Thank you very much, Mounir,
but I got the same error.

Given the time constraints I have, I think my path moving forward is to try
another library or two to see if I can find one that uses openSSL properly.

Until next time,
Remi.


-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI
Sent: April 13, 2010 9:09 PM
To: openssl-users@openssl.org
Subject: Re: openSSL and PKCS #12 certificates

Hi Remi,

I don't know what the inputs of your Python module are, but from the 
error message I guess that it's expecting the PEM file to also contain 
the certificate of the private key and the associated CA chain. For 
that, I advise you to replace the option "-nocerts" in your command line 
with "-nodes". Thus:
- The output PEM file will contain the private key AND its certificate 
along with any associated CAs
- You will not be asked for a password a second time because the private 
key in the output PEM file will be unencrypted.

After that, you will have to open the output PEM file in a text editor 
in order to ensure that the certificate that comes just after the 
private key block is the one associated with the key and not a CA 
certificate (a cut and paste is almost necessary to put everything in 
the right order).

I hope that with all these steps, you will finally be able to perform 
your client authentication.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr



On 4/13/2010 6:45 PM, Rémi Després-Smyth wrote:
> Mounir,
> Thank you so much for your answer.
>
> I did extract the key into a pem file (using command:
> c:\openssl\bin\openssl pkcs12 -in cert.pfx -nocerts -out cert_key.pem), and
> tried to connect using the key file as output.  It got further along in the
> process - I was prompted to enter my PEM pass phrase - but a different error
> came up:
>
>    File "C:\python26\lib\ssl.py", line 113, in __init__
>      cert_reqs, ssl_version, ca_certs)
> ssl.SSLError: [Errno 336445449] _ssl.c:351: error:140DC009:SSL
> routines:SSL_CTX_use_certificate_chain_file:PEM lib
>
> Would you have any insight in regards to the problem here?
>
>
> I should also note that while I was creating the key file, I noticed that I
> was prompted to "Enter Import Password", but also to "Enter PEM pass
> phrase".  Does this mean the private key found in the pfx file is actually
> in PEM format to begin with?  Does this change your advice at all?
>
> Regards,
> Remi.
>
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI
> Sent: April 13, 2010 11:29 AM
> To: openssl-users@openssl.org
> Subject: Re: openSSL and PKCS #12 certificates
>
> Hi,
>
> OPENSSL supports PKCS#12 files. Look at the header pkcs12.h that
> contains functions for parsing and exporting private keys and
> certificates from a PKCS#12 file (like d2i_PKCS12 and PKCS12_parse).
>
> Concerning the error you are getting, it appears that the Python module
> you are using is calling SSL_CTX_use_PrivateKey_file by giving it the
> PKCS#12 file name. This does not work because SSL_CTX_use_PrivateKey_file
> only accepts two formats: SSL_FILETYPE_PEM and SSL_FILETYPE_ASN1.
> In order to correct this, you have two solutions:
> - Either feed the python module with the private key in a PEM file.
> - Or modify the source code of this python module in order to use the
> PKCS#12 functions I mentioned above to extract the private key as an
> EVP_PKEY and then call SSL_use_PrivateKey instead of
> SSL_CTX_use_PrivateKey_file, along with SSL_use_certificate for setting
> the associated certificate.
>
> The first solution is the easiest because you can simply use the OPENSSL
> command line utility in order to extract the private key and its
> certificate from the PKCS#12 file as PEM files and then give them as
> input to your python module.
>
> I hope this will help.
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
>
>
> On 4/13/2010 2:55 PM, Rémi Després-Smyth wrote:
>    
>> Hello.
>>
>> I’ve been trying to set up client authentication using a PKCS #12
>> certificate, and I’ve been having some trouble.  I’m trying to determine
>> whether it’s because it’s something unsupported in openSSL, or if it’s a
>> problem with the wrapper library I’m using (Python’s httplib).  I’d
>> appreciate it if anyone might be able to provide some insight.
>>
>>
>>
>> I’m getting an error raised by the openSSL library when the wrapper class is
>> trying to instantiate and wrap a socket, and from what I’ve been able to
>> gather to-date, the error appears to be coming from openSSL:
>>
>>
>>
>> Ssl.SSLError: [Errno 336265225] _sll.c:337: error:140B0009:SSL
>> routines:SSL_CTX_use_PrivateKey_file:PEM lib
>>
>>
>>
>> Is PKCS #12 supposed to be supported by openSSL?  I would guess yes; I dug
>> around in the source and found that “PEM lib” is the error text for
>> ERR_R_PEM_LIB (defined in err_str.c), and I also noticed ERR_R_PKCS12_LIB in
>> there.  This gives me the impression that openSSL is incorrectly trying to
>> load the PKCS #12 cert as a PEM cert, and thus the error – which leads me to
>> believe that the wrapper library may not be calling openSSL properly, if
>> PKCS #12 certificates should be supported.  (Otherwise, why would openSSL be
>> returning an error related to PEM certs and not PKCS #12 certs?)
>>
>>
>>
>> Can anyone tell me whether or not openSSL should be able to work with
>> PKCS#12 certs?  Any advice anyone might have is welcome. (Sorry if this is
>> vague; this is the first time I’ve dug into the openSSL project.)
>>
>>
>>
>> The certificate appears correct, as I’ve tested it by adding it to MSIE and
>> Firefox and I’m able to connect to the server.
>>
>>
>>
>> Regards,
>>
>> Remi.
>>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

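
An added example, not part of the thread above and not OpenSSL or Python project code: a small Python script that automates the "open the PEM file in a text editor and cut and paste" step Mounir describes. It reads the text dump written by `openssl pkcs12 -in cert.pfx -nodes -out cert.pem`, identifies the certificate that shares the private key's localKeyID bag attribute (that attribute is how a PKCS#12 file ties a key to its certificate), falls back to subject/issuer matching when no localKeyID was exported, and writes out the key, then its own certificate, then the issuing CAs in order, which is what SSL_CTX_use_certificate_chain_file expects. The embedded sample dump is constructed for the example, with the CA certificates deliberately placed before the client certificate; its base64 bodies are placeholders, not real key material.

```python
import re

# Constructed sample with the textual shape of `openssl pkcs12 -nodes` output. The CA
# certificates come before the client certificate, the misordering Mounir's reply
# warns about. Bodies are placeholders, not real keys or certificates; the code
# below only moves text blocks around.
SAMPLE_DUMP = """\
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: remi-client
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
KEYBODY
-----END PRIVATE KEY-----
Bag Attributes: <No Attributes>
subject=/O=Example/CN=Example Root CA
issuer=/O=Example/CN=Example Root CA
-----BEGIN CERTIFICATE-----
ROOTBODY
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/O=Example/CN=Example Issuing CA
issuer=/O=Example/CN=Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATEBODY
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: remi-client
subject=/O=Example/CN=remi
issuer=/O=Example/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
LEAFBODY
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?\n-----END \1-----\n?", re.S)


def _field(header, pattern):
    m = re.search(pattern, header, re.M)
    return m.group(1).strip() if m else None


def parse_dump(text):
    """Split the dump into PEM blocks, each paired with the attribute lines
    (Bag Attributes, subject=, issuer=) that openssl printed in front of it."""
    items, pos = [], 0
    for m in PEM_BLOCK.finditer(text):
        header = text[pos:m.start()]
        items.append({
            "kind": m.group(1),
            "pem": m.group(0),
            "localKeyID": _field(header, r"^\s*localKeyID:\s*(.+?)\s*$"),
            "subject": _field(header, r"^subject=(.*)$"),
            "issuer": _field(header, r"^issuer=(.*)$"),
        })
        pos = m.end()
    return items


def order_for_tls(items):
    """Return (key, [leaf, issuer, ..., root]) in the order the PEM loader expects."""
    keys = [i for i in items if i["kind"].endswith("PRIVATE KEY")]
    certs = [i for i in items if i["kind"] == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key, found %d" % len(keys))
    key = keys[0]

    # Preferred: PKCS#12 ties a key to its certificate through a shared localKeyID.
    leaf = None
    if key["localKeyID"] is not None:
        matches = [c for c in certs if c["localKeyID"] == key["localKeyID"]]
        if len(matches) == 1:
            leaf = matches[0]
    # Fallback: the end-entity certificate is the one that issued nothing else here.
    if leaf is None:
        issuers = set(c["issuer"] for c in certs)
        candidates = [c for c in certs if c["subject"] not in issuers]
        if len(candidates) != 1:
            raise ValueError("cannot identify the end-entity certificate unambiguously")
        leaf = candidates[0]

    # Follow issuer -> subject links up to a self-signed root (or until the file
    # runs out of CAs); the CAs stay behind the leaf, as the loader requires.
    by_subject = dict((c["subject"], c) for c in certs)
    chain = [leaf]
    while chain[-1]["issuer"] != chain[-1]["subject"]:
        nxt = by_subject.get(chain[-1]["issuer"])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return key, chain


def convert_dump(text):
    """PEM text ready for certfile/keyfile: only the blocks, attribute lines dropped."""
    key, chain = order_for_tls(parse_dump(text))
    return "".join([key["pem"]] + [c["pem"] for c in chain])


def block_bodies(pem_text):
    """Bodies of the PEM blocks in order of appearance, for checking the result."""
    return re.findall(r"-----BEGIN [A-Z0-9 ]+-----\n(.*?)\n-----END", pem_text, re.S)


if __name__ == "__main__":
    import sys
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    sys.stdout.write(convert_dump(dump))
```

Run it as `python reorder_pem.py cert.pem > client.pem` (the file name is an assumption) and hand client.pem to both key_file and cert_file of httplib.HTTPSConnection, or as certfile to ssl.wrap_socket. Two caveats a practitioner would check: because `-nodes` leaves the key unencrypted, the output file should be readable only by the account that runs the client; and for an RSA key the pairing can be confirmed with OpenSSL itself by comparing `openssl rsa -in client.pem -noout -modulus` with `openssl x509 -in client.pem -noout -modulus`, which must print the same value.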