> From: owner-openssl-...@openssl.org On Behalf Of pradeepreddy
> Sent: Monday, 20 September, 2010 09:12

> Now I understood the certificate internals.
> In my code, SSL_CTX_load_verify_locations and
> SSL_CTX_set_client_CA_list(soap->ctx,
> SSL_load_client_CA_file(soap->cafile)), these 2 calls are passed with
> servercert.pem and clientcert.pem files in the soap->cafile parameter.
> And I grabbed soap->cafile and soap->capath from
> soap_ssl_server_context &
> soap_ssl_client_context calls; in turn these two calls read
> from my own
> defined xml schema.
> 
> Instead we should pass their respective CA file, i.e.,
> cacert.pem, this is
> what I understood, correct me if I am wrong.
> 
> If we pass the cacert.pem file in these, which call in the openssl
> library will load
> the servercert.pem and clientcert.pem files, because these are 2 files
> client and server have to pass each other in the handshake?
> Please let me know.
> 
I'm sorry, but I can't understand from this what you're doing.

What needs to happen at the OpenSSL level is:

- each peer calls SSL_[CTX_]use_PrivateKey* and use_certificate* 
with ITS OWN key and certificate, e.g. client calls with 
clientkey and clientcert, server calls with serverkey and servercert.
There are several variants of these calls, but since you have 
the data in PEM files, it's easiest to use the _file variants.

- each peer calls SSL_CTX_load_verify_locations specifying 
a file which is (your private) cacert.pem, or a directory 
that contains that file. The former (one file) is easier.

- there is no need to call set_client_CA_list (or the 
misnamed load_client_CA_file). This function is needed 
(in the server only) when authenticating clients that 
(try to) select varying identities per the server,
like for example web browsers. In your case the client 
is also gsoap/OpenSSL, and it uses one configured 
identity regardless of the server CA list.

*Where* these should be done, and in particular what should be 
in your code or should be or is in gsoap I don't know.
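The three steps in the reply above, carried through as an added example that is not from this thread, from gsoap or from OpenSSL's own code. It uses Python's ssl module, which wraps the same OpenSSL calls (load_cert_chain = SSL_CTX_use_certificate_file + SSL_CTX_use_PrivateKey_file, load_verify_locations = SSL_CTX_load_verify_locations). Each peer loads ITS OWN key and certificate, both peers trust one shared cacert.pem, and no client CA list is configured. It assumes the openssl command-line tool is on PATH so it can mint a throwaway private CA, a second "rogue" CA, and server and client certificates into a temporary directory; every file name, common name and function name here is constructed for the demo. Three loopback handshakes show the configuration working, then failing when the client trusts the wrong CA, then failing when the client has no certificate of its own.

```python
"""Mutual TLS set up as in the reply: own key+cert per peer, shared CA file."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    # Run one openssl CLI command; any failure aborts the demo loudly.
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_cert(workdir, name, cn, extensions, ca=None):
    """Create <name>.key / <name>.pem in workdir (constructed demo PKI).
    ca=None: self-signed (our private CA); else issued by ca=(key, cert).
    Returns (key_path, cert_path)."""
    key, csr = os.path.join(workdir, f"{name}.key"), os.path.join(workdir, f"{name}.csr")
    crt, ext = os.path.join(workdir, f"{name}.pem"), os.path.join(workdir, f"{name}.ext")
    with open(ext, "w") as fh:
        fh.write(extensions)  # explicit extensions instead of openssl.cnf defaults
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
             "-keyout", key, "-out", csr)
    sign = ["-signkey", key] if ca is None else ["-CA", ca[1], "-CAkey", ca[0], "-CAcreateserial"]
    _openssl("x509", "-req", "-in", csr, "-days", "1", "-extfile", ext, "-out", crt, *sign)
    return key, crt


def server_context(own_cert, own_key, ca_file):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(own_cert, own_key)      # step 1: the server's OWN identity
    ctx.load_verify_locations(cafile=ca_file)   # step 2: trust anchor = cacert.pem
    ctx.verify_mode = ssl.CERT_REQUIRED         # demand and verify a client cert
    return ctx                                   # step 3: no set_client_CA_list needed


def client_context(ca_file, own_cert=None, own_key=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    ctx.load_verify_locations(cafile=ca_file)      # step 2: same cacert.pem
    if own_cert:
        ctx.load_cert_chain(own_cert, own_key)     # step 1: the client's OWN identity
    return ctx


def handshake(server_ctx, client_ctx):
    """One mutual-TLS handshake over loopback. Returns the client CN the server
    authenticated, or None if either side rejected its peer."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    seen = {}

    def serve():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                seen["cn"] = subject["commonName"]
                tls.sendall(b"ok")  # only reached if the client cert verified
        except (ssl.SSLError, OSError):
            pass  # verification failure surfaces as an alert / closed socket
        finally:
            listener.close()

    t = threading.Thread(target=serve)
    t.start()
    ok = False
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            ok = tls.recv(2) == b"ok"  # TLS 1.3 reports a rejected client cert here
    except (ssl.SSLError, OSError):
        pass
    t.join()
    return seen.get("cn") if ok else None


def run_demo():
    """Outcomes of three handshakes, or None when no openssl CLI is installed."""
    if shutil.which("openssl") is None:
        return None
    ca_ext = "basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n"
    srv_ext = "basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth\n"
    cli_ext = "basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n"
    with tempfile.TemporaryDirectory() as d:
        ca = make_cert(d, "ca", "Private CA", ca_ext)        # plays the role of cacert.pem
        rogue = make_cert(d, "rogue", "Rogue CA", ca_ext)    # a CA that did not issue anything here
        skey, scert = make_cert(d, "server", "localhost", srv_ext, ca)        # servercert.pem
        ckey, ccert = make_cert(d, "client", "gsoap-client", cli_ext, ca)     # clientcert.pem
        return {
            "proper_mtls": handshake(server_context(scert, skey, ca[1]),
                                     client_context(ca[1], ccert, ckey)),
            "client_trusts_wrong_ca": handshake(server_context(scert, skey, ca[1]),
                                                client_context(rogue[1], ccert, ckey)),
            "client_has_no_cert": handshake(server_context(scert, skey, ca[1]),
                                            client_context(ca[1])),
        }


if __name__ == "__main__":
    print(run_demo())
```

Note what each peer never loads: the server never sees clientcert.pem and the client never sees servercert.pem on disk. Those two files reach the other side only inside the handshake, and each side accepts the one it receives because it chains to cacert.pem. Passing the peer's leaf certificate to load_verify_locations, as the question describes, is not how the trust relationship is expressed.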



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org