Re: Client -server certificate validation

2000-12-08 Thread Sudeep Sudhakaran

Hi,

I have seen a lot of postings on client certificate validation, but no clean 
answer on client authentication. I see a reply, and finally the poster 
replies saying it doesn't work. It seems a lot of people have problems with 
this and never got a perfect answer.


I'd like to implement mutual certificate authentication. I used the sample 
code in all the postings.
Whenever I do a get_peer_certificate function on the server side, it returns 
NULL. Being the prime contact person on this list, could you please help me 
set up a sample client program which presents a certificate to the server so 
that get_peer_certificate won't return NULL and I can do the verify on the 
certificate.



Sudeep






From: Lutz Jaenicke [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Client -server certificate validation
Date: Thu, 7 Dec 2000 23:23:17 +0100

On Thu, Dec 07, 2000 at 04:34:43PM -0500, Sudeep Sudhakaran wrote:
  I am trying to run s_server.c and s_client.c.  I am trying to include two
  way certificate verification.
 
  Whenever I do a peer=SSL_get_peer_certificate(con); on the server side it
  always returns null. I am specifying a client certificate on the s_client.c
 
  I am not that used to this certificate stuff. So I picked up the client.pem
  /server.pem which come with the apps samples for client/server.
 
  I tried searching for
  SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) and I can't find what is
  CAfile and CApath. Is there something I should specify here..

Please check out the latest state of the documentation available at
www.openssl.org. There are several links at the bottom of ssl(3).
Please check especially SSL_CTX_set_verify(3) and
SSL_CTX_load_verify_locations(3).

If this is not enough, check out the mailing list archive and search for
SSL_VERIFY_PEER client certificate. You will see that this topic has
been discussed several times in the past.

Best regards,
   Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]




Re: Client -server certificate validation

2000-12-08 Thread Lutz Jaenicke

On Fri, Dec 08, 2000 at 11:14:07AM -0500, Sudeep Sudhakaran wrote:
 Hi,
 
 I have seen a lot of postings on client certificate validation, but no clean 
 answer on client authentication. I see a reply, and finally the poster 
 replies saying it doesn't work. It seems a lot of people have problems with 
 this and never got a perfect answer.
 
 
 I'd like to implement mutual certificate authentication. I used the sample 
 code in all the postings.
 Whenever I do a get_peer_certificate function on the server side, it returns 
 NULL. Being the prime contact person on this list, could you please help me 
 set up a sample client program which presents a certificate to the server so 
 that get_peer_certificate won't return NULL and I can do the verify on the 
 certificate.

First step is to understand the TLS protocol. The client will present
a certificate if and only if explicitly asked by the server.
Hence it is mandatory to use the SSL_CTX_set_verify() command in the
server software:
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, callback_function);
(More details to be found in the manual page for SSL_CTX_set_verify().)

If this flag is being set, an OpenSSL client doing SSL_connect() will send
its certificate (provided certificate and private key have been installed
successfully) to the server.
(More details: the server will send a list of CAs of which it will accept
client certificates; OpenSSL clients tend to ignore this list and send
the certificate they have, matching the CA or not. To use this CA list
feature, please check out the manual pages for SSL_CTX_load_verify_locations()
and SSL_CTX_set_client_CA_list().)

If you don't have these manual pages available, the latest state can always
be accessed in the documentation section at www.openssl.org.

The s_server and s_client applications as part of the OpenSSL package
successfully use certificates.
I am successfully using certificates with my Postfix/TLS patchkit (SMTP with
TLS enhancement for the postfix email-software), which is available from
my homepage. I can 100% assure you that it works!

Best regards,
Lutz
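The behaviour Lutz describes in the reply above (the client only offers its certificate when the server's verify mode asks for it, so SSL_get_peer_certificate() is NULL otherwise), shown as an added example that is not code from the thread, from the poster, or from the OpenSSL project. It uses Python's standard-library ssl module, which wraps the same OpenSSL calls (SSL_CTX_set_verify, SSL_CTX_load_verify_locations, SSL_get_peer_certificate), and builds a throwaway test PKI with the openssl command-line tool in a temporary directory. Everything about that PKI is constructed here: the CA name "Demo Test CA", the server name "localhost", the client identity "alice" and the address alice@example.test are assumptions, and the example assumes an openssl binary on PATH and a working loopback interface.

```python
"""Mutual TLS on loopback: what the server sees under each verify mode.
Added example; not code from the thread or from OpenSSL. The test PKI below
(CA "Demo Test CA", server "localhost", client "alice") is constructed here and
assumes the openssl CLI is available."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def run(*args):
    subprocess.run(args, check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_test_pki(d):
    """Constructed PKI: one self-signed CA issues a server cert and a client cert."""
    ca_key, ca_pem = os.path.join(d, "ca.key"), os.path.join(d, "ca.pem")
    run("openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
        "-subj", "/CN=Demo Test CA", "-keyout", ca_key, "-out", ca_pem)

    def leaf(name, cn, san):
        key, csr, pem, ext = (os.path.join(d, name + e) for e in (".key", ".csr", ".pem", ".ext"))
        run("openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
            "-subj", "/CN=" + cn, "-keyout", key, "-out", csr)
        with open(ext, "w") as f:  # SAN so the client can verify the server as "localhost"
            f.write("subjectAltName=" + san + "\n")
        run("openssl", "x509", "-req", "-days", "1", "-in", csr, "-CA", ca_pem,
            "-CAkey", ca_key, "-CAcreateserial", "-extfile", ext, "-out", pem)
        return pem, key

    return (ca_pem, leaf("server", "localhost", "DNS:localhost"),
            leaf("client", "alice", "email:alice@example.test"))


def serve_once(listener, ca_pem, server_id, verify_mode, result):
    """Server side. verify_mode maps onto SSL_CTX_set_verify():
    CERT_NONE     -> SSL_VERIFY_NONE: no CertificateRequest is sent, so the client
                     never offers its cert and getpeercert() is None
    CERT_OPTIONAL -> SSL_VERIFY_PEER: asks, but accepts a client without a cert
    CERT_REQUIRED -> SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(*server_id)
    ctx.load_verify_locations(ca_pem)  # SSL_CTX_load_verify_locations(): CA that issued client certs
    ctx.verify_mode = verify_mode
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:  # handshake runs here
            peer = tls.getpeercert()  # SSL_get_peer_certificate(); None when no cert arrived
            result["peer_cn"] = (dict(rdn for part in peer["subject"] for rdn in part)["commonName"]
                                 if peer else None)
            tls.sendall(b"ok")
    except OSError as e:  # ssl.SSLError, e.g. PEER_DID_NOT_RETURN_A_CERTIFICATE
        result["error"] = getattr(e, "reason", None) or type(e).__name__
    finally:
        conn.close()


def connect(port, ca_pem, client_id=None):
    """Client side. PROTOCOL_TLS_CLIENT verifies the server and its hostname by
    default; loading a cert/key is what lets it answer a CertificateRequest."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(ca_pem)
    if client_id:
        ctx.load_cert_chain(*client_id)  # SSL_CTX_use_certificate_file / SSL_CTX_use_PrivateKey_file
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            return tls.recv(2)
    except OSError:  # handshake failure or a fatal alert from the server
        return b""


def handshake(ca_pem, server_id, verify_mode, client_id):
    """One loopback exchange; returns what the server saw plus the client's reply."""
    listener = socket.socket()
    listener.settimeout(10)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    result = {}
    t = threading.Thread(target=serve_once, args=(listener, ca_pem, server_id, verify_mode, result))
    t.start()
    result["client_got"] = connect(listener.getsockname()[1], ca_pem, client_id)
    t.join()
    listener.close()
    return result


def demo():
    """Three runs mirroring the thread: the server never asks (peer cert is None even
    though the client holds one); the server asks and sees 'alice'; the server
    requires a cert and the client has none (the handshake fails)."""
    with tempfile.TemporaryDirectory() as d:
        ca_pem, server_id, client_id = make_test_pki(d)
        return (handshake(ca_pem, server_id, ssl.CERT_NONE, client_id),
                handshake(ca_pem, server_id, ssl.CERT_REQUIRED, client_id),
                handshake(ca_pem, server_id, ssl.CERT_REQUIRED, None))


if __name__ == "__main__":
    for label, r in zip(("never asked", "required, cert given", "required, no cert"), demo()):
        print(label, r)
```

The first run is the poster's situation: the client has a certificate and key loaded, yet the server's peer certificate is None because SSL_VERIFY_NONE never sends a CertificateRequest. Note also that Python's load_verify_locations() only fills the trust store and does not call SSL_CTX_set_client_CA_list(), so the CertificateRequest in the second run carries an empty CA list and the client sends its certificate anyway, which is the client behaviour the reply describes; in C, SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cafile)) is the call that advertises the accepted CAs.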