Use 'script noclientcert.txt openssl s_client -debug -state -showcerts
-connect host:port' to see what the certificate CA name requested by
the server is.  Then, 'script withclientcert.txt openssl s_client
-state -debug -showcerts -connect host:port -key keyfile.pem -cert
certfile.pem' to determine what actually happens when the certificate
is appropriately selected.

Then, please include the text of noclientcert.txt and
withclientcert.txt if you still cannot figure out what's going on.
(What is the server running, do you know?)

-Kyle H

On Mon, Feb 1, 2010 at 7:55 AM, Felipe Franciosi <fel...@paradoxo.org> wrote:
> Dear Patrick,
>
> Thanks for the reply!
>
> I took the error checking out on purpose for the sake of the message size.
> I'm sending my client's code, but I still think the problem is on the
> server.
> If I use s_server with my client, it works. If I use s_client with my
> server, it fails. If I use my server with my client, it fails.
>
> Here's my client's code:
>
>        #include <stdio.h>
>        #include <string.h>
>        #include <openssl/bio.h>
>        #include <openssl/err.h>
>        #include <openssl/ssl.h>
>        #include <openssl/x509.h>
>
>        SSL_load_error_strings();
>        ERR_load_BIO_strings();
>        SSL_library_init();
>        OpenSSL_add_all_algorithms();
>
>        X509 *peerCert;
>        X509_NAME *xname;
>
>        BIO *bio;
>        SSL *ssl;
>        SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
>        char buf[256];
>        memset(buf, 0, sizeof(buf));
>
>        /* CA used to verify the server, then the client's own certificate and key */
>        if (!SSL_CTX_load_verify_locations(ctx, "ca.crt", NULL)) { /* print error and abort */ }
>        if (!SSL_CTX_use_certificate_file(ctx, "client.crt", SSL_FILETYPE_PEM)) { /* print error and abort */ }
>        if (!SSL_CTX_use_PrivateKey_file(ctx, "client.key", SSL_FILETYPE_PEM)) { /* print error and abort */ }
>
>        if ((bio = BIO_new_ssl_connect(ctx)) == NULL) { /* print error and abort */ }
>        BIO_get_ssl(bio, &ssl);
>        SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
>        BIO_set_conn_hostname(bio, "localhost:9443");
>        if (BIO_do_connect(bio) <= 0) { /* print error and abort */ }
>        /* SSL_get_verify_result() is X509_V_OK when no certificate was presented at
>           all, so the peer certificate itself must be checked for NULL as well */
>        if (SSL_get_verify_result(ssl) != X509_V_OK) { /* print error and abort */ }
>        if ((peerCert = SSL_get_peer_certificate(ssl)) == NULL) { /* print error and abort */ }
>        xname = X509_get_subject_name(peerCert);
>        X509_NAME_get_text_by_NID(xname, NID_commonName, buf, sizeof(buf));
>        printf("buf = %s\n", buf);
>        X509_free(peerCert); /* SSL_get_peer_certificate() hands back a new reference */
>        memset(buf, 0, sizeof(buf));
>        printf("Reading from BIO\n");
>        /* read one byte less than the buffer so printf("%s") always finds a NUL */
>        if (BIO_read(bio, buf, sizeof(buf) - 1) <= 0) { /* print error and abort */ }
>        printf("buf = %s\n", buf);
>        BIO_free_all(bio);
>        SSL_CTX_free(ctx);
>
> I think my certificates are fine. I can regenerate them and paste here the
> exact commands I use if you think it's necessary!
>
> Again, thanks and any feedback is appreciated as I am completely stuck! =(
>
> Regards,
> Felipe
>
>
> On 1 Feb 2010, at 14:18, Eisenacher, Patrick wrote:
>
>> Hi Felipe,
>>
>>> -----Original Message-----
>>> From: Felipe Franciosi
>>
>> [snip]
>>
>>> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
>>> SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_ONCE, NULL);
>>
>>> I believe my client is irrelevant at this point, because if I use
>>> "openssl s_server", it works beautifully with my client.
>>> However, when
>>> I use my server and my client (or openssl s_client), it fails
>>> accusing
>>> my client of not providing the certificate. All points to my server
>>> not requesting the client certificate properly.
>>
>> You configured your server to stop the handshake if the client doesn't
>> provide a certificate. And that's - according to the information you provide
>> - exactly what you see.
>>
>> So all points to your client indeed: You have to find out why your client
>> does not send the certificate that your server requests.
>>
>> If you use s_client with your server, I guess you'll see the certificate
>> request message your server is sending. In that message the server tells the
>> client which CAs and which certificates it accepts.
>>
>> So either your client's code is buggy (do you check for error conditions
>> in your OpenSSL invocations? your snippet didn't seem to indicate so), it
>> can't access its certificate, its certificate is not of the types requested
>> by the server or its certificate is not issued by one of the CAs accepted by
>> the server - as indicated in the above mentioned certificate request
>> message.
>>
>> HTH,
>> Patrick Eisenacher
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-us...@openssl.org
>> Automated List Manager                           majord...@openssl.org
>
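The transcript Kyle asks for contains exactly the information Patrick points at: the
"Acceptable client certificate CA names" block that s_client prints from the server's
CertificateRequest. The script below is an added example, not something posted in the
thread. It pulls that block out of a saved noclientcert.txt and checks whether the
issuer of client.crt is on the list, so the first question ("does the server even ask
for a cert from my CA?") can be answered without reading the whole -debug dump. It
assumes the transcript was written by `script ... openssl s_client -state -debug
-showcerts` (so lines end in CRLF), that the block is closed by s_client's next "---"
separator, and that the issuer DN is passed as `openssl x509 -noout -issuer -in
client.crt` prints it with the same OpenSSL build, so both sides use the same DN
formatting (1.0.x prints /C=..., 1.1 and later print "C = ..." by default). The
sample transcript and DNs embedded in it are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): compare the CA names a server advertised in
# its CertificateRequest, as recorded by `openssl s_client -state -debug -showcerts`,
# with the issuer of the client certificate you intend to present.

# Print the advertised CA DNs from the "Acceptable client certificate CA names"
# block, one per line. Prints nothing when the server sent no names (s_client then
# prints "No client certificate CA names sent") or never requested a certificate.
# `script` records CRLF line endings, so the CR is stripped before matching.
acceptable_cas() {
    awk '
        { sub(/\r$/, "") }
        /^Acceptable client certificate CA names/ { in_block = 1; next }
        /^---/ && in_block                        { in_block = 0 }
        in_block && NF                            { print }
    ' "$1"
}

# issuer_accepted TRANSCRIPT ISSUER_DN
# Exit status: 0 = issuer is listed, 1 = CAs were listed but not this issuer,
# 2 = the server advertised no CA names at all.
# ISSUER_DN may carry the "issuer=" / "issuer= " prefix that `openssl x509 -issuer`
# prints; it is removed before the exact, whole-line comparison.
issuer_accepted() {
    issuer=$(printf '%s' "$2" | sed 's/^issuer= *//')
    cas=$(acceptable_cas "$1")
    [ -n "$cas" ] || return 2
    printf '%s\n' "$cas" | grep -Fxq -- "$issuer"
}

# Constructed sample in the shape of a 1.0.x s_client transcript (trimmed; the DNs
# are made up), so the functions can be exercised offline.
write_sample_transcript() {
    printf '%s\r\n' \
        'CONNECTED(00000003)' \
        'SSL_connect:before/connect initialization' \
        'SSL_connect:SSLv3 read server certificate request A' \
        '---' \
        'Acceptable client certificate CA names' \
        '/C=XX/O=Example Lab/CN=Example Lab Client CA' \
        '/C=XX/O=Example Lab/CN=Example Lab Root CA' \
        '---' \
        'SSL handshake has read 1830 bytes and written 312 bytes' \
        > "$1"
}

# Demo run against the constructed transcript. On a real capture:
#   issuer_accepted noclientcert.txt "$(openssl x509 -noout -issuer -in client.crt)"
t=$(mktemp)
write_sample_transcript "$t"
for dn in 'issuer= /C=XX/O=Example Lab/CN=Example Lab Client CA' \
          '/C=XX/O=Other Org/CN=Other CA'; do
    issuer_accepted "$t" "$dn" && rc=0 || rc=$?
    case $rc in
        0) echo "listed by server:       $dn" ;;
        1) echo "NOT among server's CAs: $dn" ;;
        2) echo "server sent no CA names" ;;
    esac
done
rm -f "$t"
```

Status 1 means the client certificate's issuer is not one the server says it accepts,
which is the first thing to explain before looking at the client code; status 2 means
the server did not restrict by issuer in the CertificateRequest, so the problem is
elsewhere (the server's trust store, or the client not loading its certificate and key
at all).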
