Re: ssl3_get_client_certificate: no certificate returned

2011-11-16 Thread Tobias Nissen
Dr. Stephen Henson wrote:
> On Tue, Nov 15, 2011, Tobias Nissen wrote:
> > Dr. Stephen Henson wrote:
> > > On Tue, Nov 15, 2011, Tobias Nissen wrote:
> > > > I'm indirectly using OpenSSL through Net::SSLeay¹, which I use
> > > > through AnyEvent::TLS². AnyEvent::TLS provides the means to
> > > > define a custom verification mechanism by setting verify_cb³.
> > > > Here's an example (keys included):
> > > >
> > > >   http://paste.scsys.co.uk/159837
> > > >
> > > > If the custom verification callback decides a peer is bad, it
> > > > shall return 0 and return 1 otherwise. If 0 is returned, this
> > > > warning is produced:
> > > >
> > > >   ssl3_get_client_certificate: no certificate returned
[...]
> > > The warning isn't printed by OpenSSL it is an error code. So
> > > perhaps the wrapper is printing the error?
> >
> > I didn't find it in either of the wrapper modules, but I did in
> > OpenSSL:
> >
> >   tobi@hal:~/src/openssl-1.0.0e$ rgrep no certificate returned *
> >   doc/ssleay.txt:Error because no certificate returned.
> >   ssl/ssl_err.c:{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),no certificate returned},
>
> Yes but that's a textual version of the error. OpenSSL does not print
> it out: an application call is needed to do that.

Ah OK. However, I checked with AnyEvent::TLS and Net::SSLeay; neither
of those seems to emit this error message. SSLeay, which is what
AnyEvent::TLS uses, imports a lot of OpenSSL macros, but not
SSL_R_NO_CERTIFICATE_RETURNED. My guess is that the error is put there
by ssl/s3_srvr.c (line 2990, version 1.0.0e) and printed out by SSLeay.

Can you confirm this? If that's the case, I'd like to know how this
warning is produced. AFAICS my custom verification callback breaks
the verification chain, because of

  ssl_verify_cert_chain(s,sk) = 0

I still don't quite understand the meaning of the warning message.
Can/should I just live with it or does it indicate a bug (in either
OpenSSL, Net::SSLeay or AnyEvent::TLS)?




Re: ssl3_get_client_certificate: no certificate returned

2011-11-16 Thread Tobias Nissen
Dr. Stephen Henson wrote:
> On Tue, Nov 15, 2011, Tobias Nissen wrote:
> > Dr. Stephen Henson wrote:
> > > On Tue, Nov 15, 2011, Tobias Nissen wrote:
> > > > I'm indirectly using OpenSSL through Net::SSLeay¹, which I use
> > > > through AnyEvent::TLS². AnyEvent::TLS provides the means to
> > > > define a custom verification mechanism by setting verify_cb³.
> > > > Here's an example (keys included):
> > > >
> > > >   http://paste.scsys.co.uk/159837
> > > >
> > > > If the custom verification callback decides a peer is bad, it
> > > > shall return 0 and return 1 otherwise. If 0 is returned, this
> > > > warning is produced:
> > > >
> > > >   ssl3_get_client_certificate: no certificate returned
[...]
> > > The warning isn't printed by OpenSSL it is an error code. So
> > > perhaps the wrapper is printing the error?
> >
> > I didn't find it in either of the wrapper modules, but I did in
> > OpenSSL:
> >
> >   tobi@hal:~/src/openssl-1.0.0e$ rgrep no certificate returned *
> >   doc/ssleay.txt:Error because no certificate returned.
> >   ssl/ssl_err.c:{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),no certificate returned},
>
> Yes but that's a textual version of the error. OpenSSL does not print
> it out: an application call is needed to do that.

Ah OK. However, I checked with AnyEvent::TLS and Net::SSLeay; neither
of those seems to emit this error message. SSLeay, which is what
AnyEvent::TLS uses, imports a lot of OpenSSL macros, but not
SSL_R_NO_CERTIFICATE_RETURNED. My guess is that the error is put there
by ssl/s3_srvr.c (line 2990, version 1.0.0e) and printed out by SSLeay.

Can you confirm this? If that's the case, I'd like to know how this
warning is produced. AFAICS my custom verification callback breaks
the verification chain, because of

  ssl_verify_cert_chain(s,sk) = 0

I still don't quite understand the meaning of the warning message. Can
I just live with it or does it indicate a bug (in either OpenSSL,
Net::SSLeay or AnyEvent::TLS)?
__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


ssl3_get_client_certificate: no certificate returned

2011-11-15 Thread Tobias Nissen
Hi,

I'm indirectly using OpenSSL through Net::SSLeay¹, which I use through
AnyEvent::TLS². AnyEvent::TLS provides the means to define a custom
verification mechanism by setting verify_cb³. Here's an example (keys
included):

  http://paste.scsys.co.uk/159837

If the custom verification callback decides a peer is bad, it shall
return 0 and return 1 otherwise. If 0 is returned, this warning is
produced:

  ssl3_get_client_certificate: no certificate returned

It's only a warning which does not seem to impair functionality; no
warning is printed if 1 is returned.

I've already asked on the AnyEvent mailing list⁴, but the author of
AnyEvent::TLS couldn't really nail it down either. Can you help me?
Why is this warning printed and what could be done to eliminate the
problem?

TIA,
Tobias

¹ http://search.cpan.org/~mikem/Net-SSLeay-1.42/lib/Net/SSLeay.pm
² http://search.cpan.org/~mlehmann/AnyEvent-6.1/lib/AnyEvent/TLS.pm
  which I use through AnyEvent::MPRPC, but that shouldn't matter :-)
³ http://search.cpan.org/~mlehmann/AnyEvent-6.1/lib/AnyEvent/TLS.pm#verify_cb
⁴ http://lists.schmorp.de/pipermail/anyevent/2011q4/000203.html




Re: ssl3_get_client_certificate: no certificate returned

2011-11-15 Thread Dr. Stephen Henson
On Tue, Nov 15, 2011, Tobias Nissen wrote:

> Hi,
>
> I'm indirectly using OpenSSL through Net::SSLeay¹, which I use through
> AnyEvent::TLS². AnyEvent::TLS provides the means to define a custom
> verification mechanism by setting verify_cb³. Here's an example (keys
> included):
>
>   http://paste.scsys.co.uk/159837
>
> If the custom verification callback decides a peer is bad, it shall
> return 0 and return 1 otherwise. If 0 is returned, this warning is
> produced:
>
>   ssl3_get_client_certificate: no certificate returned
>
> It's only a warning which does not seem to impair functionality; no
> warning is printed if 1 is returned.
>
> I've already asked on the AnyEvent mailing list⁴, but the author of
> AnyEvent::TLS couldn't really nail it down either. Can you help me?
> Why is this warning printed and what could be done to eliminate the
> problem?

The warning isn't printed by OpenSSL; it is an error code. So perhaps the
wrapper is printing the error?

I don't know about that wrapper, but you should set a verify return code using
SSL_set_verify_result(), and if you want it to fail if no certificate is
returned you should also include the flag SSL_VERIFY_FAIL_IF_NO_PEER_CERT.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: ssl3_get_client_certificate: no certificate returned

2011-11-15 Thread Tobias Nissen
Dr. Stephen Henson wrote:
> On Tue, Nov 15, 2011, Tobias Nissen wrote:
> > I'm indirectly using OpenSSL through Net::SSLeay¹, which I use
> > through AnyEvent::TLS². AnyEvent::TLS provides the means to define
> > a custom verification mechanism by setting verify_cb³. Here's an
> > example (keys included):
> >
> >   http://paste.scsys.co.uk/159837
> >
> > If the custom verification callback decides a peer is bad, it shall
> > return 0 and return 1 otherwise. If 0 is returned, this warning is
> > produced:
> >
> >   ssl3_get_client_certificate: no certificate returned
> >
> > It's only a warning which does not seem to impair functionality; no
> > warning is printed if 1 is returned.
> >
> > I've already asked on the AnyEvent mailing list⁴, but the author
> > of AnyEvent::TLS couldn't really nail it down either. Can you help
> > me? Why is this warning printed and what could be done to eliminate
> > the problem?
>
> The warning isn't printed by OpenSSL it is an error code. So perhaps
> the wrapper is printing the error?

I didn't find it in either of the wrapper modules, but I did in OpenSSL:

  tobi@hal:~/src/openssl-1.0.0e$ rgrep no certificate returned *
  doc/ssleay.txt:Error because no certificate returned.
  ssl/ssl_err.c:{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),no certificate returned},




Re: ssl3_get_client_certificate: no certificate returned

2011-11-15 Thread Dr. Stephen Henson
On Tue, Nov 15, 2011, Tobias Nissen wrote:

> Dr. Stephen Henson wrote:
> > On Tue, Nov 15, 2011, Tobias Nissen wrote:
> > > I'm indirectly using OpenSSL through Net::SSLeay¹, which I use
> > > through AnyEvent::TLS². AnyEvent::TLS provides the means to define
> > > a custom verification mechanism by setting verify_cb³. Here's an
> > > example (keys included):
> > >
> > >   http://paste.scsys.co.uk/159837
> > >
> > > If the custom verification callback decides a peer is bad, it shall
> > > return 0 and return 1 otherwise. If 0 is returned, this warning is
> > > produced:
> > >
> > >   ssl3_get_client_certificate: no certificate returned
> > >
> > > It's only a warning which does not seem to impair functionality; no
> > > warning is printed if 1 is returned.
> > >
> > > I've already asked on the AnyEvent mailing list⁴, but the author
> > > of AnyEvent::TLS couldn't really nail it down either. Can you help
> > > me? Why is this warning printed and what could be done to eliminate
> > > the problem?
> >
> > The warning isn't printed by OpenSSL it is an error code. So perhaps
> > the wrapper is printing the error?
>
> I didn't find it in either of the wrapper modules, but I did in OpenSSL:
>
>   tobi@hal:~/src/openssl-1.0.0e$ rgrep no certificate returned *
>   doc/ssleay.txt:Error because no certificate returned.
>   ssl/ssl_err.c:{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),no certificate returned},

Yes but that's a textual version of the error. OpenSSL does not print it out:
an application call is needed to do that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
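
The distinction drawn in the reply above, between the error code OpenSSL queues and the textual version an application prints, can be made concrete with a small log decoder. This is an added example, not code from the thread, OpenSSL, Net::SSLeay or AnyEvent; it assumes the OpenSSL 1.0.x ERR_PACK bit layout, and the function names and sample strings are constructed for illustration.

```python
import re

# ERR_PACK() layout in OpenSSL 1.0.x <openssl/err.h> (assumed here; it
# changed in 3.0): 8 bits library | 12 bits function | 12 bits reason.
ERR_LIB_NAMES = {20: "SSL routines"}  # ERR_LIB_SSL, the only one needed here

# ERR_error_string() output: error:[hex code]:[library]:[function]:[reason]
ERR_LINE = re.compile(r"error:([0-9A-Fa-f]{1,8}):([^:]*):([^:]*):(.*)")


def unpack_code(code):
    """Split a packed code the way ERR_GET_LIB/FUNC/REASON do."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_error_string(line):
    """Return numeric and textual fields of one ERR_error_string() line.

    Returns None for anything else, e.g. the short "function: reason"
    form quoted in the thread, which no longer carries the code.
    """
    m = ERR_LINE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = unpack_code(code)
    return {
        "code": code, "lib": lib, "func": func, "reason": reason,
        "lib_text": m.group(2),
        "func_text": m.group(3),
        "reason_text": m.group(4).strip(),
        # The text is a table lookup keyed by the code: flag a line whose
        # library name disagrees with the library number in its code.
        "consistent": ERR_LIB_NAMES.get(lib) == m.group(2),
    }


# Constructed sample inputs (not taken from the thread's systems).
SAMPLE_FULL = ("error:140890B2:SSL routines:"
               "SSL3_GET_CLIENT_CERTIFICATE:no certificate returned")
SAMPLE_SHORT = "ssl3_get_client_certificate: no certificate returned"

if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_SHORT):
        print(sample, "->", parse_error_string(sample))
```
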