That didn't work. I immediately got an error from the server:
SSL3_GET_CLIENT_HELLO: no shared cipher.
Do you know what my original error meant:
SSL_BYTES_TO_CIPHER_LIST:scsv received when renegotiating
Maybe if I know what it is referring to I can track down the issue. There
isn't much posted on the net about it.
On , castre...@gmail.com wrote:
Hi Erwin,
Your response does make sense, but I need to clarify.
I created a CA certificate and a private key (CA.cert and CAPrivate.key).
I then created a server certificate request (server.csr and server.key)
and signed it with the CA's private key, creating the
following 2 files: server.crt and server.pem.
Now, currently in my program, the server side is loading the server.pem
file and the server.key file.
The client side is loading the CA.cert.
So, if I understand what you are saying above, I need to reverse the
loading (below is what I currently have in my code):
    if (ac.user() == server)
    {
        // server side: load the server's own certificate and private key
        _ssl_context = new ssl::context(ssl::method_sslv3, ssl::role_server);
        _ssl_context->set_certificate("ssl\\subexec\\certs\\01.pem",
                                      "ssl\\subexec\\private\\server.key");
    }
    else // client
    {
        // client side: load the CA certificate used to verify the server
        _ssl_context = new ssl::context(ssl::method_sslv3, ssl::role_client);
        _ssl_context->set_ca_certificate("ssl\\subexec\\certs\\ca.crt");
    }
Are you saying it should be:
    if (ac.user() == client)
    {
        _ssl_context = new ssl::context(ssl::method_sslv3, ssl::role_server);
        _ssl_context->set_certificate("ssl\\subexec\\certs\\01.pem",
                                      "ssl\\subexec\\private\\server.key");
        //_ssl_context->set_ca_certificate("ssl\\subexec\\certs\\ca.crt");
    }
    else // client
    {
        _ssl_context = new ssl::context(ssl::method_sslv3, ssl::role_client);
        _ssl_context->set_ca_certificate("ssl\\subexec\\certs\\ca.crt");
    }
On , Erwin Himawan ehima...@gmail.com wrote:
You mention that:
Server loads its server certificate and private key (self-signed by a
CA that I created).
I would like to clarify: is the server cert a self-signed cert, or is the
CA cert a self-signed cert?
If the server cert is a self-signed cert, the server is actually the
CA, in which case the client needs the server's self-signed cert.
If the server cert is not self-signed, make sure that the CA's
self-signed cert can verify the server cert. You can use the openssl
verify CLI to do this. If you can, then give the CA cert to the client. If I
remember correctly, when you set the verify peer to none, the server does
not do cert-based auth on the client. However, the TLS spec specifies that the
client must do cert-based auth on the server, so the server must send the
client its cert.
Hopefully my reply makes sense.
On Wed, Jul 27, 2011 at 3:52 PM, castre...@gmail.com wrote:
I need some help.
I am basically stuck and don't know how to fix the handshake and must
be missing something.
Perhaps it is something with the certificates.
I have a server certificate/private key and a CA certificate.
Server loads its server certificate and private key (self-signed by a
CA that I created).
The client loads the CA certificate.
Using memory buffers and blocking IO.
I begin the handshake by the client initiating the hello message.
The server reads the message, and data is put in its SSL output. This is
sent back to the client.
The client reads the data (SSL_read) and data is populated in the SSL
output. This is sent back to the server. (It is waiting for more input
from the server.)
The server reads the data (SSL_read) and nothing is generated in the
output, but it is waiting for more information from the client.
Basically I am at a stalemate now.
What information am I missing?
When I go and look at what state the client is in, it says it is
UNKWN... what does this imply?
Do I need a client certificate even though I have programmed the server
to be VERIFY_PEER_NONE?
Does anybody have any references/books I can go get to help me with
this issue? I am completely lost and confused.
Note: I am currently working on Windows.