Hi,
I'm trying to embed (aka hard-code) certificates into my client's binaries,
but end up with the following error from my client:

** MySSL.cpp:447 Error connecting to remote machine
1024:error:0200206F:system library:connect:Connection refused:bss_conn.c:269:host=localhost:16001
1024:error:20073067:BIO routines:CONN_STATE:connect error:bss_conn.c:273:


I know I'm messing up certificates somewhere, as a sample server complains with:
** myserver.c:191 Error accepting SSL connection
1026:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:1918:



Briefly here's what I did:

1. generated certificates with:
...
# --client--
$(OPENSSL) req -nodes -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem -config client.cnf -reqexts req_extensions
$(OPENSSL) x509 -C -req -in clientreq.pem -sha1 -extfile client.cnf -extensions certificate_extensions -CA root.pem -CAkey root.pem -CAcreateserial -out clientcert.pem > clientcert.h
$(CAT) clientcert.pem clientkey.pem rootcert.pem > client.pem
...



2. embedded (or rather attempted to) certs like this:

//#define CERTFILE "client.pem"
//#define CAFILE "rootcert.pem"
#include "clientcert.h"
#include "rootcert.h"
#define CADIR NULL

SSL_CTX *MySSL::setup_client_ctx(void)
{
SSL_CTX *ctx;
ctx = SSL_CTX_new(SSLv3_method());
int len;
unsigned char *buf;
X509 *x = NULL;
X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx);

/* NOTES:
clientcert_subject_name
clientcert_public_key
clientcert_certificate
rootcert_subject_name
rootcert_public_key
rootcert_certificate

These are the unsigned char arrays generated by previous makefile,
and living in "clientcert.h" and "rootcert.h",
but I don't quite understand right now what they're for (besides the obvious),
and which I need to embed, etc.
so basically for each one I did the following:
*/


buf = clientcert_certificate;
len = i2d_X509(x, &buf);
if (len < 0)
int_error("VIO[307]:Error loading --");
X509_STORE_add_cert(cert_store,x);
if(x != NULL)
X509_free(x);


buf = clientcert_subject_name;
len = i2d_X509(x, &buf);
if (len < 0)
int_error("VIO[307]:Error loading --");
X509_STORE_add_cert(cert_store,x);
if(x != NULL)
X509_free(x);

... and so on

Any help appreciated, obviously.
Cheers,
Vio


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
