>Hmmm. Are you manually calling PKCS5_pbe_set() and EVP_PBE_CipherInit()?
>You shouldn't have to. This kind of thing should be automatically
>handled by the PKCS#8 code when you call SSL_CTX_use_PrivateKey_file(),
Dear Dr. Henson
Of course you were correct, I was on a wrong track. Thank you kindly.
----------
Now I can initialize my connection without receiving any error messages. But then when I call SSL_write I get this error: "235:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:490:"
Is there any way to monitor the handshake in more detail?
BTW: My server is a Java server using the JCSI library. My Java client can successfully connect to the server using client authentication.
Here is my connection code, maybe I am forgetting some initialization call?
best regards,
Ragnar Agustsson
int ClientConnectionType::connectToHost()
{
    int err = 0;
    struct sockaddr_in sa;
    X509* server_cert;
    char* str;
    SSL_METHOD *meth;

    /* ************************************** *\
     *      Windows socket initialization     *
    \* ************************************** */
    WORD wVersionRequested;
    WSADATA wsaData;

    try
    {
        wVersionRequested = MAKEWORD(2, 2);
        err = WSAStartup(wVersionRequested, &wsaData);
        if (err != 0)
        {
            throw new Exception("Could not find a usable WinSock DLL.");
        }

        /* Create a socket and connect to the server using normal socket calls. */
        m_oSocket = socket(AF_INET, SOCK_STREAM, 0);
        CHK_ERR(m_oSocket, "socket");

        memset(&sa, '\0', sizeof(sa));
        sa.sin_family      = AF_INET;
        sa.sin_addr.s_addr = inet_addr(m_sHostName);   /* Server IP */
        sa.sin_port        = htons(m_iPort);            /* Server port number */

        err = connect(m_oSocket, (struct sockaddr*) &sa, sizeof(sa));
        CHK_ERR(err, "connect");

        /* Now we have a TCP/IP connection, start the SSL negotiation */
        if (m_iType > 1)
        {
            OpenSSL_add_all_algorithms();
            SSL_load_error_strings();
            meth = SSLv3_client_method();   /* SSLv3 only; SSLv23_client_method() also negotiates TLS */
            m_pCtx = SSL_CTX_new(meth);
            CHK_NULL(m_pCtx);
            RAND_screen();

            /* Everything that configures the context (verify mode, CA store,
               own certificate and key) must happen BEFORE SSL_new(): the SSL
               object takes its own copy of these settings when it is created,
               so a certificate loaded into the context afterwards is never
               offered to the server by that SSL object. */
            SSL_CTX_set_verify(m_pCtx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify);

            /* SSL_CTX_load_verify_locations() returns 1 on success, 0 on failure */
            err = SSL_CTX_load_verify_locations(m_pCtx, m_sCACert, m_sKeyPath);
            if (err != 1) ERR_print_errors_fp(stdout);

            if (m_iType > 2)
            {
                /* Client authentication: load our own certificate and private key.
                   snprintf (_snprintf on old MSVC) instead of strcpy/strcat so a long
                   path cannot overrun the 256-byte buffers. */
                char cert_file[256];
                char key_file[256];
                snprintf(cert_file, sizeof(cert_file), "%s%s", m_sKeyPath, m_sOwnCert);
                snprintf(key_file,  sizeof(key_file),  "%s%s", m_sKeyPath, m_sOwnKey);

                if (SSL_CTX_use_certificate_file(m_pCtx, cert_file, SSL_FILETYPE_PEM) <= 0)
                {
                    ERR_print_errors_fp(stdout);
                    printf("unable to get certificate from '%s'\n", cert_file);
                    throw new Exception("connectToHostException\n");
                }
                SSL_CTX_set_default_passwd_cb(m_pCtx, passwProc);
                if (SSL_CTX_use_PrivateKey_file(m_pCtx, key_file, SSL_FILETYPE_PEM) <= 0)
                {
                    ERR_print_errors_fp(stdout);
                    printf("unable to get private key from '%s'\n", key_file);
                    throw new Exception("connectToHostException\n");
                }
                if (!SSL_CTX_check_private_key(m_pCtx))
                {
                    printf("Private key does not match the certificate public key\n");
                    throw new Exception("connectToHostException\n");
                }
            }

            /* The context is complete: now create the SSL object and attach the socket */
            m_pSSL = SSL_new(m_pCtx);
            CHK_NULL(m_pSSL);
            SSL_set_fd(m_pSSL, m_oSocket);

            /* SSL_connect() returns 1 on success. 0 means the handshake was shut
               down in a controlled way (e.g. the server sent an alert), -1 a fatal
               error. Testing only for -1 lets a failed handshake through: the next
               SSL_write() then retries it and reports "ssl handshake failure". */
            err = SSL_connect(m_pSSL);
            if (err != 1)
            {
                printf("SSL_connect failed, SSL_get_error() = %d\n", SSL_get_error(m_pSSL, err));
                ERR_print_errors_fp(stdout);
                throw new Exception("SSL_connect failed\n");
            }
            fprintf(stdout, "SSL connection established.\n");

            /* The following steps are optional and not required for data exchange. */
            /* Get the cipher - opt */
            printf("SSL connection using %s\n", SSL_get_cipher(m_pSSL));

            /* Get server's certificate (note: beware of dynamic allocation) - opt */
            server_cert = SSL_get_peer_certificate(m_pSSL);
            CHK_NULL(server_cert);
            printf("Server certificate:\n");

            str = X509_NAME_oneline(X509_get_subject_name(server_cert), 0, 0);
            CHK_NULL(str);
            printf("\t subject: %s\n", str);
            OPENSSL_free(str);   /* spelled Free() in releases before 0.9.6 */

            str = X509_NAME_oneline(X509_get_issuer_name(server_cert), 0, 0);
            CHK_NULL(str);
            printf("\t issuer: %s\n", str);
            OPENSSL_free(str);

            /* We could do all sorts of certificate verification here before
               deallocating the certificate. */
            X509_free(server_cert);
        }
    }
    catch (Exception* e)
    {
        disconnect();
        printf("Exception caught in connectToHost\n");
        printf("%s\n", e->getMsg());
        throw e;
    }
    return m_oSocket;
}
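Reading the error line quoted in the post, as an added example (this decoder is not code from the thread or from OpenSSL): every line that ERR_print_errors_fp() prints carries the thread id, a packed error code and the file and line inside libssl where the error was raised, and decoding the code into its library/function/reason fields shows the failure was raised in SSL3_WRITE_BYTES, i.e. the handshake had not completed when SSL_write() was called. The struct and function names are my own; the input is the line from the post.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added decoder for one line of ERR_print_errors_fp() output as produced by
 * OpenSSL 0.9.x/1.x (the layout seen in the post above):
 *   <thread id>:error:<hex code>:<lib name>:<func name>:<reason text>:<file>:<line>:
 * The 32-bit hex code packs library (8 bits), function (12 bits) and reason
 * (12 bits); OpenSSL 3.x no longer encodes the function. */
struct ssl_err {
    unsigned long code;
    int lib, func, reason, line;
    char libname[32], funcname[64], reasontext[96], file[128];
};

/* Split the line on ':' and unpack the code. Returns 0 on success, -1 if malformed. */
int parse_err_line(const char *text, struct ssl_err *out)
{
    char buf[512], *f[9], *p = buf;
    int n = 1;
    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    f[0] = p;
    while (n < 9 && (p = strchr(p, ':')) != NULL) { *p++ = '\0'; f[n++] = p; }
    if (n < 8 || strcmp(f[1], "error") != 0) return -1;
    memset(out, 0, sizeof *out);
    out->code   = strtoul(f[2], NULL, 16);
    out->lib    = (int)((out->code >> 24) & 0xff);   /* ERR_GET_LIB(): 20 is ERR_LIB_SSL */
    out->func   = (int)((out->code >> 12) & 0xfff);  /* ERR_GET_FUNC()   */
    out->reason = (int)(out->code & 0xfff);          /* ERR_GET_REASON() */
    snprintf(out->libname,    sizeof out->libname,    "%s", f[3]);
    snprintf(out->funcname,   sizeof out->funcname,   "%s", f[4]);
    snprintf(out->reasontext, sizeof out->reasontext, "%s", f[5]);
    snprintf(out->file,       sizeof out->file,       "%s", f[6]);
    out->line   = atoi(f[7]);
    return 0;
}

/* The line quoted in the post above (backslashes escaped for C). */
const char SAMPLE_ERR[] =
    "235:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\\ssl\\s3_pkt.c:490:";

int main(void)
{
    struct ssl_err e;
    if (parse_err_line(SAMPLE_ERR, &e) != 0) return 1;
    printf("lib %d (%s) func %d (%s) reason %d (%s) raised at %s:%d\n",
           e.lib, e.libname, e.func, e.funcname, e.reason, e.reasontext, e.file, e.line);
    return 0;
}
```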
Dr Stephen Henson <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
23.06.2000 17:30
To: [EMAIL PROTECTED]
cc:
Subject: Re: SSL_CTX_use_PrivateKey_file() problem
Hmmm. Are you manually calling PKCS5_pbe_set() and EVP_PBE_CipherInit()?
You shouldn't have to. This kind of thing should be automatically
handled by the PKCS#8 code when you call SSL_CTX_use_PrivateKey_file(),
the salt and iteration count are part of the encoded structure.
Try the openssl 'pkcs8' utility on the key:
openssl pkcs8 -in key.pem
and see if you get the same error. If you do then if you can send me a
sample key (not an important one!) with the password I'll see if I can
see what is wrong. The PKCS#8 code has been tested against a number of
other implementations and it should be OK.
Setting 0 for the iteration count is in any case unlikely to work
because OpenSSL then uses a "reasonable" large value, 2048 by default.
It doesn't follow any particular standard for that but this doesn't
matter in practice.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]