OpenSSL client verification - repost from comp.unix.programmer
From: Jim Webster (jwebster@ilstechnology.com) Date: 05/21/02
From: jwebster@ilstechnology.com (Jim Webster) Date: 21 May 2002 06:17:48 -0700
On the chance that comp.unix.programmer was the incorrect group, I am reposting this question here.
I'm trying to get client verification to work.
I "borrowed" the certificates "client.pem" and "server.pem" from the openssl package (directory openssl/openssl-0.9.6c/apps).
I've also tried other certificates as well as generating my own.
I start stunnel: "stunnel -D debug -c -d 5901 -r jww:6901 -p client.pem"
And I start my SSL application specifying server.pem as my certificate.
In my app, I do the usual stuff, à la the way stunnel did it:
SSL_load_error_strings()
SSL_library_init()
SSL_CTX_use_certificate_chain_file()
SSL_CTX_use_PrivateKey_file()
SSL_CTX_check_private_key()
SSL_CTX_set_default_verify_paths()
SSL_CTX_set_verify()
SSL_CTX_set_info_callback()
SSL_CTX_set_cipher_list()
etc, etc.
I specify SSL_VERIFY_PEER in my "set_verify" call.
Then in my app, I get this:
state=before/accept initialization
state=SSLv3 read client hello A
state=SSLv3 write server hello A
state=SSLv3 write certificate A
state=SSLv3 write certificate request A
state=SSLv3 flush data
VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Client test cert (512 bit)
SSL alert (write): fatal: bad certificate
SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
And stunnel was started with this:
stunnel -D debug -c -d 5901 -r jww:6901 -p client.pem
and gives these errors:
jww.6901 connecting 192.168.1.109:6901
Remote FD=468 initialized
SSL state (connect): before/connect initialization
SSL state (connect): SSLv3 write client hello A
SSL state (connect): SSLv3 read server hello A
SSL state (connect): SSLv3 read server certificate A
SSL state (connect): SSLv3 read server certificate request A
SSL state (connect): SSLv3 read server done A
SSL state (connect): SSLv3 write client certificate A
SSL state (connect): SSLv3 write client key exchange A
SSL state (connect): SSLv3 write certificate verify A
SSL state (connect): SSLv3 write change cipher spec A
SSL state (connect): SSLv3 write finished A
SSL state (connect): SSLv3 flush data
SSL alert (read): fatal: bad certificate
SSL_connect: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
I'm just starting to figure all this stuff out and am a bit baffled.
Why can't I get my app (the server) to verify my client (stunnel) certificate?
If I leave off the "-p client.pem" from stunnel, it works fine.
Thanks,
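The failing step in the post is the server's X.509 chain check on the client's certificate, not anything on the stunnel side: "VERIFY ERROR: depth=0, error=unable to get local issuer certificate" is the server reporting that it holds no trusted certificate for the issuer of the client certificate, and the "bad certificate" alert stunnel receives is just that rejection. SSL_CTX_set_default_verify_paths() loads only the system default store, so a test CA (such as the one that signed the borrowed client.pem) has to be added explicitly with SSL_CTX_load_verify_locations(). The script below is an added example, not code from the post, from stunnel or from OpenSSL: it builds a throwaway CA and a client certificate issued by it (all names constructed) and runs the same chain check with the openssl command-line tool, first against the default store only and then with the issuing CA supplied. It assumes only that the openssl binary is installed.

```sh
#!/bin/sh
# Added example, not code from the post, stunnel or OpenSSL. Reproduces the
# server-side verify error with a throwaway PKI and shows what fixes it.
# Assumes only the openssl command-line tool; all names below are constructed.
set -e

WORK=$(mktemp -d)                 # scratch directory for the constructed PKI
CA_PEM="$WORK/ca.pem"
CLIENT_PEM="$WORK/client.pem"

# Minimal openssl.cnf so the example does not depend on the system config.
# The [v3_ca] section marks the test CA as a CA; a root lacking
# basicConstraints CA:TRUE is rejected as an "invalid CA certificate".
cat > "$WORK/test.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Constructed Test CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Build a self-signed test CA and a client certificate issued by it.
make_test_pki() {
    openssl req -x509 -config "$WORK/test.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$CA_PEM" 2>/dev/null
    openssl req -new -config "$WORK/test.cnf" -subj "/CN=Constructed client" \
        -newkey rsa:2048 -nodes \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/client.csr" \
        -CA "$CA_PEM" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$CLIENT_PEM" 2>/dev/null
}

# The chain check the server performs on the client certificate.
# With no CA file this consults the system default store only, which is all
# SSL_CTX_set_default_verify_paths() gives the server in the post; the
# optional second argument plays the role of SSL_CTX_load_verify_locations().
# Prints "ok", or the verify reason (the same text the verify callback logs).
verify_cert() {
    cert=$1
    ca=$2
    if [ -n "$ca" ]; then
        out=$(openssl verify -CAfile "$ca" "$cert" 2>&1) && { echo ok; return 0; }
    else
        out=$(openssl verify "$cert" 2>&1) && { echo ok; return 0; }
    fi
    # Keep just the reason from "error N at D depth lookup: <reason>".
    echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
}

make_test_pki
echo "default store only: $(verify_cert "$CLIENT_PEM")"
echo "with issuing CA:    $(verify_cert "$CLIENT_PEM" "$CA_PEM")"
```

The first line printed is the post's error verbatim; the second is "ok". In the server application the equivalent of -CAfile is SSL_CTX_load_verify_locations(ctx, "ca.pem", NULL), and SSL_CTX_set_client_CA_list() advertises the accepted issuers in the certificate request so the client knows which certificate to send. Note also why dropping "-p client.pem" makes the handshake "work": stunnel then presents no certificate at all, and SSL_VERIFY_PEER on its own accepts a client that sends none (only SSL_VERIFY_FAIL_IF_NO_PEER_CERT rejects that), so the connection succeeds without any client authentication having taken place.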