David
Mon, 01 Feb 2010 11:38:42 -0800
I'm not sure if it would make a diff, but I use a callback function in my SSL_CTX_set_verify().

Regards,
David

--------------------------------------------------
From: "Felipe Franciosi" <fel...@paradoxo.org>
Sent: Monday, February 01, 2010 10:55 AM
To: <openssl-users@openssl.org>
Subject: Re: Server won't request for client certificate
Dear Patrick,

Thanks for the reply! I took the error checking out on purpose for the sake of the message size. I'm sending my client's code, but I still think the problem is on the server. If I use s_server with my client, it works. If I use s_client with my server, it fails. If I use my server with my client, it fails.

Here's my client's code:

    #include <stdio.h>
    #include <string.h>
    #include <openssl/bio.h>
    #include <openssl/err.h>
    #include <openssl/ssl.h>
    #include <openssl/x509.h>

    int main(void)
    {
        SSL_load_error_strings();
        ERR_load_BIO_strings();
        SSL_library_init();
        OpenSSL_add_all_algorithms();

        X509 *peerCert;
        X509_NAME *xname;
        BIO *bio;
        SSL *ssl;
        SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
        char buf[256];
        memset(buf, 0, sizeof(buf));

        /* trust anchor used to verify the server's certificate */
        if (!SSL_CTX_load_verify_locations(ctx, "ca.crt", NULL)) { ERR_print_errors_fp(stderr); return 1; }
        /* certificate and key offered when the server sends a CertificateRequest */
        if (!SSL_CTX_use_certificate_file(ctx, "client.crt", SSL_FILETYPE_PEM)) { ERR_print_errors_fp(stderr); return 1; }
        if (!SSL_CTX_use_PrivateKey_file(ctx, "client.key", SSL_FILETYPE_PEM)) { ERR_print_errors_fp(stderr); return 1; }

        if ((bio = BIO_new_ssl_connect(ctx)) == NULL) { ERR_print_errors_fp(stderr); return 1; }
        BIO_get_ssl(bio, &ssl);
        SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
        BIO_set_conn_hostname(bio, "localhost:9443");
        if (BIO_do_connect(bio) <= 0) { ERR_print_errors_fp(stderr); return 1; }

        /* result of verifying the server's certificate against ca.crt */
        if (SSL_get_verify_result(ssl) != X509_V_OK) { ERR_print_errors_fp(stderr); return 1; }
        peerCert = SSL_get_peer_certificate(ssl);
        if (peerCert == NULL) { fprintf(stderr, "no peer certificate\n"); return 1; }
        xname = X509_get_subject_name(peerCert);
        X509_NAME_get_text_by_NID(xname, NID_commonName, buf, sizeof(buf));
        printf("buf = %s\n", buf);
        X509_free(peerCert);

        memset(buf, 0, sizeof(buf));
        printf("Reading from BIO\n");
        /* leave one byte for the terminating NUL so buf can be printed as a string */
        if (BIO_read(bio, buf, sizeof(buf) - 1) <= 0) { ERR_print_errors_fp(stderr); return 1; }
        printf("buf = %s\n", buf);
        BIO_free_all(bio);
        SSL_CTX_free(ctx);
        return 0;
    }

I think my certificates are fine. I can regenerate them and paste here the exact commands I use if you think it's necessary!

Again, thanks and any feedback is appreciated as I am completely stuck! =(

Regards,
Felipe

On 1 Feb 2010, at 14:18, Eisenacher, Patrick wrote:

Hi Felipe,

-----Original Message-----
From: Felipe Franciosi

> [snip]
>
>     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE, NULL);
>
> I believe my client is irrelevant at this point, because if I use "openssl s_server", it works beautifully with my client. However, when I use my server and my client (or openssl s_client), it fails accusing my client of not providing the certificate. All points to my server not requesting the client certificate properly.

You configured your server to stop the handshake if the client doesn't provide a certificate. And that's - according to the information you provide - exactly what you see.

So all points to your client indeed: you have to find out why your client does not send the certificate that your server requests.

If you use s_client with your server, I guess you'll see the certificate request message your server is sending. In that message the server tells the client which CAs and which certificates it accepts.

So either your client's code is buggy (do you check for error conditions in your OpenSSL invocations? Your snippet didn't seem to indicate so), it can't access its certificate, its certificate is not of the types requested by the server, or its certificate is not issued by one of the CAs accepted by the server - as indicated in the above mentioned certificate request message.

HTH,
Patrick Eisenacher

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
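The two handshakes the thread argues about (client presents a CA-issued certificate vs. client presents none, against a server configured with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT) can be reproduced offline with Python's standard-library ssl module. This is an added example, not code from anyone on the thread; it assumes the openssl CLI is on PATH and mints a throw-away CA, server certificate for localhost and client certificate (CN "felipe-client", CA "Example Test CA", both constructed names) in a temporary directory. `ssl.CERT_REQUIRED` on the server context is the equivalent of the two verify flags above.

```python
"""Added example (not from the thread): reproduce both outcomes described above.
Certificates are constructed test material minted with the openssl CLI."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def mint_certs(workdir):
    """Constructed test PKI: self-signed CA, CA-signed server cert for 'localhost',
    CA-signed client cert. Assumes the openssl CLI is available."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl CLI not found; cannot mint test certificates")

    def openssl(*args):
        subprocess.run(["openssl", *args], cwd=workdir, check=True, capture_output=True)

    with open(os.path.join(workdir, "san.cnf"), "w") as f:
        f.write("subjectAltName=DNS:localhost\n")
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-keyout", "ca.key", "-out", "ca.crt", "-subj", "/CN=Example Test CA")
    for name, cn, ext in (("server", "localhost", ["-extfile", "san.cnf"]),
                          ("client", "felipe-client", [])):
        openssl("req", "-newkey", "rsa:2048", "-nodes", "-keyout", f"{name}.key",
                "-out", f"{name}.csr", "-subj", f"/CN={cn}")
        openssl("x509", "-req", "-in", f"{name}.csr", "-CA", "ca.crt", "-CAkey", "ca.key",
                "-CAcreateserial", "-days", "1", "-out", f"{name}.crt", *ext)


def server_context(workdir):
    """Server side: present server.crt, trust ca.crt for client certificates and
    require one (CERT_REQUIRED == SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(os.path.join(workdir, "server.crt"), os.path.join(workdir, "server.key"))
    ctx.load_verify_locations(os.path.join(workdir, "ca.crt"))
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def client_context(workdir, present_cert):
    """Client side: verify the server against ca.crt and, optionally, load the
    certificate and key that answer the server's CertificateRequest."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname and CERT_REQUIRED by default
    ctx.load_verify_locations(os.path.join(workdir, "ca.crt"))
    if present_cert:
        ctx.load_cert_chain(os.path.join(workdir, "client.crt"), os.path.join(workdir, "client.key"))
    return ctx


def handshake(server_ctx, client_ctx):
    """Run one handshake over a socketpair and report what the server side saw."""
    server_sock, client_sock = socket.socketpair()
    outcome = {}

    def serve():
        try:
            with server_ctx.wrap_socket(server_sock, server_side=True) as tls:
                subject = {k: v for rdn in tls.getpeercert()["subject"] for k, v in rdn}
                outcome["server"] = "ok"
                outcome["peer_cn"] = subject.get("commonName")
        except OSError as exc:  # ssl.SSLError; reason is e.g. PEER_DID_NOT_RETURN_A_CERTIFICATE
            outcome["server"] = "error: " + str(getattr(exc, "reason", None) or exc)

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with client_ctx.wrap_socket(client_sock, server_hostname="localhost"):
            pass  # the handshake runs inside wrap_socket; nothing else is exchanged
    except OSError:
        pass  # whether the client notices the failure depends on the TLS version
    worker.join()
    return outcome


def run_demo():
    """Return the server-side outcome with and without a client certificate."""
    with tempfile.TemporaryDirectory() as workdir:
        mint_certs(workdir)
        with_cert = handshake(server_context(workdir), client_context(workdir, True))
        without_cert = handshake(server_context(workdir), client_context(workdir, False))
    return {"with_cert": with_cert, "without_cert": without_cert}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result)
```

With the certificate loaded the server reports "ok" and the peer's CN; without it the server-side handshake fails with an error that names the missing peer certificate, which is the same failure the thread describes. In C the server-side counterpart of `load_verify_locations` is `SSL_CTX_load_verify_locations` for the trust store plus `SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file("ca.crt"))`, which fills the CA list that the CertificateRequest advertises and that `openssl s_client` prints as "Acceptable client certificate CA names"; comparing that list with `openssl x509 -noout -issuer -in client.crt` is the quickest way to rule out the CA mismatch Patrick mentions.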