Mark wrote:
Our application is a client/server application for which we (i.e. the server) need to authenticate the client (users) and hence we are the only CA allowed. This is not a public application so the server and all the client certs are signed by us. Client authorisation is very important for us. We (well me) will be developing all the server software and a API for the client applications. I have already written a prototype with much help from this list, but I need to understand how to make the communications properly secure.
Let me guess: root CA -- signs --> client cert \- signs --> server cert To do verify on both sides you need: * client: client key, client cert, root cert (to verify server cert) * server: server key, server cert, root cert (to verify client cert) * On server: * tell SSL which cert and key you use: SSL_CTX_use_PrivateKey_file() SSL_CTX_use_certificate_file() * if your server cert is signed by the root, you can turn off sending of the root to the cert by SSL_CTX_set_mode(ctx,SL_MODE_NO_AUTO_CHAIN) * add the CA cert to the servers verify data X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx),root) * activate verify SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE,cb) (AFAIR cb could be NULL and OpenSSL used default build in) * Tell SSL which cert names it should send to client (and which CA certs are accepted for client auth) SSL_CTX_add_client_CA(xtx,root) * On Client: * tell SSL which cert and key you use: SSL_CTX_use_PrivateKey_file() SSL_CTX_use_certificate_file() * add the CA cert to the servers verify data X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx),root) * activate verify SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE,cb) (AFAIR cb could be NULL and OpenSSL used default build in)
I guess what I really want to know what would happen if I don't use the SSL_CTX_set_client_CA_list() function. The manual page seems to suggest there is a default value but I don't know what it is.
AFAIR there will no list of client CA names sent to the client.
Each client will only have one certificate. Do I need to use a client cert callback in this case?
No.
Does SSL_load_client_CA_file() load the releventinformation from theroot certificate or do I have to do something else to get this info?You can use it on server side to load the list of CA names the server accepts (if he points his verify data to this file)I guess this all boils down to what default CA list OpenSSL uses?
This boils down to the list of client CAs the server will accept from the client... There are two things you must set on the server: what CA certificates to use in verify and what CA certificates to tell the client the server accepts. Bye Goetz -- DMCA: The greed of the few outweighs the freedom of the many
smime.p7s
Description: S/MIME Cryptographic Signature