Thanks for your answer.
> The name in the certificate will not be automatically verified for you. Your application has to verify that the name specified in the certificate somehow matches who your peer claims to be. So if a client verifies a server's certificate, it should make sure that the name in the certificate matches the hostname it used to connect to this server. With the client it's usually app-specific -- somewhere as part of your protocol your client is probably supplying a username or something like that -- this username should be verified to be mentioned in the certificate. If your server doesn't do any authentication of the client, you don't need the client certificate at all.
For now, I don't even want to verify anything, and even when implementing the server and using it with a web browser, I have problems: Firefox works quite fine, but I can't get any page displayed with IE 6.

I've read the man pages for SSL_accept and the only clue I first found was the non-blocking socket. And mine was already non-blocking.
What do you mean then?
I tried to continue despite the WANT_READ error, and when I call BIO_gets it does not read anything: it returns -1 (and SSL_ERROR_SSL if I use SSL_get_error, which I'm not sure about).

> When the socket is non-blocking you have to pretty much always assume that any call can fail with WANT_READ or WANT_WRITE and you will have to just repeat the call again. Usually it is a good idea to do an appropriate (read or write) select() before repeating the call.
What if I use a blocking socket?
Anyway, as I can now start to connect to my server via a web browser, I'm coming to the client part.
SSL_connect always returns 0.
Here are the pieces of code I wrote:

----------------------------------------------------------------------------------------------------------------------------------
client part:

   /* Build our SSL context */
   SSL_METHOD *meth;
   /* Global system initialization */
   SSL_library_init();
   SSL_load_error_strings();
   //OpenSSL_add_all_algorithms();
   /* Create our context */
   meth = SSLv23_method();
   ctxSSLContext = SSL_CTX_new(meth);
   if (!(SSL_CTX_load_verify_locations (ctxSSLContext, CA_LIST, NULL)))
   {
       printf ("Can't read CA list\n");
   }

   /* Connect the SSL socket */
   sslSocket = SSL_new (ctxSSLContext);
   //SSL_set_fd (sslSocket, SocketId);
   if (!sslSocket)
   {
           printf(" sslSocket is NULL\n");
   }
   bioSSLSocket = BIO_new_socket (SocketId, BIO_NOCLOSE);
   if (!bioSSLSocket)
   {
           printf (" bioSSLSocket is NULL\n");
   }
   SSL_set_bio (sslSocket, bioSSLSocket, bioSSLSocket);
   int r = SSL_connect (sslSocket);
   if (r <= 0)
   {
       /* Pass the SSL_connect return value to SSL_get_error; a new 'r'
          declared here would shadow it and be read uninitialized. */
       int err = SSL_get_error (sslSocket, r);
       printf ("SSL_connect error %d \n", err);
   }
   printf ("SSL connect connection using %s\n", SSL_get_cipher (sslSocket));

----------------------------------------------------------------------------------------------------------------------------------
server part:
   /* Build our SSL context */
   SSL_METHOD *meth;
   /* Global system initialization */
   SSL_library_init();
   SSL_load_error_strings();
   //OpenSSL_add_all_algorithms();
   /* Create our context */
   meth = SSLv23_method();
   ctxSSLContext = SSL_CTX_new(meth);

   if (!(SSL_CTX_use_certificate_chain_file (ctxSSLContext, KEYFILE)))
   {
       printf ("Can't read certificate server file\n");
   }

   SSL_CTX_set_default_passwd_cb (ctxSSLContext, SSHPasswordCallback);

   if (!(SSL_CTX_use_PrivateKey_file (ctxSSLContext, KEYFILE, SSL_FILETYPE_PEM)))
   {
       printf ("Can't read key file\n");
   }
   if (!SSL_CTX_check_private_key (ctxSSLContext))
   {
       printf ("Can't check key file\n");
   }
   if (!(SSL_CTX_load_verify_locations (ctxSSLContext, CA_LIST, NULL)))
   {
       printf ("Can't read CA list\n");
   }

   /* SSL */
   ptrSocket->sslSocket = SSL_new (ctxSSLContext);
   //SSL_set_fd (ptrSocket->sslSocket, GetSocketId ());
   if (!ptrSocket->sslSocket)
   {
       printf(" sslSocket is NULL\n");
   }
   ptrSocket->bioSSLSocket = BIO_new_socket (GetSocketId (), BIO_NOCLOSE);
   if (!ptrSocket->bioSSLSocket)
   {
       printf(" bioSSLSocket is NULL\n");
   }
   /* Same per-connection objects as above; the BIO is used for both directions */
   SSL_set_bio (ptrSocket->sslSocket, ptrSocket->bioSSLSocket, ptrSocket->bioSSLSocket);
   //SSL_set_mode (ptrSocket->sslSocket, SSL_MODE_AUTO_RETRY);
   int iError = SSL_accept (ptrSocket->sslSocket);

   if (iError <= 0)
   {
       int r = SSL_get_error (ptrSocket->sslSocket, iError);
       printf ("SSL_accept error %d \n", r);
   }
   printf ("SSL accept connection using %s\n", SSL_get_cipher (ptrSocket->sslSocket));
   /* Buffering BIO on top of an SSL BIO, so that BIO_gets/BIO_read go through the TLS session */
   ptrSocket->bioIO = BIO_new (BIO_f_buffer ());
   ptrSocket->bioSSL_BIO = BIO_new (BIO_f_ssl ());
   BIO_set_ssl (ptrSocket->bioSSL_BIO, ptrSocket->sslSocket, BIO_CLOSE);
   BIO_push (ptrSocket->bioIO, ptrSocket->bioSSL_BIO);

----------------------------------------------------------------------------------------------------------------------------------

And in my socket Send and Receive methods, I use the BIO_read and BIO_write/BIO_flush functions.
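The retry loop described in the reply quoted above (WANT_READ or WANT_WRITE, then a select() in the direction OpenSSL asked for, then the same call again), as an added example that is not part of this thread or of either poster's code. It is written in Python because the standard library's ssl module wraps OpenSSL and raises ssl.SSLWantReadError / ssl.SSLWantWriteError exactly where C code gets SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE back from SSL_get_error, so the pattern can run offline here. FakeHandshake and StalledHandshake are constructed stand-ins for ssl_sock.do_handshake on a socketpair (a real handshake would need a certificate); drive_nonblocking is the part you would reuse unchanged with a real SSLSocket. The deadline is deliberate: a loop that retries forever lets a peer that never sends its next flight pin the connection indefinitely.

```python
import select
import socket
import ssl
import time


def drive_nonblocking(op, sock, timeout=5.0):
    """Run one TLS operation to completion on a non-blocking socket.

    op is a zero-argument callable such as ssl_sock.do_handshake (or a
    read/write bound with its arguments).  When OpenSSL reports WANT_READ or
    WANT_WRITE (SSLWantReadError / SSLWantWriteError in Python), the socket
    is simply not ready yet: wait for it with select() in the direction that
    was requested and call the *same* operation again.  A deadline bounds the
    wait so an unresponsive peer cannot hang the caller.
    Returns (result_of_op, number_of_attempts).
    """
    deadline = time.monotonic() + timeout
    attempts = 0
    while True:
        attempts += 1
        try:
            return op(), attempts
        except ssl.SSLWantReadError:
            readers, writers = [sock], []      # wait until readable
        except ssl.SSLWantWriteError:
            readers, writers = [], [sock]      # wait until writable
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError("TLS operation did not complete before the deadline")
        ready_r, ready_w, _ = select.select(readers, writers, [], remaining)
        if not ready_r and not ready_w:
            raise TimeoutError("socket never became ready")


class FakeHandshake:
    """Constructed stand-in for ssl_sock.do_handshake on a socketpair.

    It reproduces the sequence a real non-blocking handshake produces:
    WANT_READ (the peer's flight has not arrived yet), then WANT_WRITE,
    then success.
    """

    def __init__(self, sock, peer):
        self.sock, self.peer, self.calls = sock, peer, 0

    def __call__(self):
        self.calls += 1
        if self.calls == 1:
            self.peer.sendall(b"\x16")   # constructed: the peer's data shows up, select() will see it
            raise ssl.SSLWantReadError()
        if self.calls == 2:
            self.sock.recv(1)            # consume what the retried call "read"
            raise ssl.SSLWantWriteError()
        return "handshake complete"


class StalledHandshake:
    """Constructed stand-in for a peer that never sends its next flight."""

    def __call__(self):
        raise ssl.SSLWantReadError()


def handshake_example():
    """Drive the fake handshake over a real non-blocking socketpair."""
    client, server = socket.socketpair()
    try:
        client.setblocking(False)
        server.setblocking(False)
        return drive_nonblocking(FakeHandshake(client, server), client, timeout=2.0)
    finally:
        client.close()
        server.close()


def stalled_peer_example():
    """Return True when the deadline correctly aborts a handshake that never progresses."""
    client, server = socket.socketpair()
    try:
        client.setblocking(False)
        try:
            drive_nonblocking(StalledHandshake(), client, timeout=0.2)
        except TimeoutError:
            return True
        return False
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    print(handshake_example())       # ('handshake complete', 3)
    print(stalled_peer_example())    # True
```

With a real connection the call is the same shape: wrap the socket with do_handshake_on_connect=False, set it non-blocking, then drive_nonblocking(ssl_sock.do_handshake, ssl_sock); reads and writes after the handshake get the same treatment, since OpenSSL can report WANT_READ from a write (renegotiation) and WANT_WRITE from a read.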


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
