[openssl-users] Problems on authentication during TLS handshake
Jin Xie
xj546641978 at gmail.com
Tue Jan 8 08:38:32 UTC 2019
Hi Viktor,
Thanks for your replay! Sorry for my wrong format and I would use plaint-text in the future.
As for “in which case it will use the public key as a stand-in for the missing private key”, do you mean use “client cert public key” instead of “client cert private key”? If so is it possible that I pass “client cert public key” in “SSL_CTX_use_PrivateKey_file”? (I’m running on 1.1 :(((( )
Thanks,
Jim
From: Viktor Dukhovni
Sent: Tuesday, January 8, 2019 12:05 AM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Problems on authentication during TLS handshake
On Mon, Jan 07, 2019 at 11:43:47PM -0800, Jin Xie wrote:
[ Going forward, please try to post plain-text with regular spaces,
rather than Unicode non-breaking spaces. ]
> // load client-side cert and key, signed by intermediate cert
> SSL_CTX_use_certificate_file(m_ctx, ClientCertificateFileTest, SSL_FILETYPE_PEM);
>
> // no need anymore because no way to extract private key
> // SSL_CTX_use_PrivateKey_file(m_ctx, ClientPrivateKeyFileTest, SSL_FILETYPE_PEM);
Your problem is here, you can't skip loading some form of private
key handle. OpenSSL 1.1.1 provides an SSL_CTX_use_cert_and_key()
function, which allows the private key to passed as NULL, in which
case it will use the public key as a stand-in for the missing private
key. All the relevant functions are in ssl/ssl_rsa.c, if you are
willing to read the source code to find the most suitable interface.
If you're using 1.1.0 or 1.0.2 there is probably another way, but
I don't know it off-hand.
--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190108/f6e9fbdd/attachment.html>
More information about the openssl-users
mailing list