SSL Handshake Failure

#30931
Posted: 10/09/2014 08:26:28
by Levent Gökalp (Basic support level)
Joined: 10/01/2014
Posts: 10

Hi Ken,

I use the OpenSSL command from Linux as a client, and then I get the error "SSL handshake failure" from the server side.

The server uses a .pem (certificate) and a .pkcs8 (private key).

Client Side:

140615767537312:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
140615767537312:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:

depth=0 C = US, CN = SSL/TLS Server Certificate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, CN = SSL/TLS Server Certificate
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, CN = SSL/TLS Server Certificate
verify error:num=21:unable to verify the first certificate
verify return:1
#30946
Posted: 10/09/2014 14:17:25
by Ken Ivanov (EldoS Corp.)

Hi Levent,

Thank you for doing that check for us.

According to the OpenSSL trace, it can't establish the validity of the certificate chain provided by the server. Please re-check that the certificate you are attaching to the server is known and trusted (explicitly or implicitly) in OpenSSL settings.

If you use full-featured chain validation routines on the OpenSSL side, you might also need to set up the server to provide clients with the complete certificate chain. This can be done by loading the whole chain into the certificate storage object assigned to the CertStorage property of the SSL server and setting the server's ForceCertificateChain property to true.

Ken
#30958
Posted: 10/10/2014 09:14:20
by Levent Gökalp (Basic support level)
Joined: 10/01/2014
Posts: 10

Hi Ken,

Thanks for the information.

Let me know which class I should use to store the CA certificate.

Should I use the "SBX509.TElX509Certificate" or "SBWinCertStorage.TElWinCertStorage" classes, or what do you suggest?

Do you have any sample code for using all the certificates and keys (private key, certificate and CA (root))?
#30959
Posted: 10/10/2014 09:18:55
by Vsevolod Ievgiienko (EldoS Corp.)

You can load all needed certificates using TElX509Certificate class, then put them to an instance of TElMemoryCertStorage and use with SSL server as Ken wrote above.
#30961
Posted: 10/10/2014 09:34:29
by Eugene Mayevski (EldoS Corp.)

CA certificates usually come in a separate file (or files) from the main certificate. So you first load the main certificate and its key into TElX509Certificate and add it to TElMemoryCertStorage. The answer to the question of how to load the CA certificates depends on the format in which you have them.


Sincerely yours
Eugene Mayevski
#30965
Posted: 10/13/2014 06:11:11
by Levent Gökalp (Basic support level)
Joined: 10/01/2014
Posts: 10

Thanks,

Sorry, I have no idea how to create sample code for certificates.

Can you help me store the certificate on the server side?

I have a ".pkcs8" private key, and ".pem" and "CA.pem" certificates.

The code:


Code
bool KeyLoaded = false;
OpenDlg.FileName = "";
OpenDlg.Title = "Select certificate file";
OpenDlg.Filter = "PEM-encoded certificate (*.pem)|*.pem|DER-encoded certificate (*.cer)|*.cer|PFX-encoded certificate (*.pfx)|*.pfx|All Files (*.*)|*.*";
if (OpenDlg.ShowDialog(this) != DialogResult.OK)
   return;

// Read the whole certificate file into memory (System.IO; the stream is closed for us)
byte[] Buf = File.ReadAllBytes(OpenDlg.FileName);

int Res = 0;
SBX509.TElX509Certificate Cert = new SBX509.TElX509Certificate(null);

/**********/
//SBWinCertStorage.TElWinCertStorage xc = new SBWinCertStorage.TElWinCertStorage();
//xc.LoadFromBufferPEM();
/**********/

// FilterIndex is 1-based and follows the order of the Filter string above
if (OpenDlg.FilterIndex == 3)
   Res = Cert.LoadFromBufferPFX(Buf, RequestPassphrase()); // PFX may carry the private key as well
else if (OpenDlg.FilterIndex == 1)
   Res = Cert.LoadFromBufferPEM(Buf, "");                  // PEM certificate, no passphrase
else if (OpenDlg.FilterIndex == 2)
   Cert.LoadFromBuffer(Buf);                               // DER certificate; a failed load leaves CertificateSize == 0
else
   Res = -1;                                               // "All Files": format unknown, refuse

if ((Res != 0) || (Cert.CertificateSize == 0))
{
   MessageBox.Show("Error loading the certificate", "SSL Sample", MessageBoxButtons.OK, MessageBoxIcon.Error);
   return;
}

// Probe for a private key: with a null buffer, SaveKeyToBuffer only reports the
// required size in Sz, so Sz == 0 means the certificate has no key attached yet
int Sz = 0;
Buf = null;
Cert.SaveKeyToBuffer(ref Buf, ref Sz);

if (Sz == 0)
{
   OpenDlg.Title = "Select the corresponding private key file";
   OpenDlg.Filter = "PEM-encoded key (*.pem)|*.PEM|DER-encoded key (*.key)|*.key|All Files (*.*)|*.*";
   if (OpenDlg.ShowDialog(this) == DialogResult.OK)
   {
      Buf = File.ReadAllBytes(OpenDlg.FileName);

      if (OpenDlg.FilterIndex == 1)
         Cert.LoadKeyFromBufferPEM(Buf, RequestPassphrase()); // PEM key, possibly passphrase-protected
      else
         Cert.LoadKeyFromBuffer(Buf);                         // DER key

      // Re-probe instead of assuming success: a wrong passphrase or format leaves Sz == 0
      Sz = 0;
      Buf = null;
      Cert.SaveKeyToBuffer(ref Buf, ref Sz);
      KeyLoaded = (Sz > 0);
   }
}
else
   KeyLoaded = true;

if (!KeyLoaded)
   MessageBox.Show("Private key was not loaded. Certificate added without private key.", "SSL Sample", MessageBoxButtons.OK, MessageBoxIcon.Error);

// Add to the server's storage once; 'true' keeps the private key with the certificate
if (!FCertStorage.IsPresent(Cert))
   FCertStorage.Add(Cert, true);


***For ".pkcs8" and "CA.pem" certificate how can I use for the way.
#30966
Posted: 10/13/2014 06:20:24
by Eugene Mayevski (EldoS Corp.)

Let's continue in HelpDesk ( https://www.eldos.com/helpdesk/ ) please. I have created a new support ticket based on your above message. You will see your (and only your) support tickets by following this URL. You will also get e-mail notifications about updates related to your support ticket.


Sincerely yours
Eugene Mayevski