Hi Carlos,

----- Original Message -----
From: "Carlos Serrão" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, 14 March, 2001 20:57
Subject: Two-way authentication

> Hi all,
> can someone provide please a working example of a two-way authentication
> program using OpenSSL ?



Sorry, I can't provide you with a 'working example' straight away.
Nevertheless, here are a few leads on how to get it done.


Note: I assume that you mean you want both these actions when an SSL
connection is being established:

- server verifies client, using a certificate passed by the client to the
server

- client verifies server, using a certificate passed by the server to the
client



You may wish to check out the 'verify_callback()' function in apps/s_cb.c
and roll your own version of that one (as the current one is very forgiving
;-) )

The basic verify_callback() shown in the OpenSSL distrib. does a few things
based on verify_depth. I tweaked that code for my own use so I can have the
OpenSSL standard functionality, next to 'anal retentive mode' (using
negative verify_depth values) forcing both apps/s_client and apps/s_server
to reject ANY connection which does not provide a certificate chain of
the exact 'depth' I desire. This way, I can easily differentiate between
self-signed and CA-signed certs. I can also check if incoming certs are
signed by the CA in my -CApath, and if they aren't, kick them off the line
:-)

If you want to check specific contents of certificates passed for
verification by either client or server, you can add additional code there
to look for and check those elements. I didn't do that (yet), however.


To force both client and server to use a certificate, invoke

s_client -cert myccert.pem -verify 1

and

s_server -cert myscert.pem -Verify 1

(Note the capital 'V' in the s_server -Verify parameter: it means: server
wants *mandatory* client cert upon connection. s_client -verify does the
same for the client: mandatory server cert.)





I included my s_cb.c tweaked sourcecode (based on OpenSSL-0.9.6). Do with it
whatever you like (look for the '[i_a]' comments to find the spots I messed
around with.) You don't need to change s_server.c or s_client.c themselves
as they already, ahem, support decoding negative verify_depth values.

Try

s_client -cert myccert.pem -verify -1

and

s_server -cert myscert.pem -Verify -1

with self-signed certs for both client and server: they should be accepted.
Use other (CA-signed) certs for either client or server and the connection
will fail.



s_server -cert myscert.pem -CAfile mycacert.pem -Verify -2

will accept only client certs, signed by the CA, identified by your
mycacert.pem certificate, assuming mycacert.pem is a self-signed (root) CA
certificate.




Hope this helps...



Groetjes/Greetinx,

  Ger

------------------------------------------------------------------------------
Ger Hobbelt a.k.a. Insh_Allah                     mailto:[EMAIL PROTECTED]
------------------------------------------------------------------------------
  Peter Pan can fly when he thinks his Happy Thought.
  I want to fly too.
  My Happy Thought is... one part Prozac and one part LSD...
  Wow! Awesome, dude!

s_cb.zip
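
The message above distinguishes self-signed certificates from ones signed by the CA in -CAfile. As an added example (not part of the original message or of the attached s_cb.c), this script builds a throwaway root CA, a CA-signed client certificate and a self-signed certificate, then runs the chain check with `openssl verify -CAfile` to show which one a CA-restricted verifier accepts. All file names and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example: every key, certificate and name below is constructed.

# make_demo_pki DIR: create a root CA, a CA-signed client certificate and
# an unrelated self-signed certificate inside DIR.
make_demo_pki() {
    d=$1
    # Self-signed root CA (plays the role of mycacert.pem in the message).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Client key and CSR, then sign the CSR with the CA key.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null || return 1
    # Self-signed certificate that the CA never issued.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo selfsigned" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null || return 1
}

# chain_ok CAFILE CERT: succeed only if CERT chains up to a root in CAFILE.
# The "<file>: OK" line is checked instead of the exit status, because very
# old openssl releases exit 0 even when verification fails.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"

for name in client self; do
    if chain_ok "$demo_dir/ca.pem" "$demo_dir/$name.pem"; then
        echo "$name.pem: accepted (chains to Demo Root CA)"
    else
        echo "$name.pem: rejected (not issued by Demo Root CA)"
    fi
done
```

The generated client.pem/client.key pair and ca.pem can be passed to s_client via -cert/-key and to s_server via -CAfile together with -Verify 1 to try the same check over a live connection.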
