From: Douglas <[EMAIL PROTECTED]>

douglas> I've written some code that must function both as client and
douglas> server. The server part works fine, since the server is also
douglas> a webserver I've verified that the server part is able to
douglas> verify a client by importing a cert into Navigator and using
douglas> Navigator to connect to the server. Now I want the server to
douglas> contact another instance of the same server (on another
douglas> machine). The context I use is created by NET_ssl_ctx_new
douglas> (somewhat edited below for readability). NET_vp_ssl_connect
douglas> is supposed to return a BIO so that I can write stuff to the
douglas> server, e.g. commands for changing how the server behaves. No
douglas> errors are thrown, but when I try to use the BIO returned by
douglas> NET_vp_ssl_connect it throws an error.

Looking at the code, I assume that the certificate and key that you
"register" in NET_ssl_ctx_new are the server certificate and key,
which would explain why that part works.  But in that case, you're not
"registering" any client-side certificate or key anywhere.  What you
need is to add two lines between SSL_new() and SSL_set_fd():

        SSL_use_certificate_file(ssl, scr_ctx->client_cert, SSL_FILETYPE_PEM);
        SSL_use_PrivateKey_file(ssl, scr_ctx->client_key, SSL_FILETYPE_PEM);

Unless you wanted to use exactly the same certificate and key for both
ends of the communication?  I find that use dubious, especially if you
have some kind of constraints or use extensions in your cert.

Also, you didn't say what kind of error the BIO throws at you...

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis             -- [EMAIL PROTECTED]
           Member of the OpenSSL development team

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
