I need code that performs mutual authentication (client and server authenticate each other). My server is a TCP server, and I plan to add TLS to secure it.
https://github.com/ospaarmann/exdgraph/wiki/TLS-client-authentication I used the link above to generate the client and server certificates, the CA certificate, and the key files.
Server-side code:
SSL_CTX *create_server_ctx(void)
{
    SSL_CTX *ret;

    /* create a new SSL context (server side) */
    ret = SSL_CTX_new(SSLv23_server_method());
    if (ret == NULL) {
        fprintf(stderr, "SSL_CTX_new failed!\n");
        return NULL;
    }
    /* refuse SSLv2/SSLv3 and TLS compression */
    SSL_CTX_set_options(ret, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);
    /* require a client certificate and abort the handshake if none is sent */
    SSL_CTX_set_verify(ret, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
    /*
     * The CA that must have issued the client certificate.
     * CAfile is the second argument and CApath (a directory of hashed
     * certificates) the third; a file path passed as CApath is accepted
     * here without error but yields no CA at verification time.
     */
    if (SSL_CTX_load_verify_locations(ret, "/home/ml5/tls_bio/MyRootCA.pem", NULL) == 0) {
        fprintf(stderr, "Failed to load root certificates\n");
        SSL_CTX_free(ret);
        return NULL;
    }
    printf("Loaded root certificates\n");
    /*
     * Verification is configured above; now give OpenSSL our own
     * certificate chain and private key.
     */
    if (SSL_CTX_use_certificate_chain_file(ret, "MyServer.pem") != 1) {
        ssl_perror("SSL_CTX_use_certificate_chain_file");
        SSL_CTX_free(ret);
        return NULL;
    }
    if (SSL_CTX_use_PrivateKey_file(ret, "MyServer.key", SSL_FILETYPE_PEM) != 1) {
        ssl_perror("SSL_CTX_use_PrivateKey_file");
        SSL_CTX_free(ret);
        return NULL;
    }
    /* Check that the certificate (public key) and private key match. */
    if (SSL_CTX_check_private_key(ret) != 1) {
        fprintf(stderr, "certificate and private key do not match!\n");
        SSL_CTX_free(ret);
        return NULL;
    }
    return ret;
}

Client code:
SSL_CTX *ret;

/* create a new SSL context */
ret = SSL_CTX_new(SSLv23_client_method());
if (ret == NULL) {
    fprintf(stderr, "SSL_CTX_new failed!\n");
    return NULL;
}
/*
 * set our desired options
 *
 * We don't want to talk to old SSLv2 or SSLv3 servers because
 * these protocols have security issues that could lead to the
 * connection being compromised.
 *
 * Return value is the new set of options after adding these
 * (we don't care).
 */
SSL_CTX_set_options(ret, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);
/*
 * set up certificate verification
 *
 * We want the verification to fail if the peer doesn't
 * offer any certificate. Otherwise it's easy to impersonate
 * a legitimate server just by offering no certificate.
 *
 * No error checking, not because I'm being sloppy, but because
 * these functions don't return error information.
 *
 * Note: SSL_VERIFY_FAIL_IF_NO_PEER_CERT only has an effect in server
 * mode; in client mode SSL_VERIFY_PEER already fails the handshake
 * when the server's certificate does not verify.
 */
SSL_CTX_set_verify(ret, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
SSL_CTX_set_verify_depth(ret, 4);
/*
 * Point our context at the root certificates.
 * This may vary depending on your system.
 * CAfile is the second argument and CApath (a directory of hashed
 * certificates) the third; a file path passed as CApath is accepted
 * here without error but yields no CA at verification time.
 */
if (SSL_CTX_load_verify_locations(ret, "/home/ml5/tls_bio_l1/MyRootCA.pem", NULL) == 0) {
    fprintf(stderr, "Failed to load root certificates\n");
    SSL_CTX_free(ret);
    return NULL;
}
printf("Loaded root certificates\n");
/*
 * Chain validation alone does not bind the certificate to the host we
 * dialled. To also check the server name, call X509_VERIFY_PARAM_set1_host()
 * on SSL_CTX_get0_param(ret) (OpenSSL 1.0.2+) or SSL_set1_host() on the SSL
 * object (1.1.0+).
 */
/*
 * Verification is configured above; now give OpenSSL our own
 * certificate chain and private key so the server can authenticate us.
 */
if (SSL_CTX_use_certificate_chain_file(ret, "MyClient.pem") != 1) {
    fprintf(stderr, "Failed to load client certificate chain\n");
    SSL_CTX_free(ret);
    return NULL;
}
if (SSL_CTX_use_PrivateKey_file(ret, "MyClient.key", SSL_FILETYPE_PEM) != 1) {
    fprintf(stderr, "Failed to load client private key\n");
    SSL_CTX_free(ret);
    return NULL;
}
/* Check that the certificate (public key) and private key match. */
if (SSL_CTX_check_private_key(ret) != 1) {
    fprintf(stderr, "certificate and private key do not match!\n");
    SSL_CTX_free(ret);
    return NULL;
}

I'm not sure what is going wrong, because when I start the server and the client I get the following error on the client side: SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:error:14090086: BIO_do_connect
Of course, mutual authentication succeeds if I install my own verification callback on both the client and the server side: SSL_CTX_set_cert_verify_callback(ctx, always_true_callback, NULL);
But I don't think that is how this should be done. Any help resolving the error shown above would be much appreciated.
Posted on 2020-04-16 19:01:50
Just for those who land here: the problem was with how I generated the CA certificate and the client/server certificates. Once I fixed those, it started working.
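As an added example, not code from the question or the answer, the script below rebuilds a throwaway CA, server and client certificate in a scratch directory and runs `openssl verify` on each, which is the same chain check that SSL_CTX_load_verify_locations plus SSL_VERIFY_PEER perform during the handshake; it also compares certificate and key the way SSL_CTX_check_private_key does. Next to the good chain it builds two broken ones that both surface in C only as "certificate verify failed": a leaf checked against a root that did not sign it, and a leaf issued by a self-signed certificate that lacks basicConstraints CA:TRUE. Running the same two checks against the real MyRootCA.pem, MyServer.pem and MyClient.pem files shows OpenSSL's X509 reason code before any C code is involved. The script assumes an openssl 1.1.1 or later binary on PATH; all names (RootCA, NotACA, BadServer, ...) are made up. One separate point worth checking in the posted code: SSL_CTX_load_verify_locations takes CAfile as its second argument and CApath, a directory of hashed certificates, as its third.

```sh
#!/bin/sh
# Added example, not part of the original question or answer.
# Assumes: openssl 1.1.1+ on PATH. All names (RootCA, NotACA, MyServer, ...) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A private request config, so the system openssl.cnf cannot add or override extensions.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_not_ca]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
EOF

# make_root NAME SECTION: self-signed certificate; SECTION decides whether it is a real CA.
make_root() {
    openssl req -x509 -config "$WORK/req.cnf" -extensions "$2" -newkey rsa:2048 -nodes \
        -days 1 -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf NAME EKU ROOT: key + CSR, signed by ROOT with the extensions a TLS peer needs.
make_leaf() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$2" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# verify_leaf ROOT LEAF: the chain check SSL_VERIFY_PEER performs against the loaded CA.
# Prints OK or FAIL; OpenSSL's X509 reason (which the C error message hides) goes to stderr.
verify_leaf() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >"$WORK/verify.out" 2>&1; then
        echo OK
    else
        sed 's/^/    openssl: /' "$WORK/verify.out" >&2
        echo FAIL
    fi
}

# key_matches CERT KEY: what SSL_CTX_check_private_key tests, the public keys must be identical.
key_matches() {
    cert_pub=$(openssl x509 -in "$WORK/$1.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORK/$2.key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] && echo OK || echo FAIL
}

make_root RootCA v3_ca
make_root NotACA v3_not_ca                  # self-signed, but not a CA
make_leaf MyServer serverAuth RootCA
make_leaf MyClient clientAuth RootCA
make_leaf BadServer serverAuth NotACA

echo "MyServer against RootCA:     $(verify_leaf RootCA MyServer)"    # OK
echo "MyClient against RootCA:     $(verify_leaf RootCA MyClient)"    # OK
echo "MyServer against NotACA:     $(verify_leaf NotACA MyServer)"    # FAIL: NotACA is not the issuer
echo "BadServer against NotACA:    $(verify_leaf NotACA BadServer)"   # FAIL: issuer is not a CA
echo "MyServer.pem / MyServer.key: $(key_matches MyServer MyServer)"  # OK
echo "MyServer.pem / MyClient.key: $(key_matches MyServer MyClient)"  # FAIL
```

For the real files, the two commands to run are `openssl verify -CAfile MyRootCA.pem MyServer.pem` (and the same for MyClient.pem), and the public-key comparison above on each PEM/key pair; the verify output names the exact X509 error, which is far more useful than the generic error:14090086 the handshake reports.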
https://stackoverflow.com/questions/61231956