Re: RE : SSL_CTX_set_client_CA_list functions

Wed, 07 Dec 2005 13:42:42 -0800 

Mark wrote:


Our application is a client/server application for which we (i.e. the
server)
need to authenticate the client (users) and hence we are the only CA
allowed.
This is not a public application so the server and all the client certs
are
signed by us.  Client authorisation is very important for us.  We (well
me)
will be developing all the server software and a API for the client
applications.
I have already written a prototype with much help from this list, but I
need
to understand how to make the communications properly secure.


Let me guess:

root CA  -- signs --> client cert
         \- signs --> server cert

To do verify on both sides you need:
* client: client key, client cert, root cert (to verify server cert)
* server: server key, server cert, root cert (to verify client cert)

* On server:
  * tell SSL which cert and key you use:
    SSL_CTX_use_PrivateKey_file()
    SSL_CTX_use_certificate_file()
  * if your server cert is signed by the root,
    you can turn off sending of the root to the cert by
    SSL_CTX_set_mode(ctx,SL_MODE_NO_AUTO_CHAIN)
  * add the CA cert to the servers verify data
    X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx),root)
  * activate verify
    SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER |
                           SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
                           SSL_VERIFY_CLIENT_ONCE,cb)
   (AFAIR cb could be NULL and OpenSSL used default build in)
  * Tell SSL which cert names it should send to client (and
    which CA certs are accepted for client auth)
    SSL_CTX_add_client_CA(xtx,root)

* On Client:
  * tell SSL which cert and key you use:
    SSL_CTX_use_PrivateKey_file()
    SSL_CTX_use_certificate_file()
  * add the CA cert to the servers verify data
    X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx),root)
  * activate verify
    SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER |
                           SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
                           SSL_VERIFY_CLIENT_ONCE,cb)
   (AFAIR cb could be NULL and OpenSSL used default build in)


I guess what I really want to know what would happen if I don't use the
SSL_CTX_set_client_CA_list() function.  The manual page seems to suggest
there is a default value but I don't know what it is.


AFAIR there will no list of client CA names sent to the client.


Each client will only have one certificate.   Do I need to use a client
cert callback in this case?


No.


Does SSL_load_client_CA_file() load the relevent 

information from the

root certificate or do I have to do something else to get this info?

You can use it on server side to load
the list of CA names the server accepts
(if he points his verify data to this file)


I guess this all boils down to what default CA list OpenSSL uses?


This boils down to the list of client CAs the server will accept
from the client...

There are two things you must set on the server:
what CA certificates to use in verify
and what CA certificates to tell the client the server accepts.

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many



Attachment:
smime.p7s

Description: S/MIME Cryptographic Signature






















					Reply via email to