Thank You Ashish for your answer!

On Wed, Sep 23, 2009 at 10:30 PM, Ashish Thapliyal <ashish.thapli...@citrix.com> wrote:

> I set the following for the global context which is used to create the
> connection:
>
>     // Set the SSL certificate verify mode
>     SSL_CTX_set_verify(_globalContext, SSL_VERIFY_PEER, NULL);
>
> Then the server requests the peer (i.e. the client) for a certificate
> during the handshake, which the client can either ignore, or provide.

Yes, I want the client to provide a certificate. This also works if I set the
globalContext like above. However, at this point the server cannot yet verify
the client's certificate. So calling BIO_do_connect(BIO* client_socket) returns
-1, because the client certificate could not be verified.

> The other option is to do a handshake without asking for a client
> certificate first, then do a re-handshake and ask the client for a
> certificate when required.

Yes, this would work, because later the server will get the client certificate
in a secure fashion. So how can I redo the handshake? I do not want to close and
open the connection anew, just ask the client again for its certificate. Do you
know how to do that?

Thank You!
Michael

> Ashish
>
> Ashish V. Thapliyal, Security Architect, Citrix Online Division, 6500
> Hollister Ave, Goleta, CA 93117. V: +1 (805) 690 2908.
>
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Michael Prinzinger
> Sent: Wednesday, September 23, 2009 1:05 PM
> To: openssl-users@openssl.org
> Subject: verify client certificate at a later point
>
> Dear OpenSSL group,
>
> I have a somewhat curious setting (without CAs) about routing information
> along several nodes:
>
> [1] First an unknown client establishes a connection to a known server,
> thus I set
>
>     SSL_CTX_set_verify(this->ctx, SSL_VERIFY_NONE, NULL);
>
> and let the client verify the server's certificate, like this:
>
>     X509* x509 = SSL_get_peer_certificate(s);
>     CHECK(x509 != NULL);
>
>     //check certificate
>     long certVerifyResults = SSL_get_verify_result(s);
>     if(certVerifyResults != X509_V_OK) {
>         X509_free(x509);   // SSL_get_peer_certificate() hands us a reference we must release
>         throw SSLException("Error! Certificate could not be verified.\n");
>     }
>
>     //free x509
>     X509_free(x509);
>
> [2] Now a secure connection is established. On it the server receives data
> encrypted with the server's public key, so only it can read it. In the data
> is information about the next node and the previous node. Now the server
> knows the SSL certificate of the previous node and thus wants to check it.
> Since the verify mode is still set to server only, we set it anew:
>
>     SSL_CTX_set_verify(this->ctx, SSL_VERIFY_PEER |
>                        SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
>
> [3] If the server now runs the code above
>
>     X509* x509 = SSL_get_peer_certificate(s);
>     CHECK(x509 != NULL);
>
>     //check certificate
>     long certVerifyResults = SSL_get_verify_result(s);
>     if(certVerifyResults != X509_V_OK) {
>         X509_free(x509);   // SSL_get_peer_certificate() hands us a reference we must release
>         throw SSLException("Error! Certificate could not be verified.\n");
>     }
>
>     //free x509
>     X509_free(x509);
>
> x509 will be NULL.
>
> This is probably because the handshake has already taken place. So there
> simply is no client certificate.
> Now I am trying to find a way around this problem, but failed so far.
> It would be nice to either find a way that both certificates are exchanged
> during the handshake, but only the server one is verified at first,
> or to find a way to request a certificate from the client at a later point.
>
> Does anyone have an idea how this could be achieved with the OpenSSL API?
>
> Thank You Very Much!
>
> Michael