Hi
I don't remember the internals of the SSL_CTX and SSL structures but t
we need to create SSL object once all the initialization of SSL_CTX is
completed...
m_ssl=SSL_new(m_ctx);
should come after all the calls to add cipher etc. that sets something
in the context are done else the m_ssl willn't inherit those
properties (unless it uses the pCtx stored inside to access those.)...
Actually some stuff (like Cert/Key) is copied inside SSL and some
stuff is referred from SSL thru pCtx from its CTX. So if sth is copied
to SSL than such init must be done before creating the SSL object..
HTH
-Krishna
On 8/18/06, Florian G otter <[EMAIL PROTECTED]> wrote:
Hello !
Here is again the complete code as of now.
The restricitions are removed so far.
Output from Server:
SSL PrivateKey opened successfully
LOG; Now accepting connections on fd...connection accepted.
LOG; Now accepting (ssl)...SSL Handshake (SSL_accept) failed - error
code -1
SSH Handshake error 1= SSL_ERROR_SSLErr during Handshake from SSL error
queue: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
cipher
Output from Client:
bin/Linux_2.6.4# ./testConsumer
SSL certificate opened successfully
LOG; Trying to connect (fd)...connected.
LOG; Trying to connect (ssl)...connecting SSL socket failed
Many thanks !
Florian
--
server.c
----------------------------------------------------
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <iostream.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include </usr/include/openssl/ssl.h>
#include </usr/include/openssl/err.h>
#include </usr/include/openssl/crypto.h>
#include </usr/include/openssl/x509.h>
#include </usr/include/openssl/pem.h>
#include <unistd.h>
#define certificate_file "/root/security/server.crt"
#define key_file "/root/security/server.key"
#define CA_FILE "/certs/1024scert.pem"
int main()
{
int m_fd;
SSL* m_ssl;
SSL_CTX* m_ctx;
SSL_library_init();
SSL_load_error_strings();
m_ctx=SSL_CTX_new(SSLv3_server_method());
if(!m_ctx)
{
cout << "failed to create SSL context" << endl;
}
m_ssl=SSL_new(m_ctx);
OpenSSL_add_all_algorithms();
if(!m_ssl)
{
cout << "failed to create SSL structure" << endl;
}
if((SSL_use_PrivateKey_file(m_ssl,key_file,1))!=1)
{
cout << "SSL PrivateKey file error - did not open" << endl;
}
else
{
cout << "SSL PrivateKey opened successfully" << endl;
}
// Create socket.
if ((m_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
{
cout << "Failed to create socket." << endl;
}
// Assign a port adress to the socket.
struct sockaddr_in local_addr;
memset((char *) &local_addr, 0, sizeof(sockaddr_in)); // zero out
local
address
local_addr.sin_family = AF_INET;
local_addr.sin_addr.s_addr = inet_addr("10.1.18.65");
local_addr.sin_port = 2000;
if (bind(m_fd, (struct sockaddr *) &local_addr, sizeof(local_addr)) ==
-1)
{
cout << "Failed to assign adress to socket." << endl;
}
// Start listening.
if (listen(m_fd, 128) == -1)
{
cout << "Failed to listen to port." << endl;
}
struct sockaddr_in rem_add;
socklen_t size(sizeof(sockaddr_in));
memset((char *)&rem_add, 0, size);
// Accept connections.
cout << "LOG; Now accepting connections on fd...";
if ((m_fd = accept(m_fd, (struct sockaddr *)&rem_add, &size)) == -1)
{
cout << "failed" << endl;
}
else
{
cout << "connection accepted."<< endl;
if(SSL_set_fd(m_ssl, m_fd)!=1) //Mask initial FD as SSL socket -
from
here only use the ssl FD
{
cout << "Opening SSL connection FD failed" << endl;
}
cout << "LOG; Now accepting (ssl)...";
// !!!
int a(SSL_accept(m_ssl));
if(a==1) // Wait for SSL Handshake from the other side
{
cout << "SSL Handshake successful" << endl;
}
else
{
cout << "SSL Handshake (SSL_accept) failed - error code " << a <<
endl;
int length(0);
int errorCode = SSL_get_error(m_ssl, length);
cout << "SSH Handshake error " << errorCode << "= ";
switch (errorCode)
{
case SSL_ERROR_NONE: cout << "SSL_ERROR_NONE";
break;
case SSL_ERROR_ZERO_RETURN: cout << "SSL_ERROR_ZERO_RETURN";
break;
case SSL_ERROR_WANT_READ: cout << "SSL_ERROR_WANT_READ";
break;
case SSL_ERROR_WANT_WRITE: cout << "SSL_ERROR_WANT_WRITE";
break;
case SSL_ERROR_WANT_CONNECT: cout << "SSL_ERROR_WANT_CONNECT";
break;
case SSL_ERROR_WANT_ACCEPT: cout << "SSL_ERROR_WANT_ACCEPT";
break;
case SSL_ERROR_WANT_X509_LOOKUP: cout <<
"SSL_ERROR_WANT_X509_LOOKUP";
break;
case SSL_ERROR_SYSCALL: cout << "SSL_ERROR_SYSCALL";
break;
case SSL_ERROR_SSL: cout << "SSL_ERROR_SSL";
break;
}
unsigned long err(ERR_get_error());
cout << "Err during Handshake from SSL error queue: " <<
ERR_error_string(err, NULL) << endl;
}
}
}
----------------------------------------------------
client.c
----------------------------------------------------
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <iostream.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include </usr/include/openssl/ssl.h>
#include </usr/include/openssl/err.h>
#include </usr/include/openssl/crypto.h>
#include </usr/include/openssl/x509.h>
#include </usr/include/openssl/pem.h>
#include <unistd.h>
#define certificate_file "/root/security/server.crt"
#define key_file "/root/security/server.key"
#define CA_FILE "/certs/1024scert.pem"
enum messageType_e
{
MESSAGE_TYPE_REQUEST,
MESSAGE_TYPE_RETURN,
MESSAGE_TYPE_RESPONSE,
MESSAGE_TYPE_DATAGRAM
};
int main()
{
int m_fd;
SSL* m_ssl;
SSL_CTX* m_ctx;
SSL_library_init(); //FG: Initialize the SSL Libs
SSL_load_error_strings(); //FG: Load the error messages
// Create socket.
if ((m_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
{
cout << "Failed to create non-secure socket." << endl;
}
struct sockaddr_in remote_addr;
// SSL_CTX *ssl_ctx_server = SSL_CTX_new(SSLv23_server_method());
m_ctx=SSL_CTX_new(SSLv3_client_method()); //FG: create a secure
context
if(!m_ctx)
{
cout << "failed to create SSL context" << endl;
}
m_ssl=SSL_new(m_ctx);
if(!m_ssl)
{
cout << "failed to create SSL structure" << endl;
}
OpenSSL_add_all_algorithms();
if((SSL_use_certificate_file(m_ssl,certificate_file,1))!=1) //FG:
Define SSL certificate to use
{
cout << "SSL certificate file error - did not open" << endl;
}
else
{
cout << "SSL certificate opened successfully" << endl;
}
memset((char *) &remote_addr, 0, sizeof(sockaddr_in)); // zero out
local address
remote_addr.sin_family = AF_INET;
//remote_addr.sin_addr.s_addr =
m_context->getConfiguration().m_ipAddress;
//remote_addr.sin_port =
htons(m_context->getConfiguration().m_port);
remote_addr.sin_addr.s_addr = inet_addr("10.1.18.65");
remote_addr.sin_port = 2000;
cout << "LOG; Trying to connect (fd)...";
if (connect(m_fd, (struct sockaddr *)&remote_addr, sizeof
remote_addr)
== -1)
{
cout << "Failed to connect secure channel. Channel not open." << endl;
}
else
{
cout << "connected." << endl;
}
if(SSL_set_fd(m_ssl, m_fd)!=1) //Mask initial FD as SSL socket -
from here only use the ssl FD
{
cout << "Opening SSL connection FD failed" << endl;
}
sleep(10);
cout << "LOG; Trying to connect (ssl)...";
if(SSL_connect(m_ssl)!=1) //Connect SSL socket
{
cout << "connecting SSL socket failed" << endl;
}
else
{
cout << "connected." << endl;
}
// FORK.
int length(0);
while (true)
{
// Extract message type.
messageType_e messageType;
if ((length = SSL_read(m_ssl, &messageType, sizeof(messageType_e))) <
0)
{
int errorCode = SSL_get_error(m_ssl, length);
cout << "Channel State error " << errorCode << "=" << endl;
switch (errorCode)
{
case SSL_ERROR_NONE: cout << "SSL_ERROR_NONE";
break;
case SSL_ERROR_ZERO_RETURN: cout << "SSL_ERROR_ZERO_RETURN";
break;
case SSL_ERROR_WANT_READ: cout << "SSL_ERROR_WANT_READ";
break;
case SSL_ERROR_WANT_WRITE: cout << "SSL_ERROR_WANT_WRITE";
break;
case SSL_ERROR_WANT_CONNECT: cout << "SSL_ERROR_WANT_CONNECT";
break;
case SSL_ERROR_WANT_ACCEPT: cout << "SSL_ERROR_WANT_ACCEPT";
break;
case SSL_ERROR_WANT_X509_LOOKUP: cout <<
"SSL_ERROR_WANT_X509_LOOKUP";
break;
case SSL_ERROR_SYSCALL: cout << "SSL_ERROR_SYSCALL";
break;
case SSL_ERROR_SSL: cout << "SSL_ERROR_SSL";
break;
}
unsigned long err(ERR_get_error());
cout << "Err from SSL error queue: " << ERR_error_string(err, NULL)
<< endl;
}
}
}
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
