Hi Dave,

I have identified the following calls for loading the keys and certificates into the CTX: SSL_CTX_use_certificate_chain_file and SSL_CTX_use_PrivateKey_file.

Thank you for helping me all through this mail. This thread can be closed.

Thanks,
Pradeep.

Dave Thompson-5 wrote:
>
>> From: [email protected] On Behalf Of pradeepreddy
>> Sent: Monday, 20 September, 2010 09:12
>
>> Now I understood the certificate internals.
>> In my code, SSL_CTX_load_verify_locations and
>> SSL_CTX_set_client_CA_list(soap->ctx, SSL_load_client_CA_file(soap->cafile)),
>> these 2 calls are passed the servercert.pem and clientcert.pem files in the
>> soap->cafile parameter. And I grabbed soap->cafile and soap->capath from the
>> soap_ssl_server_context & soap_ssl_client_context calls; in turn these two
>> calls read from my own defined XML schema.
>>
>> Instead we should pass their respective CA file, i.e., cacert.pem; this is
>> what I understood, clear me if I am wrong.
>>
>> If we pass the cacert.pem file in these, which call in the OpenSSL library
>> will load the servercert.pem and clientcert.pem files, because these are the
>> 2 files the client and server have to pass each other in the handshake?
>> Please let me know.
>
> I'm sorry, but I can't understand from this what you're doing.
>
> What needs to happen at the OpenSSL level is:
>
> - each peer calls SSL_[CTX_]use_PrivateKey* and use_certificate*
>   with ITS OWN key and certificate, e.g. client calls with
>   clientkey and clientcert, server calls with serverkey and servercert.
>   There are several variants of these calls, but since you have
>   the data in PEM files, it's easiest to use the _file variants.
>
> - each peer calls SSL_CTX_load_verify_locations specifying
>   a file which is (your private) cacert.pem, or a directory
>   that contains that file. The former (one file) is easier.
>
> - there is no need to call set_client_CA_list (or the
>   misnamed load_client_CA_file). This function is needed
>   (in the server only) when authenticating clients that
>   (try to) select varying identities per the server,
>   like for example web browsers. In your case the client
>   is also gsoap/OpenSSL, and it uses one configured
>   identity regardless of the server CA list.
>
> *Where* these should be done, and in particular what should be
> in your code or should be or is in gsoap I don't know.
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [email protected]
> Automated List Manager [email protected]

--
View this message in context: http://old.nabble.com/OPENSSL-SSL_Connect-blocking-tp29708086p29765902.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
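Added example (not code from this thread, from gsoap, or from OpenSSL): the three steps Dave lists, wired up for both peers so the file-to-call mapping the question asks about is visible in one place. It uses Python's standard-library ssl module as a thin stand-in for the C API; the mapping assumed here is load_cert_chain -> SSL_CTX_use_certificate_chain_file + SSL_CTX_use_PrivateKey_file, load_verify_locations -> SSL_CTX_load_verify_locations, and verify_mode = CERT_REQUIRED -> SSL_CTX_set_verify with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT. The file names (serverkey.pem, servercert.pem, clientkey.pem, clientcert.pem, cacert.pem) are placeholders in the spirit of the thread, the CN values are constructed, and the throw-away PKI is built with the openssl command-line tool purely as a test fixture; nothing calls set_client_CA_list, and the loopback handshake still completes with each side verifying the other against cacert.pem.

```python
"""Each TLS peer loads ITS OWN key/cert, then the shared private CA.
Added example using Python's stdlib ssl module as a stand-in for the
OpenSSL C calls; file names and CNs are constructed placeholders."""
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def configure_peer(ctx, own_cert, own_key, ca_file):
    """Step 1: this peer's identity (use_certificate_chain_file + use_PrivateKey_file).
    Step 2: the CA that signed the OTHER peer's cert (load_verify_locations).
    Step 3: insist the peer presents a cert that chains to that CA.
    Returns None on success, else a string naming the step that failed."""
    try:
        ctx.load_cert_chain(certfile=own_cert, keyfile=own_key)
    except (OSError, ssl.SSLError) as exc:
        return f"own identity: {exc}"
    try:
        ctx.load_verify_locations(cafile=ca_file)
    except (OSError, ssl.SSLError) as exc:
        return f"trust anchor: {exc}"
    ctx.verify_mode = ssl.CERT_REQUIRED  # verify the peer; fail if it sends no cert
    return None


def make_contexts(d):
    """Server loads serverkey/servercert, client loads clientkey/clientcert,
    and BOTH load the same cacert.pem. No set_client_CA_list anywhere."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    errs = [
        configure_peer(srv, f"{d}/servercert.pem", f"{d}/serverkey.pem", f"{d}/cacert.pem"),
        configure_peer(cli, f"{d}/clientcert.pem", f"{d}/clientkey.pem", f"{d}/cacert.pem"),
    ]
    return srv, cli, [e for e in errs if e]


def make_test_pki(d):
    """Constructed throw-away PKI (test fixture only, via the openssl CLI):
    one private CA signing a server cert (SAN localhost) and a client cert."""
    def run(*args):
        subprocess.run(["openssl", *args], check=True, capture_output=True, cwd=d)
    run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
        "-subj", "/CN=Example Private CA", "-keyout", "cakey.pem", "-out", "cacert.pem")
    for name, cn in (("server", "localhost"), ("client", "gsoap-client")):
        run("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
            "-keyout", f"{name}key.pem", "-out", f"{name}.csr")
        with open(f"{d}/{name}.ext", "w") as f:
            f.write(f"subjectAltName=DNS:{cn}\n")
        run("x509", "-req", "-days", "1", "-in", f"{name}.csr", "-CA", "cacert.pem",
            "-CAkey", "cakey.pem", "-CAcreateserial", "-extfile", f"{name}.ext",
            "-out", f"{name}cert.pem")


def mutual_handshake(srv, cli):
    """One loopback TLS handshake; returns the CN each side saw in the other's cert."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    seen = {}

    def serve():
        conn, _ = lsock.accept()
        with srv.wrap_socket(conn, server_side=True) as s:  # server verifies the client cert
            seen["server_saw"] = dict(s.getpeercert()["subject"][0])["commonName"]
            s.sendall(b"ok")

    t = threading.Thread(target=serve)
    t.start()
    with socket.create_connection(lsock.getsockname()) as raw, \
            cli.wrap_socket(raw, server_hostname="localhost") as c:  # client verifies the server
        seen["client_saw"] = dict(c.getpeercert()["subject"][0])["commonName"]
        c.recv(2)
    t.join()
    lsock.close()
    return seen


def demo():
    """Run the whole flow in a temp dir. Without the openssl CLI only the
    missing-file failure mode of configure_peer is exercised."""
    d = tempfile.mkdtemp()
    try:
        if not shutil.which("openssl"):
            return {"errors": make_contexts(d)[2]}
        try:
            make_test_pki(d)
        except subprocess.CalledProcessError as exc:
            return {"errors": [f"test pki: {exc}"]}
        srv, cli, errs = make_contexts(d)
        if errs:
            return {"errors": errs}
        result = mutual_handshake(srv, cli)
        result["server_requires_client_cert"] = srv.verify_mode == ssl.CERT_REQUIRED
        return result
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` on a machine with the openssl CLI prints that the server saw the client's CN and the client saw `localhost`; the point of the layout is that the two leaf files never go anywhere near load_verify_locations, and the server needs no client CA list for a single-identity client like gsoap to send its certificate.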
