Hi, I'm trying to embed (aka hard-code) certificates into my client's binaries, but end up with following error from my client:
** MySSL.cpp:447 Error connecting to remote machine
1024:error:0200206F:system library:connect:Connection refused:bss_conn.c:269:host=localhost:16001
1024:error:20073067:BIO routines:CONN_STATE:connect error:bss_conn.c:273:
I know I'm messing up certificates somewhere, as a sample server complains with:
** myserver.c:191 Error accepting SSL connection
1026:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:1918:
Briefly here's what I did:
1. generated certificates with:
...
# --client--
$(OPENSSL) req -nodes -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem -config client.cnf -reqexts req_extensions
$(OPENSSL) x509 -C -req -in clientreq.pem -sha1 -extfile client.cnf -extensions certificate_extensions -CA root.pem -CAkey root.pem -CAcreateserial -out clientcert.pem > clientcert.h
$(CAT) clientcert.pem clientkey.pem rootcert.pem > client.pem
...
2. embedded (or rather attempted to) certs like this: //#define CERTFILE "client.pem" //#define CAFILE "rootcert.pem" #include "clientcert.h" #include "rootcert.h" #define CADIR NULL
SSL_CTX *MySSL::setup_client_ctx(void) { SSL_CTX *ctx; ctx = SSL_CTX_new(SSLv3_method( )); int len; unsigned char *buf; X509 *x = NULL; X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx);
/* NOTES: clientcert_subject_name clientcert_public_key clientcert_certificate rootcert_subject_name rootcert_public_key rootcert_certificate
These are the unsigned char arrays generated by previous makefile,
and living in "clientcert.h" and "rootcert.h",
but I don't quite understand right now what they're for (besides the obvious),
and which I need to embed, etc.
so basically for each one I did the following:
*/
buf = clientcert_certificate; len = i2d_X509(x, &buf); if (len < 0) int_error("VIO[307]:Error loading --"); X509_STORE_add_cert(cert_store,x); if(x != NULL) X509_free(x);
buf = clientcert_subject_name; len = i2d_X509(x, &buf); if (len < 0) int_error("VIO[307]:Error loading --"); X509_STORE_add_cert(cert_store,x); if(x != NULL) X509_free(x);
... and so on
Any help appreciated, obviously. Cheers, Vio
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]