<div dir="ltr">On the client side, double check that you are creating the SSL object from the context AFTER you set the client cert for the context, and not the other way around.</div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jan 10, 2016 at 2:18 PM, Karl Denninger <span dir="ltr"><<a href="mailto:karl@denninger.net" target="_blank">karl@denninger.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
I'm sure this is a function of my lack of understanding of the
documentation, but here it is...<br>
<br>
I have an application that implements SSL-encrypted transport
between two or more devices. For those that are clients without
certificates (e.g. someone connecting with a web browser) it is
working fine.<br>
<br>
However, I also want certain "things" to connect *with* a
certificate. Toward that end I have set up a separate context for
said connections, with (simplified a bit):<br>
<br>
master_method = (SSL_METHOD *)
SSLv23_server_method(); /* Create instance */<br>
master_context = SSL_CTX_new(master_method); /* Get
SSL context for later */<br>
<br>
Then I set up the CA that is going to verify the client certificates
that are presented, with:<br>
<br>
sprintf(tmp, "%s/ssl/ca.pem", CONFIG_DIR);<br>
if (!SSL_CTX_load_verify_locations(master_context,
tmp, NULL)) {<br>
syslog(LOG_ERR, "Cannot load verification;
MASTER will not validate");<br>
}<br>
<br>
and then load the server-side certificate and key, plus tell it to
verify the peer.<br>
<br>
sprintf(tmp, "%s/ssl/%s", CONFIG_DIR, cert);<br>
if (SSL_CTX_use_certificate_file(master_context,
tmp, SSL_FILETYPE_PEM) < 0) {<br>
syslog(LOG_WARNING, "Cannot load SSL
Certificate - SSL MASTER DISABLED");<br>
} else {<br>
sprintf(tmp, "%s/ssl/%s", CONFIG_DIR, pkey);<br>
if
(SSL_CTX_use_PrivateKey_file(master_context, tmp, SSL_FILETYPE_PEM)
< 0) {<br>
syslog(LOG_WARNING, "Cannot load SSL
Key - SSL MASTER DISABLED");<br>
} else {<br>
SSL_CTX_set_verify(master_context,
SSL_VERIFY_PEER, verify_callback);<br>
master_ssl_possible = 1; /* Enable
*/<br>
syslog(LOG_INFO, "SSL MASTER
capability initalized.");<br>
}<br>
}<br>
<br>
verify_callback just returns the preverify_ok flag back; I don't
care WHY the verification failed, just whether it did or not. In
other words looking at the "last reason" is good enough (which I can
get once the accept fails, if it does.)<br>
<br>
Now the client has a very similar set of code in it and when it
connects it gets the verification (with the callback set to NULL)
and, provided the certificate verifies against the CA file provided,
all is well and it works. The client's certificate and key are
loaded and the same basic code as up above is used to load the cert
and key without errors being thrown (except, of course, that I call
SSLv23_client_method() to get the method structure.) It also
connects *and* properly verifies the server's certificate.<br>
<br>
However, on the server side I never get a client certificate back
despite having loaded one into the context on the client and asking
for it with SSL_VERIFY_PEER on the server.<br>
<br>
If I INSIST on a client certificate by adding the
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, the connections always fail at
SSL_accept() with an error indicating that no client certificate was
provided.<br>
<br>
If not, however, the accept succeeds, the verification callback
routine is never called (!) and when I attempt to get the peer
certificate with SSL_get_peer_certificate() so I can walk through it
and check the returned attributes (I wish to use the subjectAltName
field among others) I get back a NULL.<br>
<br>
This has to be something stupid on my part, because I should get the
verify_callback in any event, I believe -- but I never do.<span class="HOEnZb"><font color="#888888"><br>
<br>
<div>-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net" target="_blank">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
</div>
</font></span></div>
<br>_______________________________________________<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
<br></blockquote></div><br></div>