Hi everybody,
I have a problem when I want to use client authentication. I use OpenSSL
0.9.4.
Here is the code part on the client side:
================================== Client code
==========================================
SSL_load_error_strings();
/* Create a SSL context */
SSLeay_add_ssl_algorithms();
meth=SSLv3_client_method();
*ssl_ctx=SSL_CTX_new(meth);
if(!*ssl_ctx)
return -1;
/* Initialize client certificate and client private key */
if(SSL_CTX_use_certificate_file(*ssl_ctx,"ssl_client_cert.pem",SSL_FILETYPE_
PEM)<=0)
return -1;
if(SSL_CTX_use_PrivateKey_file(*ssl_ctx,"privkey.pem",SSL_FILETYPE_PEM)<=0)
return -1;
if(!SSL_CTX_check_private_key(*ssl_ctx))
return -1;
/* Need the server authentication */
SSL_CTX_set_verify(*ssl_ctx,SSL_VERIFY_PEER,NULL);
/* Set the path in which the trusted certificates are stored */
if(!SSL_CTX_load_verify_locations(*ssl_ctx,NULL,CA_PATH) ||
!SSL_CTX_set_default_verify_paths(*ssl_ctx))
return -1;
/* Start SSL negotiation */
*ssl_connection=SSL_new(ssl_ctx);
if(!*ssl_connection)
return -1;
SSL_set_fd(*ssl_connection,socket);
status=SSL_connect(*ssl_connection);
if(status==-1)
return status;
====================================== End of client code
===============================
Here is the code part on the server side:
==================================== Server code
====================================
/* Load the SSL error strings */
/* and add cipher algorithms */
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
/* Load the server methods */
server_meth=SSLv3_server_method();
/* Create a new SSL context */
*ssl_ctx=SSL_CTX_new(server_meth);
if(!*ssl_ctx)
return -1;
/* Initialize server certificate and server private key */
if(SSL_CTX_use_certificate_file(*ssl_ctx,config.certificate_file,SSL_FILETYP
E_PEM)<=0)
return -1;
if(SSL_CTX_use_PrivateKey_file(*ssl_ctx,config.private_key_file,SSL_FILETYPE
_PEM)<=0)
return -1;
/* Check if the private key corresponds to the public key */
if(!SSL_CTX_check_private_key(*ssl_ctx))
return -1;
/* Need the client authentication */
SSL_CTX_set_verify(*ssl_ctx,SSL_VERIFY_PEER,NULL);
/* Set the path in which the trusted certificate are stored */
if(!SSL_CTX_load_verify_locations(*ssl_ctx,NULL,CA_PATH)||
!SSL_CTX_set_default_verify_paths(*ssl_ctx))
return -1;
/* Perform the SSL handshake protocol */
*ssl_connection=SSL_new(ssl_ctx);
if(!*ssl_connection)
return -1;
/* Attach the socket identifier to the SSL connection */
SSL_set_fd(*ssl_connection,socket);
status=SSL_accept(*ssl_connection);
if(status==-1)
return status;
================================== End of server code
==============================
The error appears on the server side during the SSL_accept call. In fact,
the server crashes when it receives the client key exchange message. When it
performs a SSL3_read_bytes and then a BIO_read, these functions returns -1
as if the connection was broken.
When the server does not require the client authentication, the code works
fine. Moreover, there is not a readable error message since I only received
-1 as the return value.
If someone has an idea .........
Thanks in advance.
==============================
Christophe LAURENT
Security Laboratory
Corporate Research Rennes
Research & Innovation
Thomson Multimedia
1, Avenue Belle Fontaine
35 511 Cesson S�vign� - FRANCE
Tel : (33) 02.99.27.30.37
Fax : (33) 02.99.27.30.18
e-mail : [EMAIL PROTECTED]
==============================
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
