Dear all,

Using openssl (openssl 0.9.7), I have set up a CA and this CA has issued 2 certs - one for the client and the other for the server. I have checked that these certificates are ok.

I am attempting to write a SSL client-server program.

SSL Server: Java. It has a keystore, which contains the server cert and the CA cert.

SSL Client: C. In the program, using appropriate openssl calls, I have added the client certificate, the private key and the CA cert to the context. Please see the code snippet.
...

Initialization is successful, but the handshake fails. We first create the TCP socket and then "connect" as shown below. Then, we call SSL_connect, which fails with SSL_ERROR_SSL. At this point, the Java server outputs SSLException "No Trusted certificate".
>> If you want client authentication, you need to explicitly state this at the server side (i.e., you should ask the client to send the certificate). So to verify the authenticity of the certificate you should have the CA (who signed the cert) in your list of "trusted CAs".

I believe you need the following function..

SSL_CTX_set_verify()

I somewhere found that java does not support .pem format keystore (but I'm not sure). If I am right and if you are using .pem that might also be a reason.

Hope this helps,
Samy
#include <sys/socket.h>
#include <netinet/in.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

SSL *ssl;
int r;

/* Create the TCP socket and connect; host_id is the server's sockaddr_in,
   ctx and logger are set up earlier in the program. */
int sd = socket(AF_INET, SOCK_STREAM, 0);
int c = connect(sd, (struct sockaddr *) &host_id, sizeof(host_id));

/* By now, the SSL context is initialized and the TCP socket is connected.
   Now, SSLize the TCP socket. */
ssl = SSL_new(ctx);          /* create an SSL object from the SSL context */
r = SSL_set_fd(ssl, sd);     /* associate the network connection with the SSL object */

int err = SSL_connect(ssl);  /* initiate the SSL handshake   *********FAILS HERE************ */
if (err <= 0)
{
    int errcode = SSL_get_error(ssl, err);
    switch (errcode)
    {
        /* other cases */
        case SSL_ERROR_SSL:
            LogMesg(logger, LOGFATAL, "SSL connect: Protocol Error.");
            break;
    }
}
Can anyone please tell me what is happening?

Best regards,
Ambarish.
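Samy's point above (the server has to ask for a client certificate, and the CA that signed that certificate has to be on the server's list of trusted CAs) can be reproduced end to end without any keystore files. The following is an added example, not code from either poster: it is written with Go's standard library rather than the OpenSSL C API or Java, because Go can mint a throwaway CA plus server and client certificates in memory and drive both ends of the handshake in one process. The first run leaves the server's ClientCAs pool empty, which is the situation the Java server reports as "No Trusted certificate" and the C client sees as a failed SSL_connect; the second run puts the CA into that pool and the same certificates handshake cleanly. The names test-ca, server.example.test and client.example.test are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a short-lived P-256 certificate for name: a self-signed CA when parent == nil,
// otherwise a leaf signed by parent/parentKey. Constructed test material, generated at run time.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	isCA := parent == nil // the only CA in this example is the self-signed root
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, key
}

// mutualTLS runs one client-authenticated handshake over TCP loopback and returns the
// client- and server-side handshake errors as strings ("" = success). serverTrustsClientCA
// decides whether the CA that signed the client cert is in the server's ClientCAs pool.
func mutualTLS(serverTrustsClientCA bool) (clientErr, serverErr string) {
	ca, caKey := issue("test-ca", nil, nil)
	serverCert, _ := issue("server.example.test", ca.Leaf, caKey)
	clientCert, _ := issue("client.example.test", ca.Leaf, caKey)
	caPool := x509.NewCertPool()
	caPool.AddCert(ca.Leaf)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // ask the client for a cert and verify it
		ClientCAs:    x509.NewCertPool(),             // empty: nothing the client cert can chain to
		// TLS 1.2 so the client sees the alert inside the handshake, as SSL_connect does in the post.
		MaxVersion: tls.VersionTLS12,
	}
	if serverTrustsClientCA {
		serverCfg.ClientCAs = caPool // the CA that signed the client cert is now on the trusted list
	}
	clientCfg := &tls.Config{
		Certificates: []tls.Certificate{clientCert}, // client cert + private key
		RootCAs:      caPool,                        // CA that signed the server cert
		ServerName:   "server.example.test",
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		must(err)
		s := tls.Server(raw, serverCfg)
		done <- s.Handshake() // fails here when the client cert has no trusted issuer
		s.Close()
	}()
	if c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err != nil {
		clientErr = err.Error()
	} else {
		c.Close()
	}
	if err := <-done; err != nil {
		serverErr = err.Error()
	}
	return clientErr, serverErr
}

func main() {
	for _, trusted := range []bool{false, true} {
		c, s := mutualTLS(trusted)
		fmt.Printf("server trusts client CA=%v: client=%q server=%q\n", trusted, c, s)
	}
}
```

The client side only learns that the peer rejected its certificate; the server-side error is the one that names the missing trust anchor, so the server log is the more useful of the two messages when debugging a setup like the one in the post. In OpenSSL terms the client pieces correspond to SSL_CTX_load_verify_locations() for the CA, SSL_CTX_use_certificate_file() and SSL_CTX_use_PrivateKey_file() for the client cert and key, and Samy's SSL_CTX_set_verify() for the verification mode; the server-side equivalent of the ClientCAs pool is whatever the Java keystore/truststore holds for trusted CAs.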
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

- RE: SSL_connect fails with SSL_ERROR_SSL  Ambarish Mitra -