On Mon, Sep 17, 2007 at 05:43:16AM -0700, avizel wrote:

> 
> Our server application expects connecting clients to show their
> certificate so it can check their CN, OU and decide what permissions to allow
> that client.
> 
> I generated a client certificate and embedded encrypted private key in it.
> Everything works.
> 
> But now I want to avoid using the client's private key, to avoid the hassle
> of managing the private key and storing passwords for it. It seems that public
> encryption is the way to go.  (Sorry, I'm still very confused about the
> terminology.)
> 
> I generated a client certificate without a private key in it and no longer
> call the following functions, which I had before:
> SSL_CTX_set_default_passwd_cb(...);
> SSL_CTX_use_PrivateKey_file(...);
> 
> But now SSL_connect fails returning -1 and SSL_get_error doesn't give me a
> clue. What am I doing wrong?
> 
> Is it possible to achieve?  

No, TLS clients don't just present client certs, they sign the handshake
with the corresponding private key. It is not possible or useful to accept
public key certs without proof that the peer holds the corresponding private
key.

-- 
        Viktor.
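Added example (not from the thread, and using Python's ssl module rather than the C API of the question): the server side of what Viktor describes. Requiring verification makes the handshake itself prove possession of the private key, after which the application only reads CN/OU from the verified certificate; the OU-to-permission table and the sample certificate dictionary are constructed for illustration.

```python
import ssl

# Constructed policy for the example: which OU is granted which permissions.
OU_PERMISSIONS = {
    "operators": {"read", "write"},
    "auditors": {"read"},
}

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# "subject" is a tuple of RDNs, each RDN a tuple of (type, value) pairs.
SAMPLE_PEERCERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationalUnitName", "operators"),),
        (("commonName", "client1"),),
    ),
}


def build_server_context(certfile=None, keyfile=None, cafile=None):
    """Server context that will not complete the handshake unless the client
    presents a certificate chaining to `cafile` and signs the handshake with the
    matching private key (CERT_REQUIRED). The file arguments are optional only so
    the function can be exercised without key material on disk."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED   # CERT_NONE/CERT_OPTIONAL would let keyless clients in
    if cafile:
        ctx.load_verify_locations(cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def subject_fields(peercert):
    """Flatten the nested subject tuples of getpeercert() into a dict,
    keeping the first value seen for each attribute type."""
    fields = {}
    for rdn in peercert.get("subject", ()):
        for attr_type, value in rdn:
            fields.setdefault(attr_type, value)
    return fields


def permissions_for(peercert):
    """Map a verified peer certificate to a permission set. getpeercert()
    returns an empty dict when no certificate was presented (only possible
    without CERT_REQUIRED); treat that, and an unknown OU, as no access."""
    if not peercert:
        return set()
    ou = subject_fields(peercert).get("organizationalUnitName")
    return set(OU_PERMISSIONS.get(ou, set()))
```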
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]