Thanks for your contribution,
 
but the examples are quite similar to my implementation and therefore
I still have the same problem... No client authentication.
 
I'm starting to suspect my client and server certificates. Perhaps
there is something wrong with them...
 
... can you give some help with them?
 
I'll describe the steps I've used to create them:
 
1. I created a self signed CA:
    openssl req -new -x509 -keyout cakey.pem -out cacert.pem
 
2. Created a client and key certificate using:
    openssl req -new -keyout clientkey.pem -out newreq.pem -days 365
    cat newreq.pem clientkey.pem > new.pem
    openssl ca -policy policy_anything -out clientcert.pem -infiles new.pem
 
3. Created a server and key certificate using:
    openssl req -new -keyout serverkey.pem -out newreq.pem -days 365
    cat newreq.pem serverkey.pem > new.pem
    openssl ca -policy policy_anything -out servercert.pem -infiles new.pem
 
I use clientcert.pem and clientkey.pem in the client part of the code and
servercert.pem and serverkey.pem in the server part.
 
Am I making some error?
Are these certificates ok?
 
Thanks for your help,...
 
 
Best regards,
 
   
_____________________________________________________________
Carlos Serrão                          [EMAIL PROTECTED]
                                 http://adetti.iscte.pt/~cjcs
                                
DCTI - IS/IT Department        IS/IT Research and Development
ADETTI/ISCTE - Av.Forcas Armadas     1600-082 LISBOA Portugal
Tel.: +351217903064/+351217903901         Fax:  +351217935300
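
A way to answer "are these certificates ok?" from the command line, as an added example that is not part of the original message: it checks that a certificate chains to the CA file and that the private key belongs to that certificate. The function names, temporary file names and subjects are constructed for illustration; it assumes unencrypted keys (`-nodes`) and signs with `openssl x509 -req` rather than the `openssl ca` setup used in the steps above.

```shell
#!/bin/sh
# Added example: file names and subjects are constructed, not the poster's files.

# Build a throwaway CA, a client cert signed by it, and an unrelated
# self-signed cert (the negative case) inside directory $1.
make_sample_pki() {
    dir=$1
    # Self-signed CA, as in step 1 of the message (-nodes: no key passphrase).
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
    # Client key and request, then the CA signs the request.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=example-client" \
        -keyout "$dir/clientkey.pem" -out "$dir/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/client.csr" -days 1 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/clientcert.pem" 2>/dev/null || return 1
    # Certificate that was never signed by the CA above.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-stranger" \
        -keyout "$dir/strangerkey.pem" -out "$dir/strangercert.pem" 2>/dev/null || return 1
}

# check_pair CAFILE CERT KEY
# Prints "ok", "untrusted" (cert does not chain to CAFILE) or
# "key-mismatch" (KEY is not the private key for CERT).
check_pair() {
    ca=$1 cert=$2 key=$3
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo untrusted; return 1
    fi
    # Compare the public key embedded in the cert with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo key-mismatch; return 1
    fi
    echo ok
}
```

Run `check_pair` with the CA file the server passes to `SSL_CTX_load_verify_locations` and the certificate and key the client loads; anything other than `ok` means the pair cannot pass verification against that CA.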
 

 
----- Original Message -----
Sent: Monday, October 02, 2000 9:29 AM
Subject: Re: Client authentication

Look at http://www.aquasecurity.com/protect/other/sslcli.cpp and
http://www.aquasecurity.com/protect/other/sslsrv.cpp

Robert Sandilands

> Carlos Serrao wrote:
>
> Hi all,
>
> can someone provide me with a good example how to handle client
> authentication on a SSL connection. I've already taken a look at the
> examples in the openssl distribution and it didn't help much.
>
> On my code I'm doing the following:
>
> 1. Using openssl I've created a self-signed CA.
> 2. After, using this CA, I created two certificates:
>     client_cert.pem with client_key.pem
>     server_cert.pem with server_key.pem
>
> 3. Then I did the following code:
>
> CLIENT:
>   SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM)
>   SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM)
>   SSL_CTX_check_private_key(ctx)
>
> in which CERTF = client_cert.pem and KEYF = client_key.pem
>
> SERVER:
>     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, NULL);
>
>     SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM)
>     SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM)
>     SSL_CTX_check_private_key(ctx)
>     SSL_CTX_load_verify_locations(ctx, CAFILE, NULL);
>     SSL_CTX_set_default_verify_paths(ctx);
>     SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAFILE));
> in which CERTF = server_cert.pem and KEYF = server_key.pem
>
> I don't know what to put in CA_FILE...?
>
> The server always responds that the client doesn't have a
> certificate...
>
>
> What AM I DOING WRONG ???
>
>
> Can someone help me ?
>
>
> Thanks in advance.
>
> Best regards,
>
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
