Ok... I created the certificates and private keys for server and client...

At the server side I'm using the certificate and the private key in the same file and calling SSL_CTX_use_PrivateKey_file() and SSL_CTX_use_certificate_chain_file() on this file. At the client side I'm using the "openssl s_client" command to test the server with the parameters "-key client.pem -cert client.crt". Up to here everything works fine...

But when I set "SSL_CTX_set_verify(context,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);" the server does not accept the session saying "5208:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:.\ssl\s3_srvr.c:2525:".

I tried to copy the client certificate to the same file, server.pem, but it's still not working.

Which private keys and certificates do I need to put in server.pem and/or client.pem/.crt for authentication to work properly? At this time I use a CA.

Thanks,

Renato A. Ferreira

----- Original Message -----
From: "David Schwartz" <[EMAIL PROTECTED]>
To: <openssl-users@openssl.org>
Sent: Wednesday, June 25, 2008 12:09 AM
Subject: RE: Generating keys to be used in a specific implementation



I have a desktop/server agent that listens for TCP connections to
process some information. And now I'm trying to implement privacy
and authentication in this application, to ensure that only my
trusted application interacts with these TCP agents.

Another problem is that I'm not sure if it really needs a
self-signed certificate to authenticate the clients in a scenario
where a method with a fixed pair of private keys is already implemented.

Could someone help me with this objective?
Examples, articles and documentation will be appreciated.

Since you have complete control over both ends (right?) then you can just
generate keys and certificates following any web page and then hard code
each side to check for the key it's expecting from the other side.

You can generate a key with 'openssl genrsa -out key.pem 1024'. You can
generate a self-signed certificate by following the instructions:
http://www.akadia.com/services/ssh_test_certificate.html
http://sial.org/howto/openssl/self-signed/

If you are 100% sure both ends will always be trusted, you can simply
include the server certificate, client certificate, and client key in the
client. You include the client certificate, client key, and server
certificate in the server. Then just confirm that the other side is using
the proper certificate.

Note that this means compromising one client compromises them all.

It's more complex, but arguably, the right approach is to create your own
CA. Issue a client to the server with a common name the clients check for.
Issue each client its own certificate for a different key with a different
common name. This will mean that compromising one client doesn't compromise
them all and will also allow the server to securely determine what client
it's talking to.

This will also require less specialized coding, since you can simply hard
code the CA's certificate in the client and server, and then they don't need
any special code to recognize the clients -- just tell OpenSSL that our CA
certificate is the only CA.

If you choose to go that way:
http://www.octaldream.com/~scottm/talks/ssl/opensslca.html
http://sial.org/howto/openssl/ca/

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
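
The CA layout described in the reply above (one private CA, a server certificate, and a separate key and certificate per client), sketched with the openssl command line. This is an added example, not part of the original thread; all file names and common names (Demo Agent CA, agent-server, client-01, ...) are constructed, and it uses 2048-bit keys where the thread mentions 1024.

```shell
#!/bin/sh
# Added example: every name below is constructed for illustration.
# 2048-bit keys are an assumption; current OpenSSL builds may reject 1024-bit RSA.

# new_ca <prefix> <CN>: self-signed CA certificate <prefix>.crt with key <prefix>.key
new_ca() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1.key" -subj "/CN=$2" -days 365 -out "$1.crt"
}

# issue <ca-prefix> <name>: own key plus a certificate with CN=<name>, signed by that CA
issue() {
    openssl genrsa -out "$2.key" 2048 2>/dev/null &&
    openssl req -new -key "$2.key" -subj "/CN=$2" -out "$2.csr" &&
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 365 -out "$2.crt" 2>/dev/null
}

# build_pki <dir>: our CA, one server cert, two client certs, and a cert from a foreign CA
build_pki() (
    cd "$1" || exit 1
    new_ca ca "Demo Agent CA" && new_ca other "Unrelated CA" &&
    issue ca agent-server && issue ca client-01 && issue ca client-02 &&
    issue other client-99
)

# chains_to_ca <dir> <name>: succeeds if <name>.crt verifies against ca.crt
chains_to_ca() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; }

# cn_of <dir> <name>: print the common name the peer would be identified by
cn_of() { openssl x509 -noout -subject -in "$1/$2.crt" | sed 's/.*CN *= *//'; }

PKI=$(mktemp -d)
build_pki "$PKI" || exit 1
for name in agent-server client-01 client-02 client-99; do
    if chains_to_ca "$PKI" "$name"; then
        echo "$name: accepted, identified as CN=$(cn_of "$PKI" "$name")"
    else
        echo "$name: rejected, not issued by our CA"
    fi
done
```

On the server, ca.crt is what gets loaded as the trusted CA when client certificates are required; each client holds only its own key and certificate plus ca.crt.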