That didn't work. I immediately got an error from the server: SSL3_GET_CLIENT_HELLO: no shared cipher.

Do you know what my original error meant:

SSL_BYTES_TO_CIPHER_LIST:scsv received when renegotiating

Maybe if I know what it is referring to I can track down the issue. There isn't much posted on the net about it.

On , castre...@gmail.com wrote:
Hi Erwin,

Your response does make sense but I need to clarify.

I created a CA certificate and a private key (CA.cert and CAPrivate.key).

I then created a server certificate request (server.csr and server.key) and signed it with the CA's private key, creating the following 2 files: server.crt and server.pem.

Now currently in my program the server side is loading the server.pem file and the server.key file.

The client side is loading the CA.cert.

So if I understand what you are saying above, I need to reverse the loading (below is what I currently have in my code):

if(ac.user() == server)
{
    _ssl_context = new ssl::context(ssl::method_sslv3, ssl::role_server);
    _ssl_context->set_certificate("ssl\\subexec\\certs\\01.pem",
                                  "ssl\\subexec\\private\\server.key");
}
else //client
{
    _ssl_context = new ssl::context(ssl::method_sslv3, ssl::role_client);
    _ssl_context->set_ca_certificate("ssl\\subexec\\certs\\ca.crt");
}

Are you saying it should be:

if(ac.user() == client)
{
    _ssl_context = new ssl::context(ssl::method_sslv3, ssl::role_server);
    _ssl_context->set_certificate("ssl\\subexec\\certs\\01.pem",
                                  "ssl\\subexec\\private\\server.key");
    //_ssl_context->set_ca_certificate("ssl\\subexec\\certs\\ca.crt");
}
else //client
{
    _ssl_context = new ssl::context(ssl::method_sslv3, ssl::role_client);
    _ssl_context->set_ca_certificate("ssl\\subexec\\certs\\ca.crt");
}


On , Erwin Himawan <ehima...@gmail.com> wrote:
> You mention that:
> Server loads its server certificate and private key (self-signed by a CA that I created).
>
> I would like to clarify: the server cert is a self-signed cert? Or the CA cert is a self-signed cert?
>
> If the server cert is a self-signed cert, the server is actually the CA, in which case the client needs the server self-signed cert.
>
> If the server cert is not a self-signed cert, make sure that the CA self-signed cert can verify the server cert. You can use the openssl verify CLI to do this. If you can, then give the CA cert to the client. If I remember correctly, when you set the verify peer to none, the server does not do cert-based auth on the client. However, the TLS spec specifies that the client must do cert-based auth on the server, so the server must send the client its cert.
>
> Hopefully, my reply makes sense.
>
> On Wed, Jul 27, 2011 at 3:52 PM, <castre...@gmail.com> wrote:
>
> I need some help.
>
> I am basically stuck and don't know how to fix the handshake and must be missing something.
>
> Perhaps it is something with the certificates.
>
> I have a server certificate/private key and a CA certificate.
>
> Server loads its server certificate and private key (self-signed by a CA that I created).
>
> The client loads the CA certificate.
>
> Using memory buffers and blocking IO.
>
> I begin the handshake by the client initiating a hello message.
>
> The server reads the message, and data is put in its SSL output. This is sent back to the client.
>
> The client reads the data (SSL_read) and data is populated in the SSL output. This is sent back to the server. (It is waiting for more input from the server.)
>
> The server reads the data (SSL_read) and nothing is generated in out... but it is waiting for more information from the client.
>
> Basically I am at a stalemate now.
>
> What information am I missing?
>
> When I go and look at what state the client is in, it says it is UNKWN... what does this imply?
>
> Do I need a client certificate even though I have programmed the server to be a VERIFY_PEER_NONE?
>
> Does anybody have any references/books I can go get to help me with this issue... I am completely lost and confused.
>
> Note: I am currently working on Windows.
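Erwin's checklist above (make sure the CA certificate can verify the server certificate, give the client only the CA certificate, and remember that the server has to present its certificate even when it does not ask the client for one) can be exercised end to end in one self-contained program. The following is an added example and is not code from this thread or from the poster's ssl wrapper: it uses Go's standard library to issue a self-signed CA and a CA-signed server certificate in memory, then runs the handshake over an in-memory net.Pipe, which stands in for the poster's memory buffers. The host name subexec.example, the certificate subjects and every function name are assumptions of the example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverName is a hypothetical host (an assumption of this example); the client checks the server cert against it.
const serverName = "subexec.example"

// issue generates a P-256 key pair and a certificate for cn. With parent == nil the cert is self-signed and acts
// as the CA; otherwise parentKey signs it, which is what "openssl x509 -req -CA ca.crt -CAkey ca.key" does for a CSR.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-sign: the CA is its own issuer
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn} // modern clients match the host name against the SAN, not the CN
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serverConfig loads what the server side loads: its own cert and key. ClientAuth is left at its default,
// NoClientCert (the VERIFY_PEER_NONE case); the server still has to present its own certificate.
func serverConfig(server *x509.Certificate, key *ecdsa.PrivateKey) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{server.Raw}, PrivateKey: key}},
		SessionTicketsDisabled: true, // keeps post-handshake records off the unbuffered pipe below
	}
}

// clientConfig loads what the client side loads: only the CA cert, as its trust root. With ca == nil
// the client has no root that can verify the server, so the handshake must fail.
func clientConfig(ca *x509.Certificate) *tls.Config {
	cfg := &tls.Config{ServerName: serverName}
	if ca != nil {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(ca)
	}
	return cfg
}

// bufferedConn drains the peer's whole pending write in one Read. net.Pipe is unbuffered, so without it a
// side that stops reading mid-flight to send an alert would deadlock against a peer still blocked in Write.
type bufferedConn struct {
	net.Conn
	r *bufio.Reader
}

func (b bufferedConn) Read(p []byte) (int, error) { return b.r.Read(p) }

// handshake runs both sides over an in-memory net.Pipe (the thread's "memory buffers") and returns
// the subject CN of the server certificate the client received and verified.
func handshake(serverCfg, clientCfg *tls.Config) (string, error) {
	cliRaw, srvRaw := net.Pipe()
	defer cliRaw.Close() // closing one end also unblocks whatever the other end is doing
	done := make(chan error, 1)
	go func() { done <- tls.Server(srvRaw, serverCfg).Handshake() }()
	cli := tls.Client(bufferedConn{Conn: cliRaw, r: bufio.NewReaderSize(cliRaw, 1<<16)}, clientCfg)
	if err := cli.Handshake(); err != nil {
		return "", err // e.g. "x509: certificate signed by unknown authority"
	}
	return cli.ConnectionState().PeerCertificates[0].Subject.CommonName, <-done
}

func main() {
	ca, caKey, err := issue("Test CA", nil, nil)
	if err != nil {
		panic(err)
	}
	server, key, err := issue(serverName, ca, caKey)
	if err != nil {
		panic(err)
	}
	fmt.Println(handshake(serverConfig(server, key), clientConfig(ca)))  // subexec.example <nil>
	fmt.Println(handshake(serverConfig(server, key), clientConfig(nil))) // client cannot verify the server
	fmt.Println(handshake(&tls.Config{}, clientConfig(ca)))              // server has no certificate to send
}
```

The first handshake returns the CN of the server certificate the client verified against its single trust root. The second, where the client is given no CA certificate, fails with Go's "certificate signed by unknown authority", the counterpart of an OpenSSL client whose CA file cannot verify the chain. The third fails on the server side because it has no certificate to send; an OpenSSL server commonly reports that situation as "no shared cipher", since without a certificate and key none of the default certificate-based cipher suites can be selected. On the command line, the chain check Erwin refers to is openssl verify -CAfile ca.crt server.crt. The SessionTicketsDisabled setting and the bufferedConn wrapper exist only because net.Pipe has no buffer: a side that stops reading while its peer is still blocked in Write stalls both directions, which is also the trap to watch for when pumping bytes through memory BIOs by hand.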