[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[Libevent-users] Certificate validation problem when using libevent

To: libevent-users@xxxxxxxxxxxxx
Subject: [Libevent-users] Certificate validation problem when using libevent
From: Björn K. <bjoernk2@xxxxxxxxxxxxxx>
Date: Fri, 8 Mar 2013 20:27:32 +0100
Delivered-to: archiver@xxxxxxxx
Delivered-to: libevent-users-outgoing@xxxxxxxx
Delivered-to: libevent-users@xxxxxxxx
Delivery-date: Fri, 08 Mar 2013 14:27:40 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=mime-version:x-received:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=SJ4TsjikokUODX5ZAniyYAL9c34r7T7oo3BJZIsfwRg=; b=AxhBNi/7Or1qz4KZoBmMeymCPWZFYeq0JFByyJ7GLfHgl24udhBqs5KrW1SL4fESGb 0NS1t8Vfgz6MI49RTrpST5JWTo5eSuPSPHmm+l6XTqu/Jx+gTM5tGQxvAKhFd0tzt3pn 5Jnng0KGKwL9qs/b1RQmp4wAoBIILxBXOuwgwKRefj4kPzSZvR920eo4HjS2lw4+53Nw HQ8qdBpv1g3CWKTvLZv9us4YsDfuiSW9Vje6d0B/u7Jc/AfDxHwGOs8DyI3u+0DhVorL OB1QdZEx20l2IN8pjPAt8h7agrL48/CJWJenyZwuZOjhOBpF6o6pa2CMc+yWB9QIiEAU JJMw==
Reply-to: libevent-users@xxxxxxxxxxxxx
Sender: owner-libevent-users@xxxxxxxxxxxxx

Hello,

I have a weird problem with the program below.
I compile it on Mac OS 10.8.2 and if I link it against the default
OpenSSL version (0.9.8) it ignores the results of the verify callback.
If I link it against the newest OpenSSL version available via Mac
Ports, it works as expected (if the certificate is not valid, it
aborts the connection immediately).

If I test both versions with a programm not using libevent (and with
blocking calls) it works as expected.
I think the problem is hidden in the combination of libevent and the
default OpenSSL version, but I don't know where to look or even if it
is libevent or OpenSSL related. (I tried libevent 2.0.21 and an alpha
version.)

I think it is ok to use the Mac Ports OpenSSL version for developing
purposes but later it should work without having to install it.

Regards
Björn


#include <event2/dns.h>
#include <event2/bufferevent.h>
#include <event2/bufferevent_ssl.h>
#include <event2/buffer.h>
#include <event2/util.h>
#include <event2/event.h>

#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/x509.h>
#include <openssl/hmac.h>

#include <stdio.h>

void readcb(struct bufferevent *bev, void *ptr)
{
    char buf[1024];
    int n;
    struct evbuffer *input = bufferevent_get_input(bev);
    while ((n = evbuffer_remove(input, buf, sizeof(buf))) > 0) {
        fwrite(buf, 1, n, stdout);
    }
}

void eventcb(struct bufferevent *bev, short events, void *ptr)
{
    SSL *ssl = bufferevent_openssl_get_ssl(bev);
    X509 *peer;
    if (events & BEV_EVENT_CONNECTED) {
        printf("Connect okay\n");
        if ((peer = SSL_get_peer_certificate(ssl)))
        {
            if (SSL_get_verify_result(ssl) == X509_V_OK)
            {
                /* The client sent a certificate which verified OK */
                printf("ok\n");
            }
        }
    } else if (events & (BEV_EVENT_ERROR|BEV_EVENT_EOF)) {
        struct event_base *base = ptr;
        if (events & BEV_EVENT_ERROR) {
            int err = bufferevent_socket_get_dns_error(bev);
            if (err)
                printf("DNS error: %s\n", evutil_gai_strerror(err));
        }

        bufferevent_free(bev);
        event_base_loopexit(base, NULL);
    }
}

static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {

    printf("preverify_ok: %d\n", preverify_ok);
    return preverify_ok;

}

int main(int argc, char **argv)
{
    struct event_base *base;
    struct evdns_base *dns_base;
    struct bufferevent *bev;
    SSL_CTX *ssl_ctx;
    SSL *ssl;

    SSL_load_error_strings();
    SSL_library_init();
    RAND_poll();

    ssl_ctx = SSL_CTX_new(SSLv3_method());

    SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, verify_callback);

    if (SSL_CTX_load_verify_locations(ssl_ctx, "root.crt", NULL) !=
1){ fprintf(stderr, "Couldn't load certificate trust store.\n");
        return -1;
    }

    ssl = SSL_new(ssl_ctx);

    base = event_base_new();
    dns_base = evdns_base_new(base, 1);

    bev = bufferevent_openssl_socket_new(base, -1, ssl,
BUFFEREVENT_SSL_CONNECTING, BEV_OPT_CLOSE_ON_FREE);
    bufferevent_setcb(bev, readcb, NULL, eventcb, base);
    bufferevent_enable(bev, EV_READ|EV_WRITE);

    evbuffer_add_printf(bufferevent_get_output(bev), "GET /\r\n");
    bufferevent_socket_connect_hostname(
                                        bev, dns_base, AF_UNSPEC,
"www.google.com", 443);
    event_base_dispatch(base);

    return 0;
}
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxx with
unsubscribe libevent-users    in the body.

Prev by Author: [Libevent-users] remove some bytes from the end of the evbuffer
Next by Author: Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
Previous by thread: [Libevent-users] libpropeller - high level multithreaded library built with libevent
Next by thread: [Libevent-users] Creating a repeater/forwarder
Index(es):
- Author
- Thread