I'm not sure what you mean by "... verify it against a CA stored somewhere."
Why would you ask for the client cert if you didn't want to verify the
signature?

Anyway, SSL_CTX_set_verify() is going to cause the server to send a
CertificateRequest message during the handshake, and
SSL_CTX_set_client_CA_list() tells the server how to fill out the
certificate_authorities member of the CertificateRequest. The handshake can
still work, sort of, without the CA list, depending on the client. You risk
having the client send a cert that the server can't verify.
SSL_CTX_load_verify_locations() or its equivalent is to tell the local end
where to find the CA certs it will use to verify the cert from the peer.

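The server-side settings discussed above, as an added example (not code from the thread or from serv.cpp), driven through Python's ssl module, whose SSLContext methods wrap the same OpenSSL calls: verify_mode is SSL_CTX_set_verify(), load_verify_locations() is SSL_CTX_load_verify_locations(), and getpeercert() is SSL_get_peer_certificate(), the call that returns the client's cert on the server side (SSL_get_certificate() returns the local end's own cert). Python exposes no SSL_CTX_set_client_CA_list(), so the CertificateRequest carries an empty CA list and the OpenSSL-based client sends its configured cert anyway, which is the "sort of works" case. It assumes an openssl command-line binary on PATH to mint throwaway self-signed certs, and hostname checking is switched off in the test client because it is not the point here.

```python
import contextlib, os, pathlib, socket, ssl, subprocess, tempfile, threading

def make_selfsigned(dirpath, name):
    """Mint a self-signed test cert (it is its own CA). Assumption: an `openssl` CLI is on PATH."""
    key, crt = os.path.join(dirpath, name + ".key"), os.path.join(dirpath, name + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + name, "-keyout", key, "-out", crt], check=True, capture_output=True)
    return key, crt

def server_context(key, crt, verify_mode, client_ca=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    ctx.verify_mode = verify_mode  # SSL_CTX_set_verify(): CERT_NONE never sends a CertificateRequest,
    if client_ca:                  # CERT_REQUIRED sends one and fails the handshake without an answer
        ctx.load_verify_locations(client_ca)  # SSL_CTX_load_verify_locations(): CAs to verify the client cert
    return ctx

def client_context(server_ca, key=None, crt=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # not the point here; trust is pinned to the test server cert
    ctx.load_verify_locations(server_ca)
    if crt:
        ctx.load_cert_chain(crt, key)  # the equivalent of `s_client -cert ... -key ...`
    return ctx

def handshake(srv_ctx, cli_ctx):
    # One handshake over a socketpair: returns the client cert (DER) the server saw, or the server's error.
    a, b = socket.socketpair()
    out = {"peer": None, "error": None}
    def serve():
        try:
            with srv_ctx.wrap_socket(a, server_side=True) as s:
                out["peer"] = s.getpeercert(binary_form=True)  # SSL_get_peer_certificate()
        except (ssl.SSLError, OSError) as e:
            out["error"] = getattr(e, "reason", None) or str(e)
    t = threading.Thread(target=serve); t.start()
    with contextlib.suppress(ssl.SSLError, OSError), cli_ctx.wrap_socket(b) as c:
        c.recv(2)  # with TLS 1.3 a server-side rejection alert only surfaces on this read
    t.join()
    return out

def demo():
    with tempfile.TemporaryDirectory() as d:
        (skey, scrt), (ckey, ccrt) = make_selfsigned(d, "server"), make_selfsigned(d, "client")
        srv = lambda mode, ca=None: server_context(skey, scrt, mode, ca)
        cli = client_context(scrt, ckey, ccrt)  # a client that holds a cert; contexts are reusable
        return {"client_der": ssl.PEM_cert_to_DER_cert(pathlib.Path(ccrt).read_text()),
                "never_asked": handshake(srv(ssl.CERT_NONE), cli),          # default: cert never shown
                "verified": handshake(srv(ssl.CERT_REQUIRED, ccrt), cli),   # asked, CA known: verifies
                "none_sent": handshake(srv(ssl.CERT_REQUIRED, ccrt), client_context(scrt)),  # the thread's error
                "unverifiable": handshake(srv(ssl.CERT_REQUIRED), cli)}     # asked, no CA loaded: cannot verify
```

The "none_sent" case is the server-side failure Robert hit (client asked for a certificate, none returned), and "unverifiable" is the risk Wade describes when the CA material is missing.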

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, March 19, 2000 11:21 AM
> To: Wade L. Scholine
> Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
> Subject: RE: demos/ssl/serv.cpp
> 
> On Fri, 17 Mar 2000, Wade L. Scholine wrote:
> 
> > Subject: RE: demos/ssl/serv.cpp
> > 
> > I don't know about SSL_CTX_set_default_verify_paths(). I think what you
> > really need is SSL_CTX_load_verify_locations(). Also for completeness you
> > have to have SSL_CTX_set_client_CA_list() though it will sort of work
> > without the latter.
> 
> As I look at the code from the first two functions, which end up in
> x509_d2.c in crypto/x509, they do the same thing. The
> ...default_verify_paths just do it with predefined paths whilst
> ..load_verify_locations do it with manually specified paths.
> 
> A question. Are we looking at solving the same question? I want the client
> to provide me with a key.. I do not necessarily want to compare the key
> with a key stored in a directory or verify it against a CA stored
> somewhere.
> 
> Robert Sandilands
> 
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, March 17, 2000 2:36 AM
> > > To: '[EMAIL PROTECTED]'
> > > Cc: [EMAIL PROTECTED]
> > > Subject: Re: demos/ssl/serv.cpp
> > > 
> > > On Thu, 16 Mar 2000, Lutz Jaenicke wrote:
> > > 
> > > Thanks to everybody helping me. As I understand it the process is:
> > > 
> > > In s_server.c s_server_verify is set to
> > > SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE for the case I am 
> > > interested in.
> > > Then it calls SSL_CTX_load_verify_locations(ctx,CAfile,CApath)
> > > or SSL_CTX_set_default_verify_paths(ctx)
> > > and SSL_CTX_set_verify(ctx,s_server_verify,verify_callback).
> > > 
> > > I've added the following lines to serv.cpp:
> > > 
> > >  SSL_CTX_set_default_verify_paths(ctx);
> > >  SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, NULL);
> > > 
> > > and the error it returns on failing is:
> > > 
> > > Connection from 100007f, port f04
> > > 4294401037:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
> > > certificate returned:d:\work\openssl\openss~1.5\ssl\s3_srvr.c:1677:
> > > 
> > > I'm using openssl.exe with the command line "openssl s_client -connect
> > > localhost:443 -key z:\robert.key -cert z:\robert.crt" to test the server
> > > program.
> > > 
> > > If I use openssl.exe as server, everything seems to work. The command line
> > > I use is: "d:\work\openssl\bin>openssl.exe s_server -key z:\robert.key
> > > -cert z:\robert.crt -accept 443 -verify 1".
> > > 
> > > Attached is the file I'm playing with.. A modified version of serv.cpp for
> > > Borland C++ Builder 4.0.
> > > 
> > > Any ideas would really be appreciated.
> > > 
> > > Robert Sandilands
> > > 
> > > > From: Lutz Jaenicke <[EMAIL PROTECTED]>
> > > > Subject: Re: demos/ssl/serv.cpp
> > > > 
> > > > On Thu, Mar 16, 2000 at 11:19:16AM +0200, [EMAIL PROTECTED] wrote:
> > > > > On Wed, 15 Mar 2000, Wade L. Scholine wrote:
> > > > > > From: Wade L. Scholine <[EMAIL PROTECTED]>
> > > > > > To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> > > > > > Subject: RE: demos/ssl/serv.cpp
> > > > > 
> > > > > client_cert = SSL_get_certificate( ssl ); 
> > > > > 
> > > > > in serv.cpp always fails. I want to know how I can make that one line
> > > > > work.
> > > > 
> > > > Again, Wade already gave you the necessary answer. The client will only
> > > > send the certificate to the server, _if_ explicitly asked to do so
> > > > during handshake. The default is to not ask for a client certificate.
> > > > On the server you must change the behaviour with the
> > > > SSL_[CTX_]set_verify() call and the SSL_VERIFY_PEER etc. options.
> > > > Please check apps/s_server.c as an example on how the call is used and
> > > > grep for s_server_verify to see the setting of the options.
> > > > 
> > > > Only then you can later access the client certificate. Or to say it the
> > > > other way round, without setting the verify option, this example should
> > > > never have shown a client certificate to anybody.
> 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
