I'm not sure if it would make a difference, but I use a callback function in my
SSL_CTX_set_verify().
Regards,
David
--------------------------------------------------
From: "Felipe Franciosi" <fel...@paradoxo.org>
Sent: Monday, February 01, 2010 10:55 AM
To: <openssl-users@openssl.org>
Subject: Re: Server won't request for client certificate
Dear Patrick,
Thanks for the reply!
I took the error checking out on purpose for the sake of the message
size. I'm sending my client's code, but I still think the problem is
on the server.
If I use s_server with my client, it works. If I use s_client with my
server, it fails. If I use my server with my client, it fails.
Here's my client's code:
    #include <stdio.h>
    #include <string.h>
    #include <openssl/bio.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>
    #include <openssl/x509.h>

    /* the "print error and abort" placeholders, spelled out so the snippet
     * builds and runs as a program */
    #define ABORT_ON_ERROR() do { ERR_print_errors_fp(stderr); return 1; } while (0)

    int main(void)
    {
        SSL_load_error_strings();
        ERR_load_BIO_strings();
        SSL_library_init();
        OpenSSL_add_all_algorithms();

        X509 *peerCert;
        X509_NAME *xname;
        BIO *bio;
        SSL *ssl;
        SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
        char buf[256];
        memset(buf, 0, sizeof(buf));

        /* CA used to verify the server, plus the client certificate and key that
         * are offered if the server sends a CertificateRequest */
        if (!SSL_CTX_load_verify_locations(ctx, "ca.crt", NULL)) ABORT_ON_ERROR();
        if (!SSL_CTX_use_certificate_file(ctx, "client.crt", SSL_FILETYPE_PEM)) ABORT_ON_ERROR();
        if (!SSL_CTX_use_PrivateKey_file(ctx, "client.key", SSL_FILETYPE_PEM)) ABORT_ON_ERROR();

        if ((bio = BIO_new_ssl_connect(ctx)) == NULL) ABORT_ON_ERROR();
        BIO_get_ssl(bio, &ssl);
        SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
        BIO_set_conn_hostname(bio, "localhost:9443");
        if (BIO_do_connect(bio) <= 0) ABORT_ON_ERROR();
        if (SSL_get_verify_result(ssl) != X509_V_OK) ABORT_ON_ERROR();

        /* SSL_get_peer_certificate() returns NULL if the server sent no
         * certificate, and bumps the reference count otherwise, so check it
         * and free it afterwards */
        peerCert = SSL_get_peer_certificate(ssl);
        if (peerCert == NULL) ABORT_ON_ERROR();
        xname = X509_get_subject_name(peerCert);
        X509_NAME_get_text_by_NID(xname, NID_commonName, buf, sizeof(buf));
        printf("buf = %s\n", buf);
        X509_free(peerCert);

        memset(buf, 0, sizeof(buf));
        printf("Reading from BIO\n");
        /* read one byte less than the buffer so it stays NUL-terminated for printf */
        if (BIO_read(bio, buf, sizeof(buf) - 1) <= 0) ABORT_ON_ERROR();
        printf("buf = %s\n", buf);
        BIO_free_all(bio);
        SSL_CTX_free(ctx);
        return 0;
    }
I think my certificates are fine. I can regenerate them and paste here
the exact commands I use if you think it's necessary!
Again, thanks and any feedback is appreciated as I am completely
stuck! =(
Regards,
Felipe
On 1 Feb 2010, at 14:18, Eisenacher, Patrick wrote:
Hi Felipe,
-----Original Message-----
From: Felipe Franciosi
[snip]
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_ONCE, NULL);
I believe my client is irrelevant at this point, because if I use
"openssl s_server", it works beautifully with my client.
However, when
I use my server and my client (or openssl s_client), it fails
accusing
my client of not providing the certificate. All points to my server
not requesting the client certificate properly.
You configured your server to stop the handshake if the client
doesn't provide a certificate. And that's - according to the
information you provide - exactly what you see.
So all points to your client indeed: You have to find out why your
client does not send the certificate that your server requests.
If you use s_client with your server, I guess you'll see the
certificate request message your server is sending. In that message
the server tells the client which CAs and which certificates it
accepts.
So either your client's code is buggy (do you check for error
conditions in your OpenSSL invocations? your snippet didn't seem to
indicate so), it can't access its certificate, its certificate is
not of the types requested by the server or its certificate is not
issued by one of the CAs accepted by the server - as indicated in
the above mentioned certificate request message.
HTH,
Patrick Eisenacher
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org