[openssl-users] Openssl backend for glib

Ignacio Casal ignacio.casal at nice-software.com
Tue Aug 25 09:53:48 UTC 2015


So I did a bit more research on this issue. The certificate seems to be
loaded and sent to the server.
But then the server fails to verify that certificate since it does not have
the ca-list that was loaded for the client.
The error that I get server side is
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
Any idea how to deal with this issue?

Should I try to skip this kind of verification server side?

Regards

On Mon, Aug 24, 2015 at 2:41 PM, Ignacio Casal <
ignacio.casal at nice-software.com> wrote:

> Hey guys,
>
> I am currently working on an openssl backend for glib and I got to a point
> where I am blocked and maybe you can help me understand what I am doing
> wrong.
>
> First of all the source code can be found here:
> https://github.com/nice-software/glib-networking/tree/wip/openssl
>
> The problem is the following: in one of our unit tests we require a specific
> authentication, meaning that I end up calling SSL_set_verify, as you can see
> here:
> https://github.com/nice-software/glib-networking/blob/wip/openssl/tls/openssl/gtlsserverconnection-openssl.c#L127
>
> This should make the server require the client to send the certificate but
> for some reason this certificate is never sent and I end up having an error
> when handshaking.
>
> I was reading that I can just simply set the certificate callback as I do
> here:
> https://github.com/nice-software/glib-networking/blob/wip/openssl/tls/openssl/gtlsclientconnection-openssl.c#L437
>
> This callback gets called and I set the certificate but adding some
> debugging on openssl's code I see I keep getting that the server does not
> get the certificate.
>
> Here is an extract of the printfs I added to the openssl code. Any ideas?
>
> server, accept
> server, get client hello: 1
> server, send server hello: 1
> server, send server cert: 1
> server, send cert request: 1
> connect1
> get server hello: 1
> get key exchange: 1
> get cert request: 1
> get server done: 1
> do client cert cb: 1
> do client cert cb2: 1
> do client cert cb4: 1
> do client cert cb do write
> send client cert: 1
> send client key exchange: 1
> send client verify: 1
> change cipher spec: 1
> send finished: 1
> server, check client hello: 1
> server, get client cert: -1
> server, accept2: -1
> finish not ok
> get finsihed: 0
> connect2: 0
>
>
> Cheers.
>
>
> --
> Ignacio Casal Quinteiro
>



-- 
Ignacio Casal Quinteiro