<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Hi Viktor,</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks for your replay! Sorry for my wrong format and I would use plaint-text in the future. </p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>As for “in which case it will use the public key as a stand-in for the missing private key”, do you mean use “client cert public key” instead of “client cert private key”? If so is it possible that I pass “client cert public key” in “SSL_CTX_use_PrivateKey_file”? (I’m running on 1.1 :(((( )</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Jim</p><p class=MsoNormal><o:p> </o:p></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='border:none;padding:0in'><b>From: </b><a href="mailto:openssl-users@dukhovni.org">Viktor Dukhovni</a><br><b>Sent: </b>Tuesday, January 8, 2019 12:05 AM<br><b>To: </b><a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br><b>Subject: </b>Re: [openssl-users] Problems on authentication during TLS handshake</p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>On Mon, Jan 07, 2019 at 11:43:47PM -0800, Jin Xie wrote:</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>[ Going forward, please try to post plain-text with regular spaces,</p><p class=MsoNormal> rather than Unicode non-breaking spaces. ]</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>> // load client-side cert and key, signed by intermediate cert</p><p class=MsoNormal>> SSL_CTX_use_certificate_file(m_ctx, ClientCertificateFileTest, SSL_FILETYPE_PEM);</p><p class=MsoNormal>> </p><p class=MsoNormal>> // no need anymore because no way to extract private key</p><p class=MsoNormal>> // SSL_CTX_use_PrivateKey_file(m_ctx, ClientPrivateKeyFileTest, SSL_FILETYPE_PEM);</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Your problem is here, you can't skip loading some form of private</p><p class=MsoNormal>key handle. OpenSSL 1.1.1 provides an SSL_CTX_use_cert_and_key()</p><p class=MsoNormal>function, which allows the private key to passed as NULL, in which</p><p class=MsoNormal>case it will use the public key as a stand-in for the missing private</p><p class=MsoNormal>key. All the relevant functions are in ssl/ssl_rsa.c, if you are</p><p class=MsoNormal>willing to read the source code to find the most suitable interface.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>If you're using 1.1.0 or 1.0.2 there is probably another way, but</p><p class=MsoNormal>I don't know it off-hand.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-- </p><p class=MsoNormal> Viktor.</p><p class=MsoNormal>-- </p><p class=MsoNormal>openssl-users mailing list</p><p class=MsoNormal>To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users</p><p class=MsoNormal><o:p> </o:p></p></div></body></html>