Hello,
To my knowledge, whenever a webserver is configured for SSL client
authentication, it sends all CA certificates which it (the webserver) trusts to
the client during the handshake. The client can make a connection only if it got
its certificate from one of those CAs. In your case it is perfectly fine as you
got your client certificate and web server certificate from the same
self-signed CA cert. But in IIS you need to do something extra to make IIS
trust a CA cert. The steps are as follows:
1. You import the CA certificate into the trusted CA certs of IE.
2. Open a command prompt and run the following command in your Windows
directory:
c:\winnt\system32\inetsrv\>iisca
(Search for IISCA.exe to find where it is located on your machine.)
3. You will get a message saying "List of valid Certifying Authorities
(CA) successfully transferred to IIS".
4. Stop your web service and restart it. Try rebooting your machine in the
worst case.
This process installs all trusted CA certificates in IE into IIS's trusted
CA store.
I have been successful this way with my own CA certificate, but I used IE and
Netscape browsers as clients. Further information is also available in the IIS
help. Hope this works for you. All the best.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Villeneuve
Sent: Thursday, January 18, 2001 5:10 AM
To: [EMAIL PROTECTED]
Subject: Problem with client certificate with IIS 4.0
I have a client program running on Linux Red Hat 7.0 and my web server
is MS IIS 4.0.
I have generated my own self-signed CA certificate using openssl and I
have imported it successfully into IE in the trusted CA list on the
machine running my web server.
I have also generated a certificate for my web server, signed it using
my CA certificate and imported it successfully into IIS.
My client program can connect successfully to my web server and my
client program receives the server certificate successfully.
My client program can access any web page on my web server without any
problem if my web site doesn't require a client certificate.
My problem is when my web site is configured to require a client
certificate: my client program is unable to access any web page even
though the server certificate verification succeeded and SSL_connect()
also succeeded. When my client program tries to access a web page, it
receives this message from the server: "Forbidden 407..... Forbidden 407.7
.... Contact your web server administrator to obtain a valid client
certificate."
Here is how I generated my certificates:
For my self-signed CA certificate:
$ openssl genrsa -des3 -out MyCA.key 1024
$ openssl req -new -x509 -days 365 -key MyCA.key -out MyCA.crt
$ openssl pkcs12 -export -in MyCA.crt -inkey MyCA.key -out MyCA.pfx
=> the pkcs12 command is to have my CA certificate in PKCS#12 format
to be able to import it into IE.
For my server certificate:
$ openssl genrsa -des3 -out IIS.key 1024
$ openssl req -new -key IIS.key -out IIS.csr
$ openssl ca -cert MyCA.crt -in IIS.csr -keyfile MyCA.key -enddate 020101010000Z -out IIS.crt
=> here I specify an end date to be sure the end date of my server
certificate is not after the end date of my CA.
=> I also remove the text part before the -----BEGIN CERTIFICATE-----
from my file IIS.crt because IIS is not able to deal with it.
$ openssl rsa -in IIS.key -outform NET -out IISnet.key
=> here I change the format of my server private key file to be
able to import it into IIS.
For my client certificate:
$ openssl genrsa -des3 -out client.key 1024
$ openssl req -new -key client.key -out client.csr
$ openssl ca -cert MyCA.crt -in client.csr -keyfile MyCA.key -enddate 020101010000Z -out client.crt
=> here I specify an end date to be sure the end date of my client
certificate is not after the end date of my CA.
Here is my client program code:
...
/* Headers needed by the fragment below. The variables it uses
   (pSSLContext, pSSLConnection, server_cert, X509Buffer, iSockId,
   iResLen, iReadResult, iResult, sDVHTTPResponse, iDVResLen, DV_ERROR)
   are declared in the elided part of the program. */
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/crypto.h>
#include <sys/select.h>
#include <sys/time.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
...
SSL_library_init();
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
SSLeay_add_ssl_algorithms();
pSSLContext = SSL_CTX_new(SSLv23_client_method());
if (pSSLContext)
{
  // Trust only my own CA when verifying the server certificate.
  if (SSL_CTX_load_verify_locations(pSSLContext,
        "/etc/httpd/conf/MyCA.crt", "/etc/httpd/conf/"))
  {
    SSL_CTX_set_verify(pSSLContext, SSL_VERIFY_PEER, NULL);
    // Client certificate and private key, offered when the server asks for one.
    if (SSL_CTX_use_certificate_file(pSSLContext,
          "/etc/httpd/conf/client.crt", SSL_FILETYPE_PEM) == 1)
    {
      if (SSL_CTX_use_PrivateKey_file(pSSLContext,
            "/etc/httpd/conf/client.key", SSL_FILETYPE_PEM) == 1)
      {
        pSSLConnection = SSL_new(pSSLContext);
        if (pSSLConnection)
        {
          SSL_set_cipher_list(pSSLConnection, SSL_TXT_ALL);
          if (SSL_set_fd(pSSLConnection, iSockId) == 1)
          {
            if (SSL_connect(pSSLConnection) == 1)
            {
              server_cert = SSL_get_peer_certificate(pSSLConnection);
              if (server_cert)
              {
                if (SSL_get_verify_result(pSSLConnection) == X509_V_OK)
                {
                  X509Buffer = new char[4097];
                  if (X509Buffer)
                  {
                    memset(X509Buffer, 0, 4097);
                    X509_NAME_oneline(X509_get_subject_name(server_cert),
                                      X509Buffer, 4096);
                    // Here my server certificate is OK.
                    memset(X509Buffer, 0, 4097);
                    X509_NAME_oneline(X509_get_issuer_name(server_cert),
                                      X509Buffer, 4096);
                    // Here the CA info. is OK.
                    delete[] X509Buffer;  // allocated with new[]; free() was wrong here
                    const char *sRequest =
                      "GET /Main.asp HTTP/1.1\r\nHost:10.255.255.253\r\n\r\n";
                    // Length taken from the string; the hard-coded 58 was longer
                    // than the literal and made SSL_write read past its end.
                    int iReqLen = (int)strlen(sRequest);
                    iResLen = SSL_write(pSSLConnection, sRequest, iReqLen);
                    if (iResLen == iReqLen)
                    { // Read server response.
                      struct timeval tv;
                      fd_set rfds;
                      int iFd = SSL_get_fd(pSSLConnection);  // was a second iSockId shadowing the outer one
                      int nRead = 0;                         // bytes of response collected so far
                      iReadResult = 0;
                      iResult = fcntl(iFd, F_SETFL, O_NONBLOCK);
                      memset(sDVHTTPResponse, 0, iDVResLen + 1);
                      while (iResult == 0)
                      {
                        // select() modifies rfds and tv, so re-arm them on every retry
                        // (the goto Retry in the original jumped back without doing so).
                        FD_ZERO(&rfds);
                        FD_SET(iFd, &rfds);
                        tv.tv_sec = 5;
                        tv.tv_usec = 0;
                        if (select(iFd + 1, &rfds, NULL, NULL, &tv) <= 0)
                          break;  // timeout or select() failure
                        // Here, when my web server require a client certificate, SSL_read fail
                        // 2 or 3 times with the error SSL_ERROR_WANT_READ
                        // before receiving the error message from the web server.
                        iReadResult = SSL_read(pSSLConnection, sDVHTTPResponse + nRead,
                                               iDVResLen - nRead);
                        if (iReadResult > 0)
                        { // Append to the response and try to read more data
                          // (the original strcpy'd each chunk over the previous one).
                          nRead += iReadResult;
                          if (nRead >= iDVResLen)
                            break;  // the buffer sDVHTTPResponse is full
                          continue;
                        }
                        if (nRead > 0)
                          break;  // a response was received; nothing more is readable right now
                        switch (SSL_get_error(pSSLConnection, iReadResult))
                        {
                          case SSL_ERROR_ZERO_RETURN:
                            iResult = DV_ERROR;
                            break;
                          case SSL_ERROR_WANT_READ:
                            continue;  // wait in select() again and retry SSL_read
                          case SSL_ERROR_WANT_X509_LOOKUP:
                            iResult = DV_ERROR;
                            break;
                          case SSL_ERROR_SYSCALL:
                            iResult = errno;
                            break;
                          case SSL_ERROR_SSL:
                            iResult = DV_ERROR;
                            break;
                        }
                        break;
                      }
                    }
                  }
                }
                X509_free(server_cert);
              }
            }
          }
        }
      }
    }
  }
}
...
What is wrong?????
1- Is it my code?
2- Is it because my client certificate is not generated correctly?
3- Is it because I need to do something on IIS to accept my client
certificate?
Does somebody have an idea?
Thanks in advance for the response(s).
Dan.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
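As an added check that is not part of the original post (example script, not Dan's code): the script below rebuilds the CA, server and client certificates described above with throwaway unencrypted keys, using openssl x509 -req in place of the openssl ca setup, and tests whether a client certificate chains to MyCA.crt and whether the CA stays valid for the whole lifetime of that client certificate. The subject names, the 2048-bit keys and the 30/400-day lifetimes are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original post. Rebuilds the CA / server /
# client setup described above and runs the two checks a server doing
# client authentication applies: does the leaf chain to MyCA.crt, and is
# the CA still valid for the leaf's whole lifetime. Assumptions: keys are
# unencrypted (no -des3) so nothing prompts, 2048-bit instead of 1024,
# openssl x509 -req signs instead of openssl ca, subjects are invented.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA valid 365 days (as in the post), then a server and a
# client certificate signed by it for $1 days.
build_pki() {
    LEAF_DAYS=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout MyCA.key -out MyCA.crt \
        -days 365 -subj "/CN=MyCA" >/dev/null 2>&1
    for name in IIS client; do
        openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
            -subj "/CN=$name" >/dev/null 2>&1
        openssl x509 -req -in "$name.csr" -CA MyCA.crt -CAkey MyCA.key \
            -CAcreateserial -days "$LEAF_DAYS" -out "$name.crt" >/dev/null 2>&1
    done
}

# "ok" when $1 verifies against MyCA.crt right now, otherwise "fail".
verify_chain() {
    if openssl verify -CAfile MyCA.crt "$1" >/dev/null 2>&1; then
        echo ok; else echo fail; fi
}

# "ok" when $1 still verifies one hour before it expires, i.e. the leaf
# does not outlive the CA; this is what the -enddate option in the
# original openssl ca commands was protecting against.
valid_to_expiry() {
    at=$(( $(date +%s) + LEAF_DAYS * 86400 - 3600 ))
    if openssl verify -CAfile MyCA.crt -attime "$at" "$1" >/dev/null 2>&1; then
        echo ok; else echo fail; fi
}

build_pki 30
echo "server chains to CA:          $(verify_chain IIS.crt)"
echo "client chains to CA:          $(verify_chain client.crt)"
echo "client valid to its expiry:   $(valid_to_expiry client.crt)"
# Same client signed for 400 days: it chains today but outlives the CA.
build_pki 400
echo "400-day client chains today:  $(verify_chain client.crt)"
echo "400-day client at its expiry: $(valid_to_expiry client.crt)"
```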