On Fri, 17 Mar 2000, Wade L. Scholine wrote:

> Subject: RE: demos/ssl/serv.cpp
> 
> I don't know about SSL_CTX_set_default_verify_paths(). I think what you
> really need is SSL_CTX_load_verify_locations(). Also for completeness you
> have to have SSL_CTX_set_client_CA_list() though it will sort of work
> without the latter.

As I look at the code from the first two functions, which end up in
x509_d2.c in crypto/x509, they do the same thing. The
...default_verify_paths just do it with predefined paths whilst
..load_verify_locations do it with manually specified paths.

A question. Are we looking at solving the same question? I want the client
to provide me with a key.. I do not necessarily want to compare the key
with a key stored in a directory or verify it against a CA stored
somewhere.

Robert Sandilands

> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, March 17, 2000 2:36 AM
> > To: '[EMAIL PROTECTED]'
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: demos/ssl/serv.cpp
> > 
> > On Thu, 16 Mar 2000, Lutz Jaenicke wrote:
> > 
> > Thanks to everybody helping me. As I understand it the process is:
> > 
> > In s_server.c s_server_verify is set to
> > SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE for the case I am 
> > interested in.
> > Then it calls SSL_CTX_load_verify_locations(ctx,CAfile,CApath)
> > or SSL_CTX_set_default_verify_paths(ctx)
> > and SSL_CTX_set_verify(ctx,s_server_verify,verify_callback).
> > 
> > I've added the following lines to serv.cpp:
> > 
> >  SSL_CTX_set_default_verify_paths(ctx);
> >  SSL_CTX_set_verify( ctx, 
> > SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, NULL );
> >  
> > and the error it returns on failing is:
> > 
> > Connection from 100007f, port f04
> > 4294401037:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
> > certificate returned:d:\work\openssl\openss~1.5\ssl\s3_srvr.c:1677:
> > 
> > I'm using openssl.exe with the command line "openssl s_client -connect
> > localhost:443 -key z:\robert.key -cert z:\robert.crt" to test 
> > the server
> > program.
> > 
> > If I use openssl.exe as server, everything seems to work. The 
> > command line
> > I use is: "d:\work\openssl\bin>openssl.exe s_server -key z:\robert.key
> > -cert z:\robert.crt -accept 443 -verify 1".
> > 
> > Attached is the file I'm playing with.. A modified version of 
> > serv.cpp for
> > Borland C++ Builder 4.0.
> > 
> > Any ideas would really be appreciated.
> > 
> > Robert Sandilands
> > 
> > > From: Lutz Jaenicke <[EMAIL PROTECTED]>
> > > Subject: Re: demos/ssl/serv.cpp
> > > 
> > > On Thu, Mar 16, 2000 at 11:19:16AM +0200, [EMAIL PROTECTED] wrote:
> > > > On Wed, 15 Mar 2000, Wade L. Scholine wrote:
> > > > > From: Wade L. Scholine <[EMAIL PROTECTED]>
> > > > > To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> > > > > Subject: RE: demos/ssl/serv.cpp
> > > > 
> > > > client_cert = SSL_get_certificate( ssl ); 
> > > > 
> > > > in serv.cpp always fails. I want to know how can I make 
> > that one line
> > > > work?
> > > 
> > > Again, Wade already gave you the necessary answer. The 
> > client will only
> > > send the certificate to the server, _if_ explicitly asked to do so
> > > during handshake. The default is to not ask for a client 
> > certificate.
> > > On the server you must change the behaviour with the
> > > SSL_[CTX_]set_verify() call and the options SSL_VERIFY_PEER 
> > etc options.
> > > Please check apps/s_server.c as an example on how the call 
> > is used and
> > > grep for s_server_verify to see the setting of the options.
> > > 
> > > Only then you can later access the client certificate. Or 
> > to say it the
> > > other way round, without setting the verify option, this 
> > example should
> > > never have shown a client certificate to anybody.
> > 
> > 
> 

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
