Re: Public encryption and showing certificate to the server

2007-09-17 Thread Victor Duchovni
On Mon, Sep 17, 2007 at 05:43:16AM -0700, avizel wrote:

 
 Our server application expects connecting clients to show their
 certificate, so it can check their CN and OU and decide what permissions to
 allow for that client.
 
 I generated a client certificate and embedded encrypted private key in it.
 Everything works.
 
 But now I want to avoid using the client's private key, to avoid the hassle
 of managing the private key and storing passwords for it. It seems that
 public encryption is the way to go. (Sorry, I'm still very confused about
 the terminology.)
 
 I generated a client certificate without a private key in it and no longer
 call the following functions, which I had before:
 SSL_CTX_set_default_passwd_cb(...);
 SSL_CTX_use_PrivateKey_file(...);
 
 But now SSL_connect fails returning -1 and SSL_get_error doesn't give me a
 clue. What am I doing wrong?
 
 Is it possible to achieve?  

No, TLS clients don't just present client certs, they sign the handshake
with the corresponding private key. It is not possible or useful to accept
public key certs without proof that the peer holds the corresponding private
key.

-- 
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: Public encryption and showing certificate to the server

2007-09-17 Thread David Schwartz

 Our server application expects connecting clients to show their
 certificate, so it can check their CN and OU and decide what permissions to
 allow for that client.

 I generated a client certificate and embedded encrypted private key in it.
 Everything works.

Great.

 But now I want to avoid using the client's private key, to avoid the hassle
 of managing the private key and storing passwords for it. It seems that
 public encryption is the way to go. (Sorry, I'm still very confused about
 the terminology.)

How would that possibly work? If there is nothing that the client knows that
nobody else knows, how do you expect it to prove its identity?

Public encryption means the *server* does not need the client's private key
to verify that the client knows the private key. If the client doesn't know
its own private key, the certificate does no good.

 I generated a client certificate without a private key in it and no longer
 call the following functions, which I had before:
 SSL_CTX_set_default_passwd_cb(...);
 SSL_CTX_use_PrivateKey_file(...);

 But now SSL_connect fails returning -1 and SSL_get_error doesn't give me a
 clue. What am I doing wrong?

 Is it possible to achieve?

If the client does not have the private key corresponding to the public key
in the certificate, how can it prove the certificate is for it rather than
someone else?

How do you imagine this is supposed to work?

DS

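As an added illustration of the point both replies make (example code written for this page, not from the thread, the poster, or OpenSSL): a toy model of TLS client authentication. The server checks the CA signature on the client's certificate, then demands a signature over the handshake transcript (the CertificateVerify step) and verifies it with the public key inside that certificate. Assumptions: textbook RSA with raw, unpadded signatures and 512-bit keys stands in for real TLS signature schemes; the Certificate class, the (CN, OU) permission table and the "batch-uploader" identity are constructed for the example.

```python
import hashlib
import random
from dataclasses import dataclass

_rng = random.SystemRandom()

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test (toy key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 512):
    """Return ((n, e), d): a toy RSA public key and private exponent."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), pow(e, -1, phi)

def _digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private_d: int, public_key, message: bytes) -> int:
    """Raw RSA signature over SHA-256(message); toy only, no padding."""
    return pow(_digest_int(message), private_d, public_key[0])

def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message)

@dataclass(frozen=True)
class Certificate:
    cn: str
    ou: str
    public_key: tuple   # subject's public key, carried in the certificate
    ca_signature: int   # issuing CA's signature over tbs()

    def tbs(self) -> bytes:
        """The to-be-signed fields: identity plus public key."""
        return f"CN={self.cn};OU={self.ou};key={self.public_key}".encode()

def issue_certificate(ca_priv, ca_pub, cn, ou, subject_pub) -> Certificate:
    tbs = Certificate(cn, ou, subject_pub, 0).tbs()
    return Certificate(cn, ou, subject_pub, sign(ca_priv, ca_pub, tbs))

# Constructed permission table keyed on (CN, OU), like the server in the thread.
PERMISSIONS = {("batch-uploader", "Operations"): "write"}

def transcript_hash(*messages: bytes) -> bytes:
    """Stand-in for the TLS handshake transcript hash the client signs."""
    return hashlib.sha256(b"".join(messages)).digest()

def server_authorize(ca_pub, cert, transcript, certificate_verify, require_proof=True):
    """Permission for this client, or None if authentication fails."""
    # require_proof=False models the certificate-only server the poster asked
    # for: CA signature checked, but no signature from the client's key demanded.
    if not verify(ca_pub, cert.tbs(), cert.ca_signature):
        return None  # not issued by our CA
    if require_proof and (certificate_verify is None
                          or not verify(cert.public_key, transcript, certificate_verify)):
        return None  # no proof that the peer holds the private key
    return PERMISSIONS.get((cert.cn, cert.ou))

def demo():
    ca_pub, ca_priv = generate_keypair()
    client_pub, client_priv = generate_keypair()
    cert = issue_certificate(ca_priv, ca_pub, "batch-uploader", "Operations", client_pub)
    transcript = transcript_hash(b"ClientHello", b"ServerHello", b"Certificate")
    # Legitimate client: signs the transcript with its own private key.
    honest = server_authorize(ca_pub, cert, transcript, sign(client_priv, client_pub, transcript))
    # Impostor: has a copy of the (public) certificate but not the private key,
    # so the best it can do is sign with some other key it does hold.
    other_pub, other_priv = generate_keypair()
    impostor = server_authorize(ca_pub, cert, transcript, sign(other_priv, other_pub, transcript))
    # The certificate-only server grants the impostor the same CN/OU permissions.
    naive = server_authorize(ca_pub, cert, transcript, None, require_proof=False)
    return honest, impostor, naive
```

Calling demo() returns ('write', None, 'write'): the honest client is authorized, the impostor who holds only the certificate is rejected, and the certificate-only server the poster wanted grants the impostor "write" as well. In OpenSSL terms the client side still needs SSL_CTX_use_certificate_file together with SSL_CTX_use_PrivateKey_file (SSL_CTX_check_private_key confirms that the two match), which is consistent with SSL_connect failing once the private-key calls were removed.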