On Fri, Dec 08, 2000 at 11:14:07AM -0500, Sudeep Sudhakaran wrote:
> Hi,
> 
> I have seen a lot of posting on client certificate validation. But no clean 
> answer to client authentication. I see a reply and finally the poster 
> replies saying it doesn't work.  It seems a lot of people have problems with 
> this and never got a perfect answer.
> 
> 
> I like to implement mutual certificate authentication. I used the sample 
> code in all the postings.
> Whenever I do a get_peer_certificate function on the serverside, it returns 
> NULL. Being the prime contact person on this list, could you please help me 
> setting up a sample client program which presents certificate to server so 
> that get_peer_certificate won't return NULL and I can do verify on the 
> certificate.

First step is to understand the TLS protocol. The client will present
a certificate if and only if explicitly asked by the server.
Hence it is mandatory to use the SSL_CTX_set_verify() command in the
server software:
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, callback_function);
(More details to be found in the manual page for SSL_CTX_set_verify().)

If this flag is being set, an OpenSSL client doing SSL_connect() will send
its certificate (provided certificate and private key have been installed
successfully) to the server.
(More details: the server will send a list of CAs of which it will accept
client certificates; OpenSSL clients tend to ignore this list and send
the certificate they have, matching the CA or not. To use this CA list
feature, please check out the manual pages for SSL_CTX_load_verify_locations()
and SSL_CTX_set_client_CA_list().)

If you don't have these manual pages available, the latest state can always
be accessed in the documentation section at www.openssl.org.

The s_server and s_client applications as part of the OpenSSL package
successfully use certificates.
I am successfully using certificates with my Postfix/TLS patchkit (SMTP with
TLS enhancement for the postfix email-software), which is available from
my homepage. I can 100% assure you that it works!

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]