Re: simple server with using openssl
On Saturday, October 06, 2012 at 01:37:06PM -0400, Indtiny s wrote:

> Hi,
>
> Thanks for the information. I got the server part from this link:
> http://www.rtfm.com/openssl-examples/
>
> I started the server but I am getting the following error when I am trying

You did not say exactly which 'server' you started, perhaps the 'wserver' from the openssl-examples-20020110.

> run the client by
> $curl http://127.0.0.1:8080

You should use an SSL client, for example 'wclient' from the examples or openssl's s_client;

> At the server side:
> 3078153864:error:140EC0AF:SSL routines:SSL2_READ_INTERNAL:non sslv2 initial packet:s2_pkt.c:187:

I think this is normal, because you did not contact the server with some SSL client;

> At the client side:
> curl: (56) Recv failure: Connection reset by peer

normal too;

HIH

matthias

--
Matthias Apitz               |  /\   ASCII Ribbon Campaign: www.asciiribbon.org
E-mail: g...@unixarea.de     |  \ /  - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |   X   - No proprietary attachments
phone: +49-170-4527211       |  / \  - Respect for open standards
__
OpenSSL Project                  http://www.openssl.org
User Support Mailing List        openssl-users@openssl.org
Automated List Manager           majord...@openssl.org
Re: simple server with using openssl
Hi,

Thanks. I tried that and it works. Now let me know how to use it for my application. I need a very simple webserver which receives the *https post and get* requests from any *external client* and provides a proper response to the client. In my application the maximum number of clients would be two.

Can you please tell me what the necessary changes are that I need to look into in the openssl server code in order to obtain the above features?

Rgds
Indu
Re: Best practice for client cert name checking
On Sat, Oct 6, 2012 at 2:52 PM, Charles Mills charl...@mcn.org wrote:

> I have recently written a product that incorporates SSL/TLS server code that processes client certificates. I designed what I thought made sense at the time but now I am wondering if what I did was best.
>
> In the product's configuration file the sysadmin may optionally include a whitelist of client names. If the sysadmin does so, then the server requests a client certificate. At least one of the names (subject O= and Alternative names, including wildcards) in the certificate must match one of the names in the whitelist or I reject the session.
>
> Something I saw recently got me to wondering whether I should have made some sort of provision for checking IP addresses: perhaps verifying that the client IP address appeared in the Alternative names in the client certificate as well as in the whitelist? Or perhaps that the IP address matched an alternative name and the subject name appeared in the whitelist? Comments?

You don't say what you're trying to achieve! But whatever it is, none of the above makes a lot of sense - anyone can make a cert with whatever subject and alternate names they want...
RE: Best practice for client cert name checking
Trying to achieve client authentication. Should I have said certificate signed by a CA known to the server?

Charles

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Ben Laurie
Sent: Saturday, October 06, 2012 10:38 AM
To: openssl-users@openssl.org
Subject: Re: Best practice for client cert name checking

On Sat, Oct 6, 2012 at 2:52 PM, Charles Mills charl...@mcn.org wrote:

> I have recently written a product that incorporates SSL/TLS server code that processes client certificates. I designed what I thought made sense at the time but now I am wondering if what I did was best.
>
> In the product's configuration file the sysadmin may optionally include a whitelist of client names. If the sysadmin does so, then the server requests a client certificate. At least one of the names (subject O= and Alternative names, including wildcards) in the certificate must match one of the names in the whitelist or I reject the session.
>
> Something I saw recently got me to wondering whether I should have made some sort of provision for checking IP addresses: perhaps verifying that the client IP address appeared in the Alternative names in the client certificate as well as in the whitelist? Or perhaps that the IP address matched an alternative name and the subject name appeared in the whitelist? Comments?

You don't say what you're trying to achieve! But whatever it is, none of the above makes a lot of sense - anyone can make a cert with whatever subject and alternate names they want...
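
An added example, not code from any message in this thread or from OpenSSL: the whitelist decision from the thread, written so that certificate names count only once the chain has verified against a CA the server trusts. The function names, the `chain_ok` flag (with OpenSSL it would come from a present peer certificate plus `SSL_get_verify_result()` returning `X509_V_OK`), the wildcard rule and the sample data are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive equality for DNS names and O= values. */
static bool eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* Assumed wildcard rule: a whitelist entry "*.suffix" covers exactly one
 * non-empty left-most label; any other entry must match the whole name. */
static bool name_matches(const char *entry, const char *name) {
    if (strncmp(entry, "*.", 2) != 0)
        return eq_nocase(entry, name);
    const char *dot = strchr(name, '.');
    if (dot == NULL || dot == name)
        return false;
    return eq_nocase(entry + 1, dot);
}

/* chain_ok is the caller's result of verifying the peer chain against its
 * trusted CAs. Names from an unverified certificate are never consulted. */
bool client_authorized(bool chain_ok, const char *const *names, size_t n_names,
                       const char *const *whitelist, size_t n_wl) {
    if (!chain_ok)
        return false;
    for (size_t i = 0; i < n_names; i++)
        for (size_t j = 0; j < n_wl; j++)
            if (name_matches(whitelist[j], names[i]))
                return true;
    return false;
}

/* Constructed sample data: a whitelist and names taken from two certificates. */
static const char *const WHITELIST[] = { "Example Corp", "*.clients.example.com" };
static const char *const CERT_A[] = { "Other Org", "host1.clients.example.com" };
static const char *const CERT_B[] = { "Other Org", "a.b.clients.example.com" };

int main(void) {
    printf("trusted chain, listed name:   %d\n", client_authorized(true, CERT_A, 2, WHITELIST, 2));
    printf("untrusted chain, same names:  %d\n", client_authorized(false, CERT_A, 2, WHITELIST, 2));
    printf("trusted chain, unlisted name: %d\n", client_authorized(true, CERT_B, 2, WHITELIST, 2));
    return 0;
}
```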