On 8/27/2012 3:46 PM, Charles Mills wrote:

I'm just trying to understand the SSL protocol -- this is not an alleged bug
or an "issue."

In OpenSSL s_client, or for that matter, in my client test program, an
attempt to use a *client* certificate fails unless I also specify -key or
call SSL_CTX_use_PrivateKey_file().

Why? What role does the private key play with a *client* certificate? My
understanding -- admittedly perhaps flawed -- is that the role of a client
certificate is solely to authenticate the client. Isn't that role complete
with just a CA-signed certificate? There's no encryption based on the client
certificate, right? So what role does the key play? If none, why does
OpenSSL fail without it?


Basic principle: A certificate is not secret, it is a public statement
by a CA that a public key matches a private key belonging to a certain
person or other entity.

So just sending the client *certificate* to the server would prove
nothing and is not useful as authentication.  Just as handing someone
a (paper) business card doesn't prove it is *your* business card.

Signing some part of the SSL exchange with the client's private key and
sending along the certificate to tell the server what the public key is
and as proof of what identity is proven by the signature does prove a
lot.  So that is what SSL does.  And that is why an SSL client needs
the private key of the client certificate (if any).

Enjoy

Jakob

--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
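The check Jakob describes (the server validates the certificate against the CA, then verifies a signature over part of the handshake using the public key inside that certificate; in a real handshake this is the CertificateVerify message), as an added example that is not part of the thread. It assumes the `openssl` command-line tool is installed, builds a throwaway CA and client certificate in a temporary directory, and uses a constructed string in place of the handshake transcript. A party that holds only the certificate (and therefore has to sign with some other key) fails the second step, which is the reason s_client insists on `-key`.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway PKI: a CA, a client certificate issued by it, and an unrelated
# "impostor" key that has no certificate of its own.
make_pki() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$WORK/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -subj "/CN=Example Test CA" \
      -days 1 -out "$WORK/ca.crt" 2>/dev/null

  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$WORK/client.key" 2>/dev/null
  openssl req -new -key "$WORK/client.key" -subj "/CN=client" \
      -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
      -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
      -out "$WORK/client.crt" 2>/dev/null

  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$WORK/impostor.key" 2>/dev/null

  # Constructed stand-in for the handshake transcript the client must sign.
  printf 'constructed handshake transcript: ClientHello..ServerHelloDone\n' \
      > "$WORK/transcript"
}

# Client side: sign the transcript with a private key.
#   $1 = private key, $2 = transcript file, $3 = output signature file
client_sign() {
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Server side: (1) the certificate must chain to a trusted CA, and
# (2) the signature must verify under the public key in that certificate.
#   $1 = certificate, $2 = signature file, $3 = transcript file
server_verify() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -pubkey -noout > "$WORK/peer_pub.pem" 2>/dev/null
  openssl dgst -sha256 -verify "$WORK/peer_pub.pem" \
      -signature "$2" "$3" >/dev/null 2>&1
}

# Genuine client: certificate plus the matching private key. Returns 0.
genuine_client_passes() {
  client_sign "$WORK/client.key" "$WORK/transcript" "$WORK/sig.good"
  server_verify "$WORK/client.crt" "$WORK/sig.good" "$WORK/transcript"
}

# Certificate alone: the certificate is public, so anyone can present it,
# but the only signature they can produce is under a different key.
# Returns 0 when the server correctly rejects that signature.
certificate_only_fails() {
  client_sign "$WORK/impostor.key" "$WORK/transcript" "$WORK/sig.bad"
  if server_verify "$WORK/client.crt" "$WORK/sig.bad" "$WORK/transcript"; then
    return 1
  fi
  return 0
}

make_pki

if genuine_client_passes; then
  echo "certificate + matching private key: accepted"
fi
if certificate_only_fails; then
  echo "certificate without its private key: rejected"
fi
```

The first step alone (`openssl verify`) passes for both parties, because a certificate is public data; only the signature check ties the presenter to the identity the CA vouched for.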
