<div dir="ltr">It's always good to start with the s_client and s_server programs for incrementally verifying compatibility in your new programs. Those would have failed on your certificates, alerting you it's not a program problem.</div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jan 10, 2016 at 6:20 PM, Karl Denninger <span dir="ltr"><<a href="mailto:karl@denninger.net" target="_blank">karl@denninger.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
I found the problem... for an unexplained reason either the
certificate or key were corrupt; I have added checking to make sure
they're coherent, as apparently OpenSSL is perfectly happy to load a
bogus cert (or key) without throwing an error, but won't present
them.<div><div class="h5"><br>
<br>
On 1/10/2016 17:07, Judson Wilson wrote:<br>
<blockquote type="cite">
<div dir="ltr">On the client side, double check that you are
creating the SSL object from the context AFTER you set the
client cert for the context, and not the other way around.</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sun, Jan 10, 2016 at 2:18 PM, Karl
Denninger <span dir="ltr"><<a href="mailto:karl@denninger.net" target="_blank">karl@denninger.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> I'm sure this is a
function of my lack of understanding of the documentation,
but here it is...<br>
<br>
I have an application that implements SSL-encrypted
transport between two or more devices. For those that are
clients without certificates (e.g. someone connecting with
a web browser) it is working fine.<br>
<br>
However, I also want certain "things" to connect *with* a
certificate. Toward that end I have set up a separate
context for said connections, with (simplified a bit):<br>
<br>
master_method = (SSL_METHOD *)
SSLv23_server_method(); /* Create instance */<br>
master_context =
SSL_CTX_new(master_method); /* Get SSL context for later
*/<br>
<br>
Then I set up the CA that is going to verify the client
certificates that are presented, with:<br>
<br>
sprintf(tmp, "%s/ssl/ca.pem", CONFIG_DIR);<br>
if
(!SSL_CTX_load_verify_locations(master_context, tmp,
NULL)) {<br>
syslog(LOG_ERR, "Cannot load
verification; MASTER will not validate");<br>
}<br>
<br>
and then load the server-side certificate and key, plus
tell it to verify the peer.<br>
<br>
sprintf(tmp, "%s/ssl/%s", CONFIG_DIR,
cert);<br>
if
(SSL_CTX_use_certificate_file(master_context, tmp,
SSL_FILETYPE_PEM) < 0) {<br>
syslog(LOG_WARNING, "Cannot load
SSL Certificate - SSL MASTER DISABLED");<br>
} else {<br>
sprintf(tmp, "%s/ssl/%s",
CONFIG_DIR, pkey);<br>
if
(SSL_CTX_use_PrivateKey_file(master_context, tmp,
SSL_FILETYPE_PEM) < 0) {<br>
syslog(LOG_WARNING,
"Cannot load SSL Key - SSL MASTER DISABLED");<br>
} else {<br>
SSL_CTX_set_verify(master_context, SSL_VERIFY_PEER,
verify_callback);<br>
master_ssl_possible = 1;
/* Enable */<br>
syslog(LOG_INFO, "SSL
MASTER capability initalized.");<br>
}<br>
}<br>
<br>
verify_callback just returns the preverify_ok flag back; I
don't care WHY the verification failed, just whether it
did or not. In other words looking at the "last reason"
is good enough (which I can get once the accept fails, if
it does.)<br>
<br>
Now the client has a very similar set of code in it and
when it connects it gets the verification (with the
callback set to NULL) and, provided the certificate
verifies against the CA file provided, all is well and it
works. The client's certificate and key are loaded and
the same basic code as up above is used to load the cert
and key without errors being thrown (except, of course,
that I call SSLv23_client_method() to get the method
structure.) It also connects *and* properly verifies the
server's certificate.<br>
<br>
However, on the server side I never get a client
certificate back despite having loaded one into the
context on the client and asking for it with
SSL_VERIFY_PEER on the server.<br>
<br>
If I INSIST on a client certificate by adding the
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, the connections always
fail at SSL_accept() with an error indicating that no
client certificate was provided.<br>
<br>
If not, however, the accept succeeds, the verification
callback routine is never called (!) and when I attempt to
get the peer certificate with SSL_get_peer_certificate()
so I can walk through it and check the returned attributes
(I wish to use the subjectAltName field among others) I
get back a NULL.<br>
<br>
This has to be something stupid on my part, because I
should get the verify_callback in any event, I believe --
but I never do.<span><font color="#888888"><br>
<br>
<div>-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net" target="_blank">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email
preferred]</i></font> </div>
</font></span></div>
<br>
_______________________________________________<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
openssl-users mailing list
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a>
</pre>
</blockquote>
<br>
<div>-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net" target="_blank">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
</div>
</div></div></div>
<br>_______________________________________________<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
<br></blockquote></div><br></div>