SSL client certificate checking

Marius Cabas Tue, 17 Jun 2003 00:49:59 -0700

Hi, from an SSL server side I want to check the client certificate/private key but I 
don't know how to do this. Below I have wrote a small server sample and it's client. I 
don't know if it's correct what I did.


// SSL Server
int  listen_sd = socket(AF_INET, SOCK_STREAM, 0);
  
sockaddr_in  sa_serv;
memset(&sa_serv, '\0', sizeof(sa_serv));
sa_serv.sin_family      = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port        = htons (8001);
  
bind(listen_sd, (sockaddr*)&sa_serv, sizeof(sa_serv));
listen(listen_sd, 5);
  
sockaddr_in  sa_cli;
size_t       client_len = sizeof(sa_cli);
int          sd = accept(listen_sd, (sockaddr*)&sa_cli,(int*)&client_len);
closesocket(listen_sd);

SSLeay_add_ssl_algorithms();
SSL_CTX*  ctx = SSL_CTX_new(SSLv3_server_method());
 
SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM);
if(!SSL_CTX_check_private_key(ctx))
 exit(1);

SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);

SSL*  ssl = SSL_new(ctx);
SSL_set_fd(ssl, sd);
CHK_SSL(SSL_accept(ssl));

X509*  client_cert = SSL_get_peer_certificate(ssl);
if(client_cert != NULL) // is always NULL. why?
{
  printf("Client certificate:\n");
  char* str = X509_NAME_oneline(X509_get_subject_name(client_cert), 0, 0);      
  
  printf("\t subject: %s\n", str);
  free(str);
    
  str = X509_NAME_oneline(X509_get_issuer_name(client_cert), 0, 0);
  printf("\t issuer: %s\n", str);
  free(str);
    
  X509_free(client_cert);
}
.....
// reading/writing operations and cleaning up
.....

and the client looks like this:
// SSL Client
SSLeay_add_ssl_algorithms();
SSL_METHOD*  meth = SSLv3_client_method();
SSL_CTX*     ctx = SSL_CTX_new(meth);

SSL_CTX_use_certificate_chain_file(ctx, CERTF);
SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM);
 
int  sd = socket(AF_INET, SOCK_STREAM, 0);     
 
sockaddr_in sa;
memset(&sa, '\0', sizeof(sa));
sa.sin_family      = AF_INET;
sa.sin_addr.s_addr = inet_addr("127.0.0.1"); // Server IP
sa.sin_port        = htons(8001);            // Server Port number

connect(sd, (sockaddr*)&sa, sizeof(sa));

SSL*    ssl = SSL_new (ctx);
SSL_set_fd(ssl, sd);
SSL_connect(ssl);
.....
// reading/writing operations and cleaning up
.....


What is wrong on the code above?


____________________________________________________________
Get advanced SPAM filtering on Webmail or POP Mail ... Get Lycos Mail!
http://login.mail.lycos.com/r/referral?aid=27005
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

SSL client certificate checking

Reply via email to