Client authentication - - Openssl


  1. Client authentication -

    Hi,

    I'm writing a client/server application. I'm using OpenSSL. The project
    is a little wicked, because of the fact that I want to use client
    authentication WITHOUT server authentication. The problem is that the
    client is not willing to send its certificate to the server: the connection
    is established correctly, but 'SSL_get_peer_certificate' returns NULL,
    regardless of using
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);

    Simplified client + server code is listed below (threading/error
    handling/cleanup and other garbage is stripped off):

    /*
     * Error handling & cleanup stripped
     */
    #include <openssl/ssl.h>
    #include <openssl/bio.h>
    #include <openssl/err.h>
    #include <openssl/x509.h>

    void init()
    {
        OpenSSL_add_all_algorithms();
        ERR_load_BIO_strings();
        SSL_load_error_strings();
        ERR_load_CRYPTO_strings();
        ERR_load_ERR_strings();
        ERR_load_SSL_strings();
    }

    void server()
    {
        init();
        SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
        // require a client certificate and fail the handshake if none arrives
        SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
        //auto retry pls
        SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);

        //folder contains name-hashed client certificate
        SSL_CTX_load_verify_locations(ctx, NULL, "cert\\client");

        // or maybe this: (self-signed certificate (the same as name-hashed)
        SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file("cert\\client\\bb.signed.pem"));

        /* load server certificate - but I am not using it! */
        SSL_CTX_use_certificate_chain_file(ctx, "cert\\server.signed.pem");
        SSL_CTX_use_PrivateKey_file(ctx, "cert\\server.key", SSL_FILETYPE_PEM);
        SSL_CTX_check_private_key(ctx);

        /* setup accept BIOs */
        BIO* sbio = BIO_new_ssl(ctx, 0);
        char* cport = "1313";
        //accept bio
        BIO* acpt = BIO_new_accept(cport);
        //add SSL bio
        BIO_set_accept_bios(sbio, acpt);

        //first call: create the listening socket
        BIO_do_accept(acpt);

        //second call: block until a client connects
        BIO_do_accept(acpt);

        //retrieve ssl from SSL bio
        SSL* ssl;
        long res;
        res = BIO_get_ssl(sbio, &ssl);
        // <--- NOTE: retrieving ssl from other (i.e. connection) bios causes
        //res to become 0 and raises memory exception
        //in further processing of ssl...

        /* pop new bio from accept bio
           (normally I'm using multi-connection model) */
        BIO* cbio = BIO_pop(acpt);

        //BIO_do_handshake(cbio);//will indicate failure

        X509* cert = SSL_get_peer_certificate(ssl);//!!!! will return NULL (why?)
        long verify = SSL_get_verify_result(ssl);//will indicate success
        //ok?, no cert=no failure?
        //but I used SSL_VERIFY_FAIL_IF_NO_PEER_CERT!!!
        //ok my mistake...
        //it is relevant when using BIO_do_handshake

        //now the req/resp processing and free resources
    }

    void client()
    {
        init();
        SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());

        SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
        /* I also tried these instead: */
        //SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
        //SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);

        //auto retry pls
        SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);

        /* Load the trust store (NOTE: not using server auth!
           don't want it!) */
        //SSL_CTX_load_verify_locations(ctx, NULL, "cert");

        /* client uses certificate and key */
        SSL_CTX_use_certificate_chain_file(ctx, "cert\\client\\client.signed.pem");
        SSL_CTX_use_PrivateKey_file(ctx, "cert\\client\\client.key", SSL_FILETYPE_PEM);
        SSL_CTX_check_private_key(ctx);

        /* spawn connect bio */
        BIO* bio = BIO_new_ssl_connect(ctx);

        /* server address */
        char* host = "xxx";
        char* port = "1313";
        BIO_set_conn_hostname(bio, host);
        BIO_set_conn_port(bio, port);

        /* connect */
        BIO_do_connect(bio);
        /* req/resp and free resources */
    }

    Cert generation (server & client procedure):

    ] openssl genrsa -aes256 -out server.key 1024
    ] openssl req -new -key server.key -out server.pem
    ] cp server.key server.key.org
    ] openssl rsa -in server.key.org -out server.key
    ] openssl x509 -req -days 365 -in server.pem -signkey server.key -out server.signed.pem

    Irrelevant(?), but strange(??): Windows-compiled OpenSSL crashes (the
    new version, not the one I'm using in the project); I had to use FreeBSD
    to do this.

    NOTE: I'm using VS2005, openssl-0.9.7j (compiled on the dev machine as a
    static lib). The client is written in "pure" C++ with STL "and stuff".
    The server (please don't laugh) is written in Managed C++ on .NET 2.0. I'm
    a little amateur here.

    Please help!

    Best regards,

    tytusse


  2. Re: Client authentication -

    So....
    I'm replying to my own post, not only to show the solution, but to
    prove how stupid human mistakes can be:
    > //add SSL bio
    > BIO_set_accept_bios(sbio,acpt);
    >

    BIO_set_accept_bios(acpt,sbio);

    That solved most of the problems.... Silly me :/

    Ciao,

    tytusse


  3. Re: Client authentication -

    Hi,
    It is not related to your question, but I have one question. I have
    downloaded the OpenSSL COM Wrapper from http://www.fuessl.de/. But in the
    client application SSL_SEND is returning -1. Can you help me with the same?


    Regards,

    Milind M. Patil




    tytusse wrote:

    > So....
    > I'm replying to my own post, not only to show the solution, but to
    > prove how stupid human mistakes can be:
    > > //add SSL bio
    > > BIO_set_accept_bios(sbio,acpt);
    > >

    > BIO_set_accept_bios(acpt,sbio);
    >
    > That solved most of the problems.... Silly me :/
    >
    > Ciao,
    >
    > tytusse
