Eric Rescorla wrote:
> > "Paul L. Allen" <[EMAIL PROTECTED]> writes:
> > Eric Rescorla wrote:
> > Hmmm... When I watch a demo client and server with client
> > authentication, I see the client's cert going over the wire. I wonder
> > why I don't see it in the case of my real code? Would mis-matching the
> > BIO on the server side explain this as well?
> No, I'm afraid not.
I was afraid of that. More bugs in my code, no doubt. :-)

I've discovered what was causing my server to malfunction. When I adapted your sample code to fit into my project, I changed it a bit based on my reading of the BIO_* man pages. (One should never meddle in the affairs of wizards!)

Here is what my non-working code looked like, with irrelevant stuff like error checking removed:

    BIO *io;
    SSL *ssl;
    int sock,s;
    BIO *sbio;
    BIO *bbio;
    SSL_CTX *ctx;
    int r;

    ctx=initialize_ctx(KEYFILE,PASSWORD);
    load_dh_params(ctx,DHFILE);
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);
    sock=tcp_listen();
    s=accept(sock,0,0);

    sbio=BIO_new_socket(s,BIO_NOCLOSE);
    bbio=BIO_new(BIO_f_buffer());
    BIO_push(bbