OpenSSL X509 Error Codes
SYNOPSIS

openssl verify [...] [-attime timestamp] [-check_ss_sig] [-CRLfile file] [-crl_download] [-crl_check] [-crl_check_all] [-engine id] [-explicit_policy] [-extended_crl] [-ignore_critical] [-inhibit_any] [-inhibit_map] [-no_check_time] [-partial_chain] [-policy arg] [-policy_check] [-policy_print] [-purpose purpose] [-suiteB_128] [-suiteB_128_only] [-suiteB_192] [-trusted_first] [-no_alt_chains] [-untrusted file] [-trusted file] [-use_deltas] [-verbose] [-auth_level level] [-verify_depth num] [-verify_email email] [-verify_hostname hostname] [-verify_ip ip] [-verify_name name] [-x509_strict] [-show_chain] [-] [certificates]

DESCRIPTION

The verify command verifies certificate chains.

COMMAND OPTIONS

-help
    Print out a usage message.

-CAfile file
    A file of trusted certificates. The file should contain one or more certificates in PEM format.

-CApath directory
    A directory of trusted certificates. The certificates should have names of the form hash.0, or have symbolic links to them of this form ("hash" is the hashed certificate subject name: see the -hash option of the x509 utility). Under Unix the c_rehash script will automatically create symbolic links to a directory of certificates.

-no-CAfile
    Do not load the trusted CA certificates from the default file location.

-no-CApath
    Do not load the trusted CA certificates from the default directory location.

-allow_proxy_certs
    Allow the verification of proxy certificates.

-attime timestamp
    Perform validation checks using the time specified by timestamp and not the current system time. timestamp is the number of seconds since 01.01.1970 (UNIX time).

-check_ss_sig
    Verify the signature on the self-signed root CA. This is disabled by default because it doesn't add any security.

-CRLfile file
    The file should contain one or more CRLs in PEM format. This option can be specified more than once to include
X509_STORE_CTX_get_error, X509_STORE_CTX_set_error, X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert, X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set certificate verification status information

DESCRIPTION

These functions are typically called after X509_verify_cert() has indicated an error, or in a verification callback, to determine the nature of an error.

X509_STORE_CTX_get_error() returns the error code of ctx; see the ERROR CODES section for a full description of all error codes.

X509_STORE_CTX_set_error() sets the error code of ctx to s. For example, it might be used in a verification callback to set an error based on additional checks.

X509_STORE_CTX_get_error_depth() returns the depth of the error. This is a non-negative integer representing where in the certificate chain the error occurred. If it is zero, the error occurred in the end entity certificate; one means it occurred in the certificate which signed the end entity certificate, and so on.

X509_STORE_CTX_get_current_cert() returns the certificate in ctx which caused the error, or NULL if no certificate is relevant.

X509_STORE_CTX_get1_chain() returns a complete validated chain if a previous call to X509_verify_cert() was successful. If the call to X509_verify_cert() was not successful, the returned chain may be incomplete or invalid. The returned chain persists after the ctx structure is freed; when it is no longer needed it should be freed using:

    sk_X509_pop_free(chain, X509_free);

X509_verify_cert_error_string() returns a human readable error string for verification error n.

RETURN VALUES

X509_STORE_CTX_get_error() returns X509_V_OK or an error code.

X509_STORE_CTX_get_error_depth() returns a non-negative error depth.

X509_STORE_CTX_get_current_cert() returns the certificate which caused the error, or NULL if no certificate is relevant to the error.

X509_verify_cert_error_string() returns a human readable error string for verification error n.

ERROR CODES

A list of error codes and messages is shown below. Some of the error codes are defined but currently never returned: these are
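The following script is an added example, not code from the OpenSSL manual pages or the blog post on this page: it builds a throwaway CA and leaf certificate (subject names constructed here) and runs `openssl verify` with the options documented above, reducing the output to the error number and error depth the man page describes. It assumes an `openssl` binary and `mktemp` on PATH.

```shell
#!/bin/sh
# Added example: constructed demo CA + leaf, verified three ways with
# `openssl verify` to show the X509_V_ERR_* number and the error depth.
# Assumes `openssl` and `mktemp` are available (assumption, not from the page).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_certs() {
  # Self-signed root CA (key and certificate generated together)
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 2 >/dev/null 2>&1
  # Leaf CSR, then a CA-signed leaf certificate
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" -days 2 \
    >/dev/null 2>&1
}

# Run `openssl verify <options> leaf.pem` and reduce its output to
# "<error number> depth=<error depth>", or "0" when the chain verified.
# On failure openssl prints "error N at D depth lookup: <message>": N is the
# X509_V_ERR_* code and D the depth from the man page (0 = end entity cert).
verify_code() {
  out=$(openssl verify "$@" "$WORK/leaf.pem" 2>&1) || true
  case "$out" in
    *": OK"*) echo 0 ;;
    *) printf '%s\n' "$out" |
         sed -n 's/.*error \([0-9]*\) at \([0-9]*\) depth.*/\1 depth=\2/p' |
         head -n 1 ;;
  esac
}

make_certs
# Trusted root supplied: X509_V_OK (0).
echo "trusted via -CAfile:         $(verify_code -CAfile "$WORK/ca.pem")"
# No trust anchor for the leaf's issuer: error 20 at depth 0, the same
# "unable to get local issuer certificate" seen in the s_client output below.
echo "no trust anchor for issuer:  $(verify_code)"
# Validation time moved to 2001 with -attime: error 9, certificate not yet valid.
echo "checked -attime 1000000000:  $(verify_code -CAfile "$WORK/ca.pem" -attime 1000000000)"
```

The depth reported for the -attime case depends on which certificate in the chain OpenSSL checks first, so only the error number is stable across versions.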
Five Essential OpenSSL Troubleshooting Commands
March 16, 2015 | John Herbert | Networking, Software, Tips
http://movingpackets.net/2015/03/16/five-essential-openssl-troubleshooting-commands/

Troubleshooting SSL certificates and connections? Here are five handy openssl commands that every network engineer should be able to use. Bookmark this - you never know when it will come in handy!

1. Check the Connection

    openssl s_client -showcerts -connect www.microsoft.com:443

This command opens an SSL connection to the specified site and displays the entire certificate chain as well. Here's an abridged version of the sample output:

    MBP$ openssl s_client -showcerts -connect www.microsoft.com:443
    CONNECTED(00000003)
    depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/OU=MSCOM/CN=www.microsoft.com
       i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
     1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
       i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
     2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
       i:/C=US/O=VeriSign, Inc./OU=Cl