 = 0-9-6-a-beta1: all versions before beta1 have this * bug, it has been fixed during development of 0.9.6a. The development * version of 0.9.7 can have this bug, too. It has been fixed on * 2000/11/29. */ session->verify_result = SSL_get_verify_result(TLScontext->con); #endif /* * Passivate and save the session object. Errors are non-fatal, since * caching is only an optimization. */ if ((session_data = tls_session_passivate(session)) != 0) { tls_mgr_update(TLScontext->cache_type, TLScontext->serverid, STR(session_data), LEN(session_data)); vstring_free(session_data); } /* * Clean up. */ SSL_SESSION_free(session); /* 200502 */ return (1); }
/** setup SSL on the connection */ static SSL* setup_ssl(SSL_CTX* ctx, int fd) { SSL* ssl; X509* x; int r; if(!ctx) return NULL; ssl = SSL_new(ctx); if(!ssl) ssl_err("could not SSL_new"); SSL_set_connect_state(ssl); (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); if(!SSL_set_fd(ssl, fd)) ssl_err("could not SSL_set_fd"); while(1) { ERR_clear_error(); if( (r=SSL_do_handshake(ssl)) == 1) break; r = SSL_get_error(ssl, r); if(r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE) ssl_err("SSL handshake failed"); /* wants to be called again */ } /* check authenticity of server */ if(SSL_get_verify_result(ssl) != X509_V_OK) ssl_err("SSL verification failed"); x = SSL_get_peer_certificate(ssl); if(!x) ssl_err("Server presented no peer certificate"); X509_free(x); return ssl; }
/** * Verify peer certificate of a TLS connection * * @param tc TLS Connection * @param cn Returned common name * @param cn_size Size of cn string * * @return 0 if success, otherwise errorcode */ int tls_verify_cert(struct tls_conn *tc, char *cn, size_t cn_size) { X509 *peer; if (!tc || !cn || !cn_size) return EINVAL; /* Check the cert chain. The chain length is automatically checked by OpenSSL when we set the verify depth in the ctx */ peer = SSL_get_peer_certificate(tc->ssl); if (!peer) { DEBUG_WARNING("Unable to get peer certificate\n"); return EPROTO; } /* Get the common name */ X509_NAME_get_text_by_NID(X509_get_subject_name(peer), NID_commonName, cn, (int)cn_size); /* todo get valid start/end date */ if (SSL_get_verify_result(tc->ssl) != X509_V_OK) { DEBUG_WARNING("Certificate doesn't verify\n"); return EPROTO; } return 0; }
void SslConnection::handleHandshake(const asio_error_code& error) { SSL* ssl = 0; #if BOOST_VERSION >= 104700 ssl = socket_.native_handle(); #else //BOOST_VERSION < 104700 if(socket_.impl()) ssl = socket_.impl()->ssl; #endif //BOOST_VERSION >= 104700 if (!error) { Connection::start(); // ssl handle must be registered after calling start(), since start() // resets the structs registerSslHandle(ssl); } else { long sslState = SSL_get_verify_result(ssl); if (sslState != X509_V_OK) { LOG_INFO("OpenSSL error: " << X509_verify_cert_error_string(sslState)); } LOG_INFO("SSL handshake error: " << error.message()); ConnectionManager_.stop(shared_from_this()); } }
long sycSSL_get_verify_result(SSL *ssl) { long result; Debug1("SSL_get_verify_result(%p)", ssl); result = SSL_get_verify_result(ssl); Debug1("SSL_get_verify_result() -> %lx", result); return result; }
long TLS_SOCKET_CLASS::postConnectionCheck(SSL* ssl_ptr) // DESCRIPTION : Performs checks after the connection is made to insure all is well. // PRECONDITIONS : // POSTCONDITIONS : // EXCEPTIONS : // NOTES : //<<=========================================================================== { long result; if (checkRemoteCertificateM) { X509* cert_ptr; // No error will be generated by the OpenSSL library during the connection if the client // does not send a certificate, even if one was requested. We check here to make sure the // certificate was sent if we required it. If it was sent, OpenSSL will have verified it, // so we don't need to do that here. // Another thing that can be checked is to make sure that the certificate is for the node // we think we are talking to, since the library will validate any certificate that is // signed by a trusted Certificate Authority. DVT does not perform this check since a // failure here is not a connectivity problem but just a matter of getting the correct // certificate installed on the unit under test. // To fully meet the IHE requirements, the certificate should be checked to make sure the // sender is on a list of authorized nodes. This is where that check would be performed. // DVT does not support this functionality. // get the peer's certificate cert_ptr = SSL_get_peer_certificate(ssl_ptr); if (cert_ptr == NULL) { if (loggerM_ptr) { loggerM_ptr->text(LOG_ERROR, 1, "Secure Socket - Error peer certificate was not received"); } return X509_V_ERR_APPLICATION_VERIFICATION; } X509_free(cert_ptr); // get the result of the OpenSSL verification result = SSL_get_verify_result(ssl_ptr); if (result != X509_V_OK) { openSslError("in post connection check"); } return result; } else { // not checking remote certificates, nothing to do here return X509_V_OK; } }
