mutual-TLS / mTLS Example with certificate problem

Andreas Tengicki tengicki at autopoll.de
Wed May 6 18:44:57 UTC 2020


Hello,

I cannot find a working mutual-TLS server/client example on GitHub or
anywhere else on the internet, only some examples of pieces of code.
Communication via socket without and with encryption (OpenSSL) is
working, but with mTLS it is not. I believe that I understand mTLS in
theory, but in practice it will not work.

The whole (small) project is here:
https://github.com/deckard-rick/mTLS-example

Server Side
=========

I initialize the SSL context without errors with (sample; error handling
is not in this email):

    SSL_CTX_set_ecdh_auto(srvCtx->ctx, 1);
    /* the verify modes are bit flags and are combined with |, not a logical or */
    SSL_CTX_set_verify(srvCtx->ctx,
                       SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
    SSL_CTX_load_verify_locations(srvCtx->ctx, NULL, "../certs"); //????
    SSL_CTX_use_certificate_chain_file(srvCtx->ctx, "../certs/server/ca.crt");
    SSL_CTX_use_certificate_file(srvCtx->ctx, "../certs/server/server.crt",
                                 SSL_FILETYPE_PEM);
    SSL_CTX_use_PrivateKey_file(srvCtx->ctx, "../certs/server/server.key",
                                SSL_FILETYPE_PEM);
    SSL_CTX_check_private_key(srvCtx->ctx);

The certificates are:

ca.crt:
    Version: 3 (0x2)
    Serial Number:
        5a:fc:74:e6:28:28:0e:df:5b:7a:50:9e:a8:18:e6:04:42:f0:fd:8d
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA
    Validity
        Not Before: May  6 09:21:23 2020 GMT
        Not After : May  6 09:21:23 2022 GMT
    Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA

server.crt:
    Version: 1 (0x0)
    Serial Number:
        5f:6f:44:b5:27:47:f2:d2:fe:2b:21:5b:38:7d:e5:f6:e5:d9:c1:23
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA
    Validity
        Not Before: May  6 09:30:23 2020 GMT
        Not After : May  6 09:30:23 2021 GMT
    Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = debiandevdesktop01.sdctec.lokal

debiandevdesktop01.sdctec.lokal is the FQDN of the development server.

Client Side
=========

    SSL_CTX_set_ecdh_auto(ctx, 1);
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
    SSL_CTX_use_certificate_chain_file(ctx, "../certs/client/ca.crt");
    SSL_CTX_use_certificate_file(ctx, "../certs/client/client.crt",
                                 SSL_FILETYPE_PEM);
    SSL_CTX_use_PrivateKey_file(ctx, "../certs/client/client.key",
                                SSL_FILETYPE_PEM);

ca.crt:  (see server)

client.crt:
    Version: 1 (0x0)
    Serial Number:
        5f:6f:44:b5:27:47:f2:d2:fe:2b:21:5b:38:7d:e5:f6:e5:d9:c1:24
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA
    Validity
        Not Before: May  6 09:35:51 2020 GMT
        Not After : May  6 09:35:51 2021 GMT
    Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = CLIENT001

Error:
=====

When the client connects to the server, there are the following errors:

server:
139918902234240:error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify
failed:../ssl/statem/statem_clnt.c:1915:

client:
139918902234240:error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify
failed:../ssl/statem/statem_clnt.c:1915:

I think there is a problem with the certificates. But where is the
problem, and why?

The statements used to create the certificates are in the project's ./certs/read.me.

Thanks for any help. I have been looking for a solution for days, and I
believe it is only a small bug.

Best regards

  Andreas
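Added example (not code from the post or the linked project): a POSIX shell script that rebuilds the post's PKI with the openssl command-line tool and runs, per leaf, the chain and purpose check a peer configured with SSL_VERIFY_PEER performs, including a second unrelated root ("OtherCA", a constructed name) to reproduce "certificate verify failed" on demand. The point it makes about the post's setup is the split between trust anchors and identity: ca.crt belongs in SSL_CTX_load_verify_locations on both sides, and SSL_CTX_use_certificate_chain_file should only ever receive the side's own leaf (plus intermediates), never the CA certificate. It assumes an openssl binary (1.1.1 or later) on PATH with its default config and uses the CA subject, server FQDN and client CN from the post.

```shell
#!/bin/sh
# Added example, not code from the post or the linked project. Rebuilds the
# post's PKI and verifies each leaf the way a peer with SSL_VERIFY_PEER would.
set -u

CA_SUBJ="/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=42CA"
SERVER_FQDN="debiandevdesktop01.sdctec.lokal"
CLIENT_CN="CLIENT001"

# issue_leaf DIR NAME CN EXTENSIONS: key + CSR, then a CA-signed v3 cert.
# The extensions are what make it v3 (the post's leaves are v1, i.e. no SAN).
issue_leaf() {
  dir=$1; name=$2; cn=$3; ext=$4
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  printf '%b\n' "$ext" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" 2>/dev/null
}

# make_pki DIR: the 42CA root, a server and a client leaf signed by it, and an
# unrelated root ("OtherCA", constructed) that has signed neither leaf.
make_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$CA_SUBJ" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  issue_leaf "$dir" server "$SERVER_FQDN" \
    "subjectAltName=DNS:$SERVER_FQDN\nextendedKeyUsage=serverAuth"
  issue_leaf "$dir" client "$CLIENT_CN" "extendedKeyUsage=clientAuth"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=OtherCA" \
    -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" 2>/dev/null
}

# check_chain CAFILE CERT PURPOSE: exit 0 iff CERT chains to CAFILE and is
# allowed for PURPOSE (sslserver or sslclient). CAFILE is the trust-anchor
# file, i.e. what SSL_CTX_load_verify_locations receives on the verifying side.
check_chain() {
  openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

if [ "${1:-}" = run ]; then   # stand-alone demo: sh mtls_pki_check.sh run
  d=$(mktemp -d); make_pki "$d"
  check_chain "$d/ca.crt" "$d/server.crt" sslserver && echo "server.crt -> 42CA: ok"
  check_chain "$d/ca.crt" "$d/client.crt" sslclient && echo "client.crt -> 42CA: ok"
  check_chain "$d/other-ca.crt" "$d/server.crt" sslserver \
    || echo "server.crt -> OtherCA: certificate verify failed (expected)"
fi
```

If both leaves pass check_chain against ca.crt, the certificates chain correctly and the remaining suspect is which file each SSL_CTX_* call was given.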
