On Tue, Jun 29, 1999 at 12:51:40PM +0200, Oliver Floericke wrote:


> is there somebody who can briefly describe how to configure an OpenSSL server
> program in such a way that it sends a list of acceptable CAs to the client?
> I'm using client authentication and would like to decide on the client side
> that the client has the proper certificates for the server.
> 
> I already used SSL_CTX_load_verify_locations(...) to check the client
> certificate, [...]

That function sets only the certificates to be used for verification
purposes (and can be used both for servers and for clients).  To also
set the list of names you need SSL_CTX_set_client_CA_list.  Example
code (tdef points to a structure holding the configuration
information, tls_output_OpenSSL_errors is a program-defined function
that outputs the OpenSSL error stack together with some additional
strings and, in case the error stack is empty, an alternative error
message):

            SSL_CTX_set_verify(tdef->server_ssl_ctx,
                               SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                               (int (*)(int, X509_STORE_CTX *)) 0);

            r = SSL_CTX_set_session_id_context(tdef->server_ssl_ctx,
                                               (void *) &context_num,
                                               (unsigned int)
                                               sizeof context_num);
            if (!r) {
                tls_output_OpenSSL_errors("", "", "", NULL);
                return 1;
            }
            context_num++;
            
            r = SSL_CTX_load_verify_locations(tdef->server_ssl_ctx,
                                              tdef->client_ca_certificates,
                                              NULL /* no CA-directory */);
            if (!r) {
                tls_output_OpenSSL_errors(" while processing certificate file ",
                                          tdef->client_ca_certificates,
                                          0, NULL);
                return 1;
            }
            
            SSL_CTX_set_client_CA_list(tdef->server_ssl_ctx,
                                       SSL_load_client_CA_file(tdef->client_ca_certificates));
            /* We could also create an empty stack ourselves and add subjects
             * by using SSL_add_file_cert_subjects_to_stack, which could
             * be used for cases where SSL_load_client_CA_file is not enough.
             * Note that SSL_load_client_CA_file is a misnomer, it actually
             * just collects the list of subjects and has nothing to do with
             * whether those are CAs or what. */
            if (SSL_CTX_get_client_CA_list(tdef->server_ssl_ctx) == NULL) {
                /* The ..._set_... function does not have a return value. */
                fprintf(stderr, "%s: Could not set the client CA list from "
                        "\"%s\".\n", Myname, tdef->client_ca_certificates);
                return 1;
            }

            assert(tdef->client_verify_depth_s == HAS_BEEN_SET);
            SSL_CTX_set_verify_depth(tdef->server_ssl_ctx,
                                     tdef->client_verify_depth);
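As an added, self-contained illustration (not part of this message, and not OpenSSL code), here is the same server/client arrangement written against Go's crypto/tls, which runs without an OpenSSL build. In Go a single field, tls.Config.ClientCAs, does the job of both SSL_CTX_load_verify_locations and SSL_CTX_set_client_CA_list: the pool is used to verify the client certificate and its subject names are put into the server's CertificateRequest. The client reads those names back from CertificateRequestInfo.AcceptableCAs and offers its certificate only when the issuer is listed, which is the client-side decision asked about above. All keys, certificates and names ("Example Client CA", "server", "alice") are generated in memory for the example; with advertise == false the server requests a certificate but names no CA, mirroring an OpenSSL server that calls only SSL_CTX_load_verify_locations.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

// check aborts on setup errors (key generation, certificate issuance, listening).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert issues a certificate for a constructed CN: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent. Every name here is made up for the example.
func makeCert(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// RunHandshake performs one handshake over loopback and returns the CA names the client saw in
// the server's CertificateRequest plus the CN of the client certificate the server received.
// advertise == true installs the CA pool as ClientCAs (Go's counterpart of SSL_CTX_set_client_CA_list).
func RunHandshake(advertise bool) (acceptableCAs []string, clientCN string, err error) {
	ca, caKey := makeCert("Example Client CA", 1, nil, nil)
	srvCert, srvKey := makeCert("server", 2, ca, caKey)
	cliCert, cliKey := makeCert("alice", 3, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequestClientCert, // ask for a certificate, but name no CA
	}
	if advertise {
		srvCfg.ClientAuth, srvCfg.ClientCAs = tls.RequireAndVerifyClientCert, pool
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	check(err)
	defer ln.Close()

	errc := make(chan error, 1)
	go func() { // server side: accept one connection, finish the handshake, note the client's CN
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			tc := conn.(*tls.Conn)
			if err = tc.Handshake(); err == nil {
				if peers := tc.ConnectionState().PeerCertificates; len(peers) > 0 {
					clientCN = peers[0].Subject.CommonName
				}
			}
		}
		errc <- err
	}()

	cliCfg := &tls.Config{
		RootCAs: pool,
		// Runs when the CertificateRequest arrives; cri.AcceptableCAs holds the DER-encoded
		// names the server advertised. Offer our certificate only if its issuer is listed.
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			usable := false
			for _, der := range cri.AcceptableCAs {
				var rdn pkix.RDNSequence
				if _, err := asn1.Unmarshal(der, &rdn); err != nil {
					return nil, err
				}
				acceptableCAs = append(acceptableCAs, rdn.String())
				usable = usable || bytes.Equal(der, cliCert.RawIssuer)
			}
			if !usable {
				return &tls.Certificate{}, nil // no listed issuer matches: send no certificate
			}
			return &tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}, nil
		},
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return nil, "", err
	}
	defer conn.Close()
	if err = <-errc; err != nil {
		return nil, "", err
	}
	return acceptableCAs, clientCN, nil
}

func main() {
	for _, adv := range []bool{true, false} {
		cas, cn, err := RunHandshake(adv)
		fmt.Printf("advertise=%v acceptable CAs=%v client CN=%q err=%v\n", adv, cas, cn, err)
	}
}
```

Run with "go run"; the first line shows the client receiving "CN=Example Client CA" and the server seeing "alice", the second shows an empty name list and no client certificate sent. The OpenSSL side differs only in that the store and the advertised list are set by two separate calls, as the reply above describes.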
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]