Exception running boost asio ssl example

Asked 23/6, 2011 at 10:43 Answered 29/10, 2023 at 1:31

I'm trying to run the SSL examples from boost::asio and I'm getting an "Invalid argument" exception when I run them. I'm on Linux x86_64.

http://www.boost.org/doc/libs/1_46_1/doc/html/boost_asio/example/ssl/client.cpp

http://www.boost.org/doc/libs/1_46_1/doc/html/boost_asio/example/ssl/server.cpp

Compiled with:

g++ server.cpp -o server -lboost_system -lssl
g++ client.cpp -o client -lboost_system -lssl

Run like:

$ ./server 
Usage: server <port>
$ ./server 10000
Exception: Invalid argument
$ ./server 1000
Exception: Permission denied
$ sudo ./server 1000
Exception: Invalid argument

Not sure what the problem is :( Any help would be greatly appreciated.

Thanks!

Picard answered 23/6, 2011 at 10:43 Comment(0)

OK, for anyone finding this in the future, you need to create your certificates and sign them appropriately. Here are the commands for linux:

//Generate a private key

openssl genrsa -des3 -out server.key 1024

//Generate Certificate signing request

openssl req -new -key server.key -out server.csr

//Sign certificate with private key

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

//Remove password requirement (needed for example)

cp server.key server.key.secure
openssl rsa -in server.key.secure -out server.key

//Generate dhparam file

openssl dhparam -out dh512.pem 512

Once you've done that, you need to change the filenames in server.cpp and client.cpp.

server.cpp

context_.use_certificate_chain_file("server.crt"); 
context_.use_private_key_file("server.key", boost::asio::ssl::context::pem);
context_.use_tmp_dh_file("dh512.pem");

client.cpp

ctx.load_verify_file("server.crt");

Then it should all work!

Picard answered 6/12, 2011 at 22:22 Comment(3)

Works perfeclty, -des3 option can be ommited, so we do noet need removing password. All files are in pem format so we can create single server.pem file by combining server.crt server.key and dh512.pem. – Hypertonic 15/10, 2012 at 18:41

By the way, in the step "Generate Certificate signing request" some questions are asked. From panoptic.com/wiki/aolserver/… I was able to know that the only required information is "Common Name" which must match the hostname. – Batruk 8/5, 2014 at 10:11

I leave this comment, because someone will face an error message like me. ( Handshake failed: asio.ssl:336077172 ). this means ( Handshake failed: dh key too small ). you can check this message in error.message(); and it's because of dh512.pem. 512 bit is too small. recently the limitation is changed, we should use over 512 bit. > openssl dhparam -out dh1024.pem 1024 – Halting 16/7, 2015 at 1:36

Execute the tests again with strace to see which syscall gets the EINVAL, as a bonus you'll get to see the args for the failing call. It's likely part of the security context setup that's failing, unless you have the right files and data from the example:

context_.use_certificate_chain_file("server.pem");
context_.use_private_key_file("server.pem", boost::asio::ssl::context::pem);
context_.use_tmp_dh_file("dh512.pem");

You were getting EPERM because you were trying to bind to a privileged TCP port (one whose value is less than 1024). That's why ./server 10000 does not get EPERM.

Hessian answered 29/10, 2011 at 5:3 Comment(1)

Thanks for the reply, There are no EPERM errors in the strace output, however there is: open("server.pem", O_RDONLY) = -1 ENOENT (No such file or directory) right before the exception printing. Googling further I think I may have to create some SSL certificates. Which makes sense :P Thanks for the strace tip, I always forget about it! – Picard 8/11, 2011 at 6:37

When following the answer of @Shootfast an error appered: 'bad SSL configuration: use_certificate_chain_file: ee key too small'

Changing the first line:

openssl genrsa -des3 -out server.key 1024

to:

openssl genrsa -des3 -out server.key 2048

fixed it for me.

After that I got the error: 'bad SSL configuration: use_private_key_file: no start line' the reason and solution to this is explained here: solution (It is more or less the reason for the last command of @Shootfast answer.)

Mikael answered 21/4, 2021 at 8:5 Comment(0)

For future readers; and for people running into connection problems (e.g. unexpected close on client): make sure to set the host name on the client ssl socket:

sock.set_verify_callback(ssl::host_name_verification("host.name"));

Whoops answered 29/10, 2023 at 1:31 Comment(0)

Recommended topics

Hot tags