Re: OpenSSL client verification - repost from comp.unix.programmer
From: Jim Webster (jwebster@ilstechnology.com) Date: 05/22/02
- Next message: Barry Margolin: "Re: IP address <--> Global Positioning System (GPS)"
- Previous message: Nico Kadel-Garcia: "Re: IP address <--> Global Positioning System (GPS)"
- In reply to: Jim Webster: "OpenSSL client verification - repost from comp.unix.programmer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: jwebster@ilstechnology.com (Jim Webster) Date: 22 May 2002 07:16:25 -0700
Just a bit more info.
This doesn't even work with the supplied ssltest.c
I did this:
ssltest -bytes 20 -d -v -ssl3 -server_auth -c_cert ../apps/client.pem -cert ../apps/server.pem
and get this:
server authentication
client waiting in SSL_connect - before/connect initialization
server waiting in SSL_accept - before/accept initialization
client waiting in SSL_connect - SSLv3 read server hello A
depth=0 error=20 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
ERROR in CLIENT
16909:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:769:
1 handshakes of 20 bytes done
So I deduce the supplied client.pem and server.pem are somehow defective.
So I use my own certs (ecrtr.pem).
Replacing with my certificate (ecrtr.pem) - same for server and
client.
This works:
ssltest -bytes 20 -d -v -ssl3 -server_auth -c_cert tmp/ecrtr.pem -cert tmp/ecrtr.pem
Giving this output:
server authentication
client waiting in SSL_connect - before/connect initialization
server waiting in SSL_accept - before/accept initialization
client waiting in SSL_connect - SSLv3 read server hello A
depth=0 error=18 /C=US/ST=Florida/L=Boca Raton/O=ILS Technology/OU=Development/CN=jww@ilstechnology.com
depth=0 /C=US/ST=Florida/L=Boca Raton/O=ILS Technology/OU=Development/CN=jww@ilstechnology.com
server waiting in SSL_accept - SSLv3 read client certificate A
client waiting in SSL_connect - SSLv3 read finished A
client wrote 20
server read 20
server wrote 20
client read 20
DONE: SSLv3, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
1 handshakes of 20 bytes done
But this fails:
ssltest -bytes 20 -d -v -ssl3 -client_auth -c_cert tmp/ecrtr.pem -cert tmp/ecrtr.pem
Giving this output:
client authentication
client waiting in SSL_connect - before/connect initialization
server waiting in SSL_accept - before/accept initialization
client waiting in SSL_connect - SSLv3 read server hello A
server waiting in SSL_accept - SSLv3 read client certificate A
depth=0 error=18 /C=US/ST=Florida/L=Boca Raton/O=ILS Technology/OU=Development/CN=jww@ilstechnology.com
depth=0 error=26 /C=US/ST=Florida/L=Boca Raton/O=ILS Technology/OU=Development/CN=jww@ilstechnology.com
ERROR in SERVER
16917:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:1793:
1 handshakes of 20 bytes done
jwebster@ilstechnology.com (Jim Webster) wrote in message news:<8ac0e387.0205210517.6c947320@posting.google.com>...
> On the chance that comp.unix.programmer was the incorrect group, I am
> reposting this question here.
>
>
> I'm trying to get client verification to work.
> I "borrowed" the certificates "client.pem" and "server.pem" from the
> openssl package (directory openssl/openssl-0.9.6c/apps).
>
> I've also tried other certificates as well as generating my own.
>
> I start stunnel: "stunnel -D debug -c -d 5901 -r jww:6901 -p
> client.pem"
> And I start my SSL application specifying server.pem as my
> certificate.
> In my app, I do the usual stuff ala the way stunnel did it:
> SSL_load_error_strings()
> SSL_library_init()
> SSL_CTX_use_certificate_chain_file()
> SSL_CTX_use_PrivateKey_file()
> SSL_CTX_check_private_key()
> SSL_CTX_set_default_verify_paths()
> SSL_CTX_set_verify()
> SSL_CTX_set_info_callback()
> SSL_CTX_set_cipher_list()
> etc, etc.
>
> I specify SSL_VERIFY_PEER in my "set_verify" call.
>
> Then in my app, get this:
> state=before/accept initialization
> state=SSLv3 read client hello A
> state=SSLv3 write server hello A
> state=SSLv3 write certificate A
> state=SSLv3 write certificate request A
> state=SSLv3 flush data
> VERIFY ERROR: depth=0, error=unable to get local issuer certificate:
> /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Client test cert (512 bit)
> SSL alert (write): fatal: bad certificate
> SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>
>
> And stunnel was started with this:
> stunnel -D debug -c -d 5901 -r jww:6901 -p client.pem
>
> and gives these errors:
>
> jww.6901 connecting 192.168.1.109:6901
> Remote FD=468 initialized
> SSL state (connect): before/connect initialization
> SSL state (connect): SSLv3 write client hello A
> SSL state (connect): SSLv3 read server hello A
> SSL state (connect): SSLv3 read server certificate A
> SSL state (connect): SSLv3 read server certificate request A
> SSL state (connect): SSLv3 read server done A
> SSL state (connect): SSLv3 write client certificate A
> SSL state (connect): SSLv3 write client key exchange A
> SSL state (connect): SSLv3 write certificate verify A
> SSL state (connect): SSLv3 write change cipher spec A
> SSL state (connect): SSLv3 write finished A
> SSL state (connect): SSLv3 flush data
> SSL alert (read): fatal: bad certificate
> SSL_connect: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert
> bad certificate
>
> I'm just starting to figure all this stuff out and am a bit baffled.
> Why can't I get my app (the server) to verify my client (stunnel)
> certificate?
> If I leave off the "-p client.pem" from stunnel, it works fine.
>
> Thanks,
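The three verify codes in the ssltest output above are standard X509 verification results: 18 means the certificate at depth 0 is self-signed and is not in the trust store, 20 means the certificate's issuer could not be found among the loaded trust anchors ("unable to get local issuer certificate", the same message the original post shows for the stock client.pem), and 26 means the certificate's extensions do not permit the purpose being checked (for example a certificate marked for server use only, presented as a client certificate). The quoted application calls SSL_CTX_set_default_verify_paths() but never loads the CA that issued client.pem; SSL_CTX_load_verify_locations() in an application, or -CAfile on the command line, is what supplies that trust anchor. The script below is an added example, not code from the post or from the OpenSSL project; it builds throwaway certificates with made-up subjects under a temporary directory and reproduces each of the three codes with `openssl verify`. It assumes only that the `openssl` command is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce X509 verify codes
# 18, 20 and 26 with the openssl CLI. Assumes `openssl` is on PATH. Every
# certificate is generated here; subjects are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed certificate and key: name subject
new_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a leaf certificate signed by one of our CAs: name subject ca [extfile]
# The optional extfile is in `openssl x509 -extfile` format.
new_leaf() {
  name="$1"; subj="$2"; ca="$3"; extfile="${4:-}"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -n "$extfile" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.pem" \
      -CAkey "$WORK/$ca.key" -CAcreateserial -days 30 \
      -extfile "$extfile" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.pem" \
      -CAkey "$WORK/$ca.key" -CAcreateserial -days 30 \
      -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# Run `openssl verify` and print the X509 verify code: 0 when the chain is
# OK, otherwise the N from "error N at D depth lookup": ca-file cert [opts...]
verify_code() {
  ca="$1"; cert="$2"; shift 2
  out="$(openssl verify -CAfile "$ca" "$@" "$cert" 2>&1)" || true
  if printf '%s\n' "$out" | grep -q ': OK$'; then
    echo 0
  else
    printf '%s\n' "$out" \
      | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/\1/p' \
      | head -n 1
  fi
}

# Trust anchors: the CA that issues our leaves, and an unrelated one that
# plays the role of "the wrong trust store".
new_selfsigned ca      "/O=Example Corp/CN=Example Corp Root CA"
new_selfsigned otherca "/O=Unrelated Org/CN=Unrelated CA"

# A lone self-signed certificate, used as a client cert without any CA
# (the situation the post's ecrtr.pem is in).
new_selfsigned lonely  "/O=Example Corp/CN=self-signed client"

# A properly issued client certificate (no restricting extensions).
new_leaf client "/O=Example Corp/CN=client" ca

# A certificate whose extendedKeyUsage allows server use only.
printf 'extendedKeyUsage = serverAuth\n' > "$WORK/server-only.ext"
new_leaf server "/O=Example Corp/CN=server" ca "$WORK/server-only.ext"

echo "issued client cert, issuing CA loaded:     $(verify_code "$WORK/ca.pem" "$WORK/client.pem")"
echo "self-signed cert, not in trust store:      $(verify_code "$WORK/otherca.pem" "$WORK/lonely.pem")"
echo "issued client cert, wrong CA loaded:       $(verify_code "$WORK/otherca.pem" "$WORK/client.pem")"
echo "server-only cert checked as sslclient:     $(verify_code "$WORK/ca.pem" "$WORK/server.pem" -purpose sslclient)"
```

The second and third cases are the ones the ssltest runs above hit: a self-signed certificate fails with 18 whatever CA file is loaded unless the certificate itself is added as a trust anchor, and an issued certificate fails with 20 until its issuing CA is loaded. In an application the equivalent of `-CAfile` is SSL_CTX_load_verify_locations(); to make the server refuse a client that fails verification rather than merely log it, SSL_CTX_set_verify() is given SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT and the verify callback returns the result OpenSSL handed it.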