Re: Client Authentication!!! - help

Thu, 06 Jul 2000 08:11:41 -0700

Hi,

I don't understand your verify callback, I have used it and when my program worked, with your verify_callback not. Can you explain to me how works or why you use it?

thanks
 

Shrikrishna Karandikar wrote:

Hi,

  I have been following the email exchanges regarding client certificate
verification by the server. I put together an SSL server from the sample
code and the discussions. But I could not get it to authenticate the client.
So I am pasting my server code below. Could someone please point out the
problems with my code? Thanks,

The source code follows:

/* serv.cpp  -  Minimal ssleay server for Unix
   30.9.1996, Sampo Kellomaki <[EMAIL PROTECTED]> */

/* mangled to work with SSLeay-0.9.0b and OpenSSL 0.9.2b
   Simplified to be even more minimal
   12/98 - 4/99 Wade Scholine <[EMAIL PROTECTED]> */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <memory.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#include <openssl/rsa.h>       /* SSLeay stuff */
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bn.h>

/* define HOME to be dir for key and cert files... */
#define HOME "./"
/* Make these what you want for cert & key files */
#define CERTF  HOME "foo-cert.pem"
#define KEYF  HOME  "foo-cert.pem"

#define CHK_NULL(x) if ((x)==NULL) exit (1)
#define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
#define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2);
}

int verify_callback(int ok,  X509_STORE_CTX *ctx)
{

        char buf[256];
        X509 *err_cert;
        int err,depth;

        err_cert=X509_STORE_CTX_get_current_cert(ctx);
        err=    X509_STORE_CTX_get_error(ctx);
        depth=  X509_STORE_CTX_get_error_depth(ctx);

        return ok;

}

void main (int argc, char **argv)
{
  int err;
  long verify_error;
  int listen_sd;
  int sd;
  struct sockaddr_in sa_serv;
  struct sockaddr_in sa_cli;
  size_t client_len;
  SSL_CTX* ctx;
  SSL*     ssl;
  X509*    client_cert;
  char*    str;
  char     buf [4096];
  SSL_METHOD *meth;

  /* SSL preliminaries. We keep the certificate and key with the context. */

  SSL_load_error_strings();
  SSLeay_add_ssl_algorithms();
  meth = SSLv23_server_method();
  ctx = SSL_CTX_new (meth);
  if (!ctx) {
    ERR_print_errors_fp(stderr);
    exit(2);
  }

  if (SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM) <= 0) {
    ERR_print_errors_fp(stderr);
    exit(3);
  }
  if (SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM) <= 0) {
    ERR_print_errors_fp(stderr);
    exit(4);
  }

  if (!SSL_CTX_check_private_key(ctx)) {
    fprintf(stderr,"Private key does not match the certificate public
key\n");
    exit(5);
  }

 if (!SSL_CTX_load_verify_locations(ctx, CERTF, HOME)){
        fprintf(stderr,"X509_load_verify_locations\n");
        exit(6);
 }
 SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CERTF));
 SSL_CTX_set_verify(ctx,
SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,verify_callback);

  /* ----------------------------------------------- */
  /* Prepare TCP socket for receiving connections */

  listen_sd = socket (AF_INET, SOCK_STREAM, 0);   CHK_ERR(listen_sd,
"socket");

  memset (&sa_serv, '\0', sizeof(sa_serv));
  sa_serv.sin_family      = AF_INET;
  sa_serv.sin_addr.s_addr = INADDR_ANY;
  sa_serv.sin_port        = htons (atoi(argv[1]));
/* Server Port number */

  err = bind(listen_sd, (struct sockaddr*) &sa_serv,
             sizeof (sa_serv));                   CHK_ERR(err, "bind");

  /* Receive a TCP connection. */

  err = listen (listen_sd, 5);                    CHK_ERR(err, "listen");

  client_len = sizeof(sa_cli);
  sd = accept (listen_sd, (struct sockaddr*) &sa_cli, &client_len);
  CHK_ERR(sd, "accept");
  close (listen_sd);

  printf ("Connection from %lx, port %x\n",
          sa_cli.sin_addr.s_addr, sa_cli.sin_port);

  /* ----------------------------------------------- */
  /* TCP connection is ready. Do server side SSL. */

  ssl = SSL_new (ctx);                           CHK_NULL(ssl);
  SSL_set_fd (ssl, sd);
  err = SSL_accept (ssl);                        CHK_SSL(err);

  /* Get the cipher - opt */

  printf ("SSL connection using %s\n", SSL_get_cipher (ssl));

  /* Get client's certificate (note: beware of dynamic allocation) - opt */

  client_cert = SSL_get_peer_certificate (ssl);
  /* DATA EXCHANGE - Receive message and send reply. */

  err = SSL_read (ssl, buf, sizeof(buf) - 1);
CHK_SSL(err);
  buf[err] = '\0';
  printf ("Got %d chars:'%s'\n", err, buf);

  err = SSL_write (ssl, "I hear you.", strlen("I hear you."));
CHK_SSL(err);

  /* Clean up. */

  close (sd);
  SSL_free (ssl);
  SSL_CTX_free (ctx);
}
/* EOF - serv.cpp */

The error I get on the client side is:

16234:error:1406C0C8:SSL routines:GET_SERVER_FINISHED:peer
error:s2_clnt.c:856:
 

Shri Karandikar,
Entera, Inc.
40971, Encyclopedia Circle,
Fremont,CA-94538.
Direct: 518.580.3707
Fax:  510.249.9180
www.entera.com

Shaping the future of content delivery.
______________________________________________________________________
OpenSSL Project                                http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

-- 
Albert SERRA 
===========================================
Integrated Systems Laboratory (DE/LSI-EPFL)
email: [EMAIL PROTECTED]
  
begin:vcard 
n:Serra Pages;Albert
x-mozilla-html:FALSE
version:2.1
email;internet:[EMAIL PROTECTED]
adr;quoted-printable:;;Residence Marcolet =0D=0APre-Fontaine 12 Ch. 23;1023 Crissier; ;;Switzerland
x-mozilla-cpt:;0
fn:Albert Serra Pages
end:vcard

Reply via email to