Hi,
There must be something wrong with my assumptions or theory, since I can get an
openssl client and server connected with different certs.
What I do is:
create CA:
  openssl genrsa -out ca_key.pem 1024
  openssl req -config openssl.cnf -new -x509 -key ca_key.pem -out ca.crt
create server and client certs:
  openssl req -config openssl.cnf -newkey rsa:1024 -keyout server_key.pem -out server.csr -nodes
  openssl ca -config openssl.cnf -keyfile ca_key.pem -cert ca.crt -in server.csr -out server.crt -notext
  openssl req -config openssl.cnf -newkey rsa:1024 -keyout client_key.pem -out client.csr -nodes
  openssl ca -config openssl.cnf -keyfile ca_key.pem -cert ca.crt -in client.csr -out client.crt -notext
create another CA:
  openssl req -config openssl.cnf -newkey rsa:1024 -keyout another_client_key.pem -out another_client.csr -nodes
  openssl ca -config openssl.cnf -keyfile another_ca_key.pem -cert another_ca.crt -in another_client.csr -out another_client.crt -notext
create another client cert:
  openssl req -config openssl.cnf -newkey rsa:1024 -keyout another_client_key.pem -out another_client.csr -nodes
  openssl ca -config openssl.cnf -keyfile another_ca_key.pem -cert another_ca.crt -in another_client.csr -out another_client.crt -notext
When I start the server and client using the same CA, I get the connection right:
  openssl s_server -accept 3333 -cert server.crt -key server_key.pem -state -ssl3 -CAfile ca.crt -Verify 1
  openssl s_client -connect 127.0.0.1:3333 -cert client.crt -key client_key.pem -CAfile ca.crt -verify 1
The server accepts the connection and the client connects with `Verify return code: 0
(ok)`. Messages can be sent and received. Nice.
Now, when I start the same server and a client using the `another_` CA, it connects
the same way:
  openssl s_server -accept 3333 -cert server.crt -key server_key.pem -state -ssl3 -CAfile ca.crt -Verify 1
  openssl s_client -connect 127.0.0.1:3333 -cert another_client.crt -key another_client_key.pem -CAfile another_ca.crt -verify 1
This time the client says `Verify return code: 19 (self signed certificate
in certificate chain)`, but the server did accept the client even with a totally
different cert and CA, and even let it speak with it! So wtf? How can I
authenticate the client and securely keep unknown clients from connecting to my
server? Please help :-(
--
View this message in context:
http://old.nabble.com/confused-with-openssl-server-client-behavior-tp32396398p32396398.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
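Added example (not from the original post or from the OpenSSL project): the same setup rebuilt in Go with crypto/tls instead of openssl s_server / s_client, so both outcomes can be reproduced on one machine with no external tooling. The names (ca, another_ca, server, client, another_client), the loopback port chosen by the OS, the greeting string and the 5-second deadline are assumptions of this example. The server is configured the way `-CAfile ca.crt -Verify 1` is meant to behave: it requires a client certificate and verifies it against ca only, so the client issued by another_ca must be turned away during the handshake. The client keeps trusting ca for the server certificate in both runs, so the only thing that changes between them is the issuer of the client certificate. TLS 1.2 or newer is negotiated; SSLv3 as used in the post is not offered by current stacks.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a self-signed CA when issuer is nil, otherwise a leaf signed by issuer.
func newCert(cn string, issuer *tls.Certificate) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")} // lets the client verify the server by address
		parent, signer = issuer.Leaf, issuer.PrivateKey.(ed25519.PrivateKey)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// mutualTLS: the server trusts only trustedCA for client certs (the analogue of
// "-CAfile ca.crt -Verify 1"); returns the server's handshake error and what the client read.
func mutualTLS(trustedCA, server, client tls.Certificate) (serverErr error, clientGot string) {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA.Leaf)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // a cert from any other CA fails the handshake
		ClientCAs:    pool,
	}
	cliCfg := &tls.Config{
		Certificates: []tls.Certificate{client},
		RootCAs:      pool, // the client checks the server certificate against the same CA
		ServerName:   "127.0.0.1",
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		must(err)
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		srv := tls.Server(raw, srvCfg)
		if err := srv.Handshake(); err != nil {
			done <- err // client certificate rejected: nothing is ever sent to this client
			return
		}
		_, err = io.WriteString(srv, "hello from server")
		srv.Close()
		done <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	defer raw.Close()
	// A TLS 1.3 client finishes its side before the server checks its cert, so the
	// verdict arrives on the first read: either the greeting or a bad-certificate alert.
	data, _ := io.ReadAll(tls.Client(raw, cliCfg))
	return <-done, string(data)
}

func main() {
	ca, anotherCA := newCert("ca", nil), newCert("another_ca", nil)
	server := newCert("server", &ca)
	err, got := mutualTLS(ca, server, newCert("client", &ca))
	fmt.Printf("client from ca:         server err=%v, client read %q\n", err, got)
	err, got = mutualTLS(ca, server, newCert("another_client", &anotherCA))
	fmt.Printf("client from another_ca: server err=%v, client read %q\n", err, got)
}
```

The server-side handshake error is the result to check. With TLS 1.3 the client has already finished its part of the handshake before the server examines the client certificate, so a client that merely reports "connected" proves nothing; it only learns of the rejection on its first read, when a bad certificate alert arrives instead of the greeting. Translated back to the post: s_server with -Verify, trusting only ca.crt, has to report a verification failure and drop the connection for another_client.crt. If it does not, the certificate it received must chain to ca.crt after all, which `openssl verify -CAfile ca.crt another_client.crt` will confirm or refute; note that the "create another CA" step above lists the same two commands as the "create another client cert" step, so the commands that produced another_ca_key.pem and another_ca.crt are not shown.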