SSL based client authentication

Wed, 07 Feb 2007 07:44:47 -0800 

Hi,

I'm writing my own webserver and I want it to be able to do SSL based client
authentication. It can already do HTTPS, but when I try to do the SSL based
client authentication, the connection gets dropped. I use the following
routine to bind a SSL socket.

SSL_CTX *ssl_binding(char *keyfile, char *CA_cert, int verify_depth, char
*dh_file, char *ciphers) {
    SSL_METHOD *meth;
    SSL_CTX    *context;

    if ((meth = SSLv23_method()) == NULL) {
        fprintf(stderr, "SSLv23_method() error\n");
        return NULL;
    }
    if ((context = SSL_CTX_new(meth)) == NULL) {
        fprintf(stderr, "SSL_CTX_new() error\n");
        return NULL;
    }

    SSL_CTX_set_options(context, SSL_OP_NO_SSLv2);

    if (SSL_CTX_use_certificate_chain_file(context, keyfile) != 1) {
        fprintf(stderr, "Error while reading certificate from %s\n",
keyfile);
        return NULL;
    }

    SSL_CTX_set_default_passwd_cb(context, sslPasswordCB);
    if (SSL_CTX_use_PrivateKey_file(context, keyfile, SSL_FILETYPE_PEM) !=
1) {
        fprintf(stderr, "Error while reading private key from %s\n",
keyfile);
        return NULL;
    }

    if (CA_cert != NULL) {
        SSL_CTX_load_verify_locations(context, CA_cert, NULL);
        SSL_CTX_set_verify_depth(context, verify_depth);
        SSL_CTX_set_verify(context, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
    }
    if (dh_file != NULL) {
        if (load_dh_params(context, dh_file) == -1) {
            return NULL;
        }
    }
    if (ciphers != NULL) {
        if (SSL_CTX_set_cipher_list(context, ciphers) == 0) {
            return NULL;
        }
    }

    return context;
}

When CA_cert is NULL, no SSL client authentication is done, and everything
(HTTPS) works fine. But when I specify a CA certificate via CA_cert, I get a
"select certificate" window in IE6, but when I chose a certificate (it is a
valid one) the connection gives errors. Some of the HTTP content gets
through to the browser, some (like the pictures inside the HTML page) not.
The SSL_read() en SSL_write() give me (via SSL_get_error()) the
SSL_ERROR_SSL value. I've searched and googled, but I can't find anything
that looks like my problem.

I hope anyone can tell what I am doing wrong or point me to some good
documentation. Thanks!


P.S.
Sorry for the bad english :)
-- 
View this message in context: 
http://www.nabble.com/SSL-based-client-authentication-tf3169307.html#a8791684
Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to