Felipe Franciosi
Sun, 31 Jan 2010 07:05:52 -0800
Dear list,This is too basic for not having been discussed here before, but despite the fact I keep looking in the archives, manual pages and tutorials, I simply can't find a solution. :(
Basically, I wrote a C server and a client and I want them to authenticate each other using X509 certificates (and I'm also using openssl to encrypt the connection).
My problem is that my server simply won't request my client's certificate. I believe the problem is on my server, because if I use "openssl s_server" with my client, everything works fine (using "openssl s_client" with my server also does not work).
What I've done: I created a CA (ca.crt/ca.key).I created a key for my client (client.key) and generated a certificate request (client.csr).
My CA signed the key (generating client.crt). I did the same thing with the server (server.key / .csr / .crt).Then I wrote a server that does the following (without the error checking):
// Variable declarations X509 *peerCert; X509_NAME *xname; SSL_CTX *ctx; SSL *ssl; BIO *bio, *abio, *out, *sbio; char buf[256]; STACK_OF(X509_NAME) *ca_names; const unsigned char ctx_id[] = "my_server"; // Library initialisation SSL_load_error_strings(); SSL_library_init(); ERR_load_BIO_strings(); ERR_load_SSL_strings(); OpenSSL_add_all_algorithms(); // CTX setup ctx = SSL_CTX_new(SSLv23_server_method()); SSL_CTX_set_quiet_shutdown(ctx, 1); SSL_CTX_load_verify_locations(ctx, "ca.crt", NULL); SSL_CTX_use_certificate_file(ctx, "server.crt", SSL_FILETYPE_PEM); SSL_CTX_use_PrivateKey_file(ctx, "server.key", SSL_FILETYPE_PEM);SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_ONCE, NULL);
SSL_CTX_set_session_id_context(ctx, ctx_id, sizeof(ctx_id));
ca_names = SSL_load_client_CA_file("ca.crt");
SSL_CTX_set_client_CA_list(ctx, ca_names);
// BIO
bio = BIO_new_ssl(ctx, 0);
BIO_get_ssl(bio, &ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
SSL_set_accept_state(ssl);
abio = BIO_new_accept("9443");
BIO_set_accept_bios(abio, bio);
while(1) {
BIO_do_accept(abio);
BIO_do_accept(abio);
out = BIO_pop(abio);
BIO_do_handshake(out);
peerCert = SSL_get_peer_certificate(ssl);
xname = X509_get_subject_name(peerCert);
X509_NAME_get_text_by_NID(xname, NID_commonName, buf, sizeof(buf));
// do stuff
BIO_free_all(out);
}
I believe my client is irrelevant at this point, because if I use
"openssl s_server", it works beautifully with my client. However, when
I use my server and my client (or openssl s_client), it fails accusing
my client of not providing the certificate. All points to my server
not requesting the client certificate properly.
Here is how I use openssl s_server to debug:openssl s_server -accept 9443 -Verify 0 -cert server.crt -key server.key -CAfile ca.crt
Verify 0 or 1 works the same in this case, since my CA signed the certificates directly.
Would anyone know what is wrong? =S Regards, Felipe ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org