Hi Dave,

Never mind, I think I got the answer. The server certificate and client certificate are exchanged in the handshake.

Instead of giving the same root certificate cacert.pem, I have given clientcert.pem and servercert.pem in the soap_ssl_client_context() and soap_ssl_server_context() calls respectively. This time the handshake failed with the below error at the client side: "error:14090086:lib(20):func(144):reason(134)" and at the server side "error:14094418:lib(20):func(148):reason(1048)". But both the client certificate and the server certificate are generated from the root certificate "cacert.pem" with the below commands.

Command:
openssl x509 -req -in clientreq.pem -sha1 -extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial -out clientcert.pem -days 1095

and Command:
openssl x509 -req -in serverreq.pem -sha1 -extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial -out servercert.pem -days 1095

Please provide if you have any fix.

Thanks,
Pradeep.

pradeepreddy wrote:
>
> Thank you Dave, this is really a very informative answer.
> Now the communication is working. The following changes were made in the gsoap
> stdsoap.cpp file before the SSL_accept() call.
> //Code-start:
> u_long blocking = 0;
> ioctlsocket(fd, FIONBIO, &blocking);
> //code-ends.
>
> This communication happened with CLIENT_AUTHENTICATION set to "true" &
> SERVER_AUTHENTICATION set to "false".
>
> I observed SSL_Connect is failing with Error "SSL certificate host name
> mismatch in tcp_connect()" with SERVER_AUTHENTICATION set to "true".
>
> I verified that the host name and common name mismatch is the culprit.
>
> But can you please clear up the basic fundamentals for me: in the soap_ssl_client_context
> call, do we provide the server certificate or the client certificate? Sorry, I
> think I can debug this with further study through the code.
>
> Below are the commands I used to generate the cacert.pem file:
>
> openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
> --------
> openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out cacert.pem -days 1095
>
> For testing purposes I used this same certificate file in both the
> soap_ssl_client_context() and soap_ssl_server_context() calls.
> Do I need to change any options in the above commands to generate the server side
> certificate?
>
> Thanks,
> Pradeep reddy.
>
> Dave Thompson-5 wrote:
>>
>>> From: [email protected] On Behalf Of pradeepreddy
>>> Sent: Wednesday, 15 September, 2010 08:12
>>
>>> After some fight, I am able to make the connection. I have
>>> taken both server and client authentication as false:
>>> SOAP_SSL_REQUIRE_CLIENT_AUTHENTICATION &
>>> SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION to false. But
>>> SSL_Connect & SSL_accept are failing with errors "***
>>> error:00002733:lib(0):func(2):reason(1843)" &
>>
>> I bet this end (at least) is on Windows. Winsock errors don't
>> fit in 12 bits so OpenSSL breaks them up inappropriately.
>> 0x2733 = 10035 = WSAEWOULDBLOCK. This seems consistent with
>> some problem with nonblocking sockets, but OpenSSL shouldn't
>> be returning it as an ERR_ error, it should map it into
>> SSL_get_error WANT_READ or WANT_WRITE as appropriate.
>> Possibly your code (or gsoap) is incorrectly calling
>> ERR_error_string* on errno/[WSA]GetLastError().
>>
>>> "*** SSL_ERROR_SSL
>>> *** SSL_ERROR_SSL
>>> error:1408A0C1:lib(20):func(138):reason(193)
>>> Error 30 fault: SOAP-ENV:Server [no subcode]
>>> "Error observed by underlying BIO: No such file or directory"
>>
>> You can use the command line openssl errstr to find out 1408A0C1 is
>> SSL3_GET_CLIENT_HELLO:no shared cipher. It's unclear what file
>> got the "No such file" error, but generally the only files a
>> server needs are its private key(s)+cert(s), DH/ECDH params
>> if explicit, and maybe random seeding. I don't know if
>> REQUIRE_SERVER_AUTH false in your software means it's not
>> demanded by the client, or not supported by the server.
>> All the ciphersuites enabled by default in OpenSSL do have
>> server authentication; to use the "anonymous" suites you
>> must explicitly enable them. If you run a server with no
>> privkey+cert(s), it can't negotiate any suite allowed by a
>> client using the default list, causing "no shared cipher".
>>
>>> Detail: SSL_accept() failed in soap_ssl_accept()"
>>> respectively. I provided the client.pem keyfile, though it is not required as
>>> authentication is set to false. Please let me know your thoughts.
>>>
>>> pradeepreddy wrote:
>>> >
>>> > Hi,
>>> >
>>> > An update,
>>> >
>>> > SSL_connect is failing with SSL_ERROR_WANT_READ. I understand that the client
>>> > is waiting on the server to write some data. But I don't understand what
>>> > code to change on the server side.
>>> >
>> Nothing. WANT_READ, and WANT_WRITE, require *local*
>> handling of nonblocking sockets. If you (or gsoap)
>> does want nonblocking sockets, see the man pages
>> for SSL_read, SSL_write, and/or SSL_get_error.
>> Except if you're on Windows, you probably don't
>> have man pages. If you don't want nonblocking
>> sockets, you apparently did something wrong
>> and got them, so fix that.
>>
>> <snip some earlier>
>>
>>> >> I see the server is ready to accept the connections, as I see below
>>> >> connection established with the netstat command:
>>> >>
>>> >> TCP cspxppgudepu:15000 cspxppgudepu.com:0 LISTENING
>>> >> TCP cspxppgudepu:15000 localhost:2864 ESTABLISHED
>>> >>
>>> >> Above 15000 port is for the server.
>>> >>
>>> >> Below is the client connection:
>>> >> TCP cspxppgudepu:16000 cspxppgudepu.com:0 LISTENING
>>> >>
>> That's not a connection, only an apparently listening socket.
>> Generally a client shouldn't (also) be listening, but IME
>> at least some versions of Winsock spuriously show LISTENING
>> when you merely have the socket open (and maybe bound?).
>>
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> Development Mailing List [email protected]
>> Automated List Manager [email protected]
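Dave's point about reading the packed error codes, worked through as an added shell example (it is not part of the thread, nor code from OpenSSL or gsoap): it splits the 32-bit value that ERR_error_string() prints into the lib/func/reason fields using the OpenSSL 0.9.x/1.x layout (lib in bits 24-31, func in bits 12-23, reason in bits 0-11), and flags the lib(0) case, which is not an OpenSSL library at all and is the tell-tale of a raw OS or Winsock error number being handed to the error-string routine. The four codes fed to it are the ones quoted in the thread; the library-name table covers only the ids that appear here and is an assumption about which names a reader wants. OpenSSL 3.x dropped the func field, so the decoder applies to the 1.x-era codes discussed above.

```shell
#!/bin/sh
# Added example: decode a packed OpenSSL 1.x error code, e.g.
# "error:1408A0C1:lib(20):func(138):reason(193)" as printed by ERR_error_string().
# ERR_PACK layout (OpenSSL 0.9.x/1.x): lib = bits 24-31, func = bits 12-23,
# reason = bits 0-11. Not valid for OpenSSL 3.x, which removed the func field.

# Print "lib func reason" in decimal for a hex code given without the 0x prefix.
ssl_err_fields() {
    code=$(( 0x$1 ))
    echo "$(( (code >> 24) & 0xff )) $(( (code >> 12) & 0xfff )) $(( code & 0xfff ))"
}

# Reproduce the ERR_error_string rendering "error:XXXXXXXX:lib(L):func(F):reason(R)".
ssl_err_string() {
    set -- "$1" $(ssl_err_fields "$1")
    printf 'error:%s:lib(%d):func(%d):reason(%d)\n' "$1" "$2" "$3" "$4"
}

# Names for the library ids seen in the thread (ERR_LIB_SYS = 2, ERR_LIB_SSL = 20).
# lib 0 is not an OpenSSL library: the value is most likely a raw OS error number
# (errno / WSAGetLastError) that was passed to ERR_error_string by mistake.
ssl_err_lib_name() {
    case "$1" in
        0)  echo "none (raw OS error code?)" ;;
        2)  echo "SYS" ;;
        20) echo "SSL" ;;
        *)  echo "lib $1" ;;
    esac
}

# For a lib(0) code, recover the OS error number: the whole 32-bit value is the
# original errno, so 0x00002733 -> 10035 (WSAEWOULDBLOCK on Windows, as noted in
# the thread). Prints nothing for a genuine OpenSSL code.
ssl_err_raw_os() {
    set -- "$1" $(ssl_err_fields "$1")
    if [ "$2" -eq 0 ]; then
        echo "$(( 0x$1 ))"
    fi
    return 0
}

# Usage: decode the four codes quoted in this thread (constructed input list).
for c in 00002733 1408A0C1 14090086 14094418; do
    ssl_err_string "$c"
    lib=$(ssl_err_fields "$c" | cut -d' ' -f1)
    echo "  library: $(ssl_err_lib_name "$lib")"
    os=$(ssl_err_raw_os "$c")
    if [ -n "$os" ]; then
        echo "  raw OS error number: $os"
    fi
done
```

The field split only tells you which library and which reason number fired; to get the symbolic text (for example that 1408A0C1 is "no shared cipher"), use the `openssl errstr <hex>` command Dave mentions, which looks the numbers up in the library's own string tables. The decoder is useful precisely when `errstr` gives nothing sensible, because a lib(0) result means the number never came from OpenSSL in the first place.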