static void log_verify_details(as_socket* sock) { long vr = SSL_get_verify_result(sock->ssl); if (vr != X509_V_OK) { as_log_info("TLS verify result: %s", X509_verify_cert_error_string(vr)); } }
bool OpenSSLBase::handshake() { doTLSOperation( TLSHandshake ); if( !m_secure ) return true; int res = SSL_get_verify_result( m_ssl ); if( res != X509_V_OK ) m_certInfo.status = CertInvalid; else m_certInfo.status = CertOk; X509* peer = SSL_get_peer_certificate( m_ssl ); if( peer ) { char peer_CN[256]; X509_NAME_get_text_by_NID( X509_get_issuer_name( peer ), NID_commonName, peer_CN, sizeof( peer_CN ) ); m_certInfo.issuer = peer_CN; X509_NAME_get_text_by_NID( X509_get_subject_name( peer ), NID_commonName, peer_CN, sizeof( peer_CN ) ); m_certInfo.server = peer_CN; m_certInfo.date_from = openSSLTime2UnixTime( (char*) (peer->cert_info->validity->notBefore->data) ); m_certInfo.date_to = openSSLTime2UnixTime( (char*) (peer->cert_info->validity->notAfter->data) ); std::string p( peer_CN ); std::transform( p.begin(), p.end(), p.begin(), tolower ); if( p != m_server ) m_certInfo.status |= CertWrongPeer; if( ASN1_UTCTIME_cmp_time_t( X509_get_notBefore( peer ), time( 0 ) ) != -1 ) m_certInfo.status |= CertNotActive; if( ASN1_UTCTIME_cmp_time_t( X509_get_notAfter( peer ), time( 0 ) ) != 1 ) m_certInfo.status |= CertExpired; } else { m_certInfo.status = CertInvalid; } const char* tmp; tmp = SSL_get_cipher_name( m_ssl ); if( tmp ) m_certInfo.cipher = tmp; tmp = SSL_get_cipher_version( m_ssl ); if( tmp ) m_certInfo.protocol = tmp; tmp = SSL_COMP_get_name( SSL_get_current_compression( m_ssl ) ); if( tmp ) m_certInfo.compression = tmp; m_valid = true; m_handler->handleHandshakeResult( this, true, m_certInfo ); return true; }
int main() { SSL_load_error_strings(); ERR_load_BIO_strings(); OpenSSL_add_all_algorithms(); SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method()); if (ctx == NULL) { printf("SSL_CTX_new err func:%s\n reaseon:%s", ERR_func_error_string(ERR_get_error()), ERR_reason_error_string(ERR_get_error())); exit(1); } //加载可信任证书库 if (0 == SSL_CTX_load_verify_locations(ctx, "./push_cer.pem", NULL)) { printf("err func:%s\n reaseon:%s", ERR_func_error_string(ERR_get_error()), ERR_reason_error_string(ERR_get_error())); ERR_print_errors_fp(stdout); exit(1); } //set BIO BIO *bio = BIO_new_ssl_connect(ctx); if (bio == NULL) { printf("err func:%s\n", ERR_func_error_string(ERR_get_error())); ERR_print_errors_fp(stdout); exit(1); } SSL *ssl; BIO_get_ssl(bio, &ssl); SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); //open safe connect BIO_set_conn_hostname(bio, "gateway.sandbox.push.apple.com:2195"); //verify connect ok if (BIO_do_connect(bio) <= 0) { ERR_print_errors_fp(stdout); exit(1); } if (SSL_get_verify_result(ssl) != X509_V_OK) { printf("SSL_get_verify_result not success\n"); } char buf[MAXBUF]; char *json = "{\"aps\":{\"badge\":123}}"; sendPayload(bio, token, json, strlen(json)); int ret = BIO_read(bio, buf, MAXBUF); if (ret <= 0) { printf("BIO_read return 0\n"); } SSL_CTX_free(ctx); BIO_free_all(bio); return 0; }
int ssl_open(http_t *client, char *msg) { char buf[256]; const char *sn; X509 *cert; if (!client->ssl_enabled) return tcp_init(&client->tcp, msg); tcp_set_port(&client->tcp, HTTPS_DEFAULT_PORT); DO(tcp_init(&client->tcp, msg)); logit(LOG_INFO, "%s, initiating HTTPS ...", msg); client->ssl_ctx = SSL_CTX_new(SSLv23_client_method()); if (!client->ssl_ctx) return RC_HTTPS_OUT_OF_MEMORY; /* POODLE, only allow TLSv1.x or later */ SSL_CTX_set_options(client->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION); SSL_CTX_set_verify(client->ssl_ctx, SSL_VERIFY_PEER, verify_callback); SSL_CTX_set_verify_depth(client->ssl_ctx, 150); /* Try to figure out location of trusted CA certs on system */ if (ssl_set_ca_location(client)) return RC_HTTPS_NO_TRUSTED_CA_STORE; client->ssl = SSL_new(client->ssl_ctx); if (!client->ssl) return RC_HTTPS_OUT_OF_MEMORY; /* SSL SNI support: tell the servername we want to speak to */ http_get_remote_name(client, &sn); if (!SSL_set_tlsext_host_name(client->ssl, sn)) return RC_HTTPS_SNI_ERROR; SSL_set_fd(client->ssl, client->tcp.ip.socket); if (-1 == SSL_connect(client->ssl)) return RC_HTTPS_FAILED_CONNECT; logit(LOG_INFO, "SSL connection using %s", SSL_get_cipher(client->ssl)); cert = SSL_get_peer_certificate(client->ssl); if (!cert) return RC_HTTPS_FAILED_GETTING_CERT; if (SSL_get_verify_result(client->ssl) == X509_V_OK) logit(LOG_DEBUG, "Certificate OK"); X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)); logit(LOG_INFO, "SSL server cert subject: %s", buf); X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf)); logit(LOG_INFO, "SSL server cert issuer: %s", buf); X509_free(cert); return 0; }
boost::shared_ptr<CertificateVerificationError> OpenSSLContext::getPeerCertificateVerificationError() const { int verifyResult = SSL_get_verify_result(handle_); if (verifyResult != X509_V_OK) { return boost::make_shared<CertificateVerificationError>(getVerificationErrorTypeForResult(verifyResult)); } else { return boost::shared_ptr<CertificateVerificationError>(); } }