I have a client program running on Linux Red Hat 7.0 and my web server
is MS IIS 4.0.
I have generated my own self-signed CA certificate using openssl and I
have imported it successfully into IE in the trusted CA list on the
machine running my web server.
I have also generated a certificate for my web server, signed it using
my CA certificate and imported it successfully into IIS.
My client program can connect successfully to my web server and my
client program receives the server certificate successfully.
My client program can access any web page on my web server without any
problem if my web site doesn't require a client certificate.
My problem is when my web site is configured to require a client
certificate: my client program is unable to access any web page even if
the server certificate verification succeeded and the SSL_connect()
also succeeded. When my client program tries to access a web page, it
receives this message from the server: "Forbidden 407..... Forbidden 407.7
.... Contact your web server administrator to obtain a valid client
certificate."

Here is how I have generated my certificates:

For my self signed CA certificate:
$ openssl genrsa -des3 -out MyCA.key 1024
$ openssl req -new -x509 -days 365 -key MyCA.key -out MyCA.crt
$ openssl pkcs12 -export -in MyCA.crt -inkey MyCA.key -out MyCA.pfx
    => the pkcs12 command is to have my CA certificate in pkcs12 format
to be able to import it into IE.

For my server certificate:
$ openssl genrsa -des3 -out IIS.key 1024
$ openssl req -new -key IIS.key -out IIS.csr
$ openssl ca -cert MyCA.crt -in IIS.csr -keyfile MyCA.key -enddate
020101010000Z -out IIS.crt
      => here I specify an enddate to be sure the enddate of my server
certificate is not after the enddate of my CA.
      => I also removed the text part before the ---BEGIN CERTIFICATE---
from my file IIS.crt because IIS is not able to deal with it.
$ openssl rsa -in IIS.key -outform NET -out IISnet.key
      => here I change the format of my server private key file to be
able to import it into IIS.

For my client certificate:
$ openssl genrsa -des3 -out client.key 1024
$ openssl req -new -key client.key -out client.csr
$ openssl ca -cert MyCA.crt -in client.csr -keyfile MyCA.key -enddate
020101010000Z -out client.crt
      => here I specify an enddate to be sure the enddate of my client
certificate is not after the enddate of my CA.
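An added check for question 2 below (is the client certificate generated correctly?); these are not the poster's commands. The script rebuilds the CA, server and client certificates non-interactively, then tests each client certificate the way a server does before accepting it: does it chain to MyCA.crt, and does its validity window stay inside the CA's? It assumes the openssl CLI and GNU date are available, writes unencrypted keys (the post used -des3) so nothing prompts for a passphrase, and the names OtherCA, client-long and client-other are constructed for the negative cases.

```shell
#!/bin/sh
# Added example, not the poster's commands. Uses "openssl x509 -req -CA" in
# place of "openssl ca" so no openssl.cnf CA database is needed, and "-days"
# in place of "-enddate". Keys are unencrypted for the demo (assumption).
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA as in the post, with -subj instead of interactive prompts.
make_ca() {   # $1 = CA basename, $2 = CN
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.crt"
}

# Leaf certificate (server or client) signed by the named CA.
issue_cert() {   # $1 = CA basename, $2 = leaf basename, $3 = CN, $4 = days
    openssl genrsa -out "$WORK/$2.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$2.key" -subj "/CN=$3" -out "$WORK/$2.csr"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days "$4" -out "$WORK/$2.crt" 2>/dev/null
}

# notAfter of a certificate as seconds since the epoch (GNU date assumed).
not_after() {
    date -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%s
}

# Prints "ok" when certificate $2 chains to CA $1 and expires no later than
# the CA does; otherwise a one-word reason. "openssl verify" alone does not
# catch a leaf that outlives its CA, hence the separate enddate comparison.
check_client_cert() {   # $1 = CA certificate, $2 = leaf certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo untrusted; return 0; }
    [ "$(not_after "$2")" -le "$(not_after "$1")" ] || { echo outlives_ca; return 0; }
    echo ok
}

make_ca MyCA MyCA
make_ca OtherCA OtherCA                        # constructed: a CA the server does not trust
issue_cert MyCA IIS 10.255.255.253 300         # server certificate, as in the post
issue_cert MyCA client client 300              # client certificate, as in the post
issue_cert MyCA client-long client-long 400    # constructed: chains to MyCA but outlives it
issue_cert OtherCA client-other client-other 300   # constructed: wrong issuer

for c in client client-long client-other; do
    echo "$c: $(check_client_cert "$WORK/MyCA.crt" "$WORK/$c.crt")"
done
```

Run it with WORK pointing at an empty directory; only a client certificate that reports "ok" here is worth debugging on the IIS side.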

Here is my client program code:
...
SSL_library_init();
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
SSLeay_add_ssl_algorithms();
pSSLContext = SSL_CTX_new(SSLv23_client_method());
if (pSSLContext)
{
    if (SSL_CTX_load_verify_locations(pSSLContext,
                                      "/etc/httpd/conf/MyCA.crt", "/etc/httpd/conf/"))
    {
        SSL_CTX_set_verify(pSSLContext, SSL_VERIFY_PEER, NULL);

        if (SSL_CTX_use_certificate_file(pSSLContext,
                                         "/etc/httpd/conf/client.crt", SSL_FILETYPE_PEM) == 1)
        {
            if (SSL_CTX_use_PrivateKey_file(pSSLContext,
                                            "/etc/httpd/conf/client.key", SSL_FILETYPE_PEM) == 1)
            {
                pSSLConnection = SSL_new(pSSLContext);
                if (pSSLConnection)
                {
                    SSL_set_cipher_list(pSSLConnection, SSL_TXT_ALL);
                    if (SSL_set_fd(pSSLConnection, iSockId) == 1)
                    {
                        if (SSL_connect(pSSLConnection) == 1)
                        {
                            server_cert = SSL_get_peer_certificate(pSSLConnection);
                            if (server_cert)
                            {
                                if (SSL_get_verify_result(pSSLConnection) == X509_V_OK)
                                {
                                    X509Buffer = new char[4097];
                                    if (X509Buffer)
                                    {
                                        memset(X509Buffer, 0, 4097);
                                        X509_NAME_oneline(X509_get_subject_name(server_cert),
                                                          X509Buffer, 4096);
                                        // Here my server certificate is OK.
                                        memset(X509Buffer, 0, 4097);
                                        X509_NAME_oneline(X509_get_issuer_name(server_cert),
                                                          X509Buffer, 4096);
                                        // Here the CA info. is OK.
                                        delete[] X509Buffer;   // allocated with new[], so delete[] and not free()

                                        // The length given to SSL_write must match the request text
                                        // (47 bytes here, not a hard-coded 58).
                                        const char szRequest[] =
                                            "GET /Main.asp HTTP/1.1\r\nHost:10.255.255.253\r\n\r\n";
                                        const int iRequestLen = sizeof(szRequest) - 1;
                                        iResLen = SSL_write(pSSLConnection, szRequest, iRequestLen);
                                        if (iResLen == iRequestLen)
                                        {   // Read server response.
                                            struct timeval tv;
                                            fd_set rfds;
                                            iReadResult = 0;

                                            iResult = fcntl(iSockId, F_SETFL, O_NONBLOCK);
                                        Retry:
                                            // select() modifies rfds (and tv on Linux), so rebuild both on every retry.
                                            FD_ZERO(&rfds);
                                            FD_SET(iSockId, &rfds);
                                            tv.tv_sec = 5;
                                            tv.tv_usec = 0;

                                            if ((iResult == 0) &&
                                                select(iSockId + 1, &rfds, NULL, NULL, &tv) > 0)
                                            {
                                                memset(sDVHTTPResponse, 0, iDVResLen + 1);
                                                memset(sTemp, 0, iDVResLen + 1);

                                                // Here, when my web server requires a client certificate,
                                                // SSL_read fails 2 or 3 times with the error SSL_ERROR_WANT_READ
                                                // before receiving the error message from the web server.

                                                while ((iReadResult = SSL_read(pSSLConnection,
                                                                               sDVHTTPResponse, iDVResLen)) > 0)
                                                {   // The buffer sDVHTTPResponse is full and maybe more data
                                                    // must be read => save the data and try to read more data.
                                                    strcpy(sTemp, sDVHTTPResponse);
                                                    memset(sDVHTTPResponse, 0, iDVResLen);
                                                }

                                                if (strlen(sDVHTTPResponse) == 0)
                                                    strcpy(sDVHTTPResponse, sTemp);

                                                if (strlen(sDVHTTPResponse) == 0) // Verify if sDVHTTPResponse is empty again!
                                                {
                                                    switch (SSL_get_error(pSSLConnection, iReadResult))
                                                    {
                                                        case SSL_ERROR_ZERO_RETURN:
                                                            iResult = DV_ERROR;
                                                            break;
                                                        case SSL_ERROR_WANT_READ:
                                                            goto Retry;
                                                        case SSL_ERROR_WANT_X509_LOOKUP:
                                                            iResult = DV_ERROR;
                                                            break;
                                                        case SSL_ERROR_SYSCALL:
                                                            iResult = errno;
                                                            break;
                                                        case SSL_ERROR_SSL:
                                                            iResult = DV_ERROR;
                                                            break;
                                                    }
                                                }
                                            }
                                        }
                                    }
                                }
                                X509_free(server_cert);
                            }
                        }
                    }
                }
            }
        }
    }
}
...

What is wrong?????
1- Is it my code?
2- Is it because my client certificate is not generated correctly?
3- Is it because I need to do something on IIS to accept my client
certificate?

Does somebody have an idea?

Thanks in advance for response(s).
Dan.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]