Goetz Babin-Ebell wrote:
> 
> At 12:29 09.07.99 +0200, you wrote:
> >Hi All,
> 
> >closes the connection (server is set to verify). This connection did work
> >when I was still using 0.8.1.
> >
> >Any suggestions?
> 
> >       // CTX
> >       ctx = SSL_CTX_new(SSLv23_method());
> >       // This is newly added to disable TLSv1 (not in 0.8.1 code)
> >       SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_TLSv1);
> >       SSL_CTX_set_timeout(ctx, CTX_TIMEOUT);
> >       SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);
> >       SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
> >       SSL_CTX_set_verify(ctx, SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER,
> >verify_callback);
> >       SSL_CTX_load_verify_locations(ctx, NULL, CaPath);
> >       SSL_CTX_set_default_verify_paths(ctx);
> >
> >       // SLL
> >       ssl = SSL_new(ctx);
> >       SSL_set_connect_state(lpLink->ssl);
> >       SSL_set_fd(ssl, Socket); // ..give socket to ssl
> 
> >       SSL_CTX_use_certificate(ctx, X509_dup(gPubCert));
> >       SSL_CTX_use_RSAPrivateKey(ctx, RSAPrivateKey_dup(gRsaKey));
> 
> use SSL_use_certificate(ssl,gPubCert);
> and SSL_use_PrivateKey(ssl,pkey); or SSL_use_RSAPrivateKey(ssl,gRsaKey);
> 

Or move:

ssl = SSL_new(ctx);

so it is called *after* you've set up the certificate and key. This is
because the certificate and key information is now copied from the
SSL_CTX when SSL_new() is called.

In your code there isn't any certificate or key in the SSL_CTX structure
at the point SSL_new() is called: hence the displayed behaviour.

Also note: the use of SSL_CTX_use_RSAPrivateKey() is not recommended
unless you want to only allow the use of RSA keys. If possible use
SSL_CTX_use_PrivateKey() instead which takes an EVP_PKEY structure.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
