On 12 Apr 2001 08:00:05 +1000, Michael Czapski wrote:
> Hello Colin,
> You need to tell the server to ask for one, for example:
>
> if (giRequirePeerCert) {
>     SSL_CTX_set_verify(*sslCtx,
>                        SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
>                        verify_callback);
> } else {
>     SSL_CTX_set_verify(*sslCtx, SSL_VERIFY_NONE, verify_callback);
> }
> Cheers
>
Thanks! This was just what we needed. One point to mention: This must be
done BEFORE calling SSL_new(), as in:

    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                       verify_callback);
    ssl = SSL_new(ctx);

I'm guessing that the context is only looked at once before constructing
the ssl object, and then not referenced again.
So it works now. Thanks to all who replied, especially Michael. This was
driving me crazy. :)
> --
> Michael Czapski
> Senior Consultant
> SeeBeyond Pty. Ltd.
> +61 2 9409-5403
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Colin Fox
> Sent: Thursday, April 12, 2001 6:08 AM
> To: [EMAIL PROTECTED]
> Subject: Server certificates
>
> Greetings. We're trying to get client/server authentication working via
> certificates.
>
> We've followed the example code (such as it is), and found that the
> client can get the server's cert, but the server thinks that there's no
> client cert. We really need that client cert.
>
> The call in question is:
> SSL_get_peer_certificate(ssl)
>
> I can post a larger code sample if necessary, but my question is: Is
> this the right call for client authentication, or does it only work for
> server authentication?
>
> Thanks.
>
>
> --
> Colin Fox
> I speak for myself.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
--
Colin Fox [EMAIL PROTECTED]
I speak for myself.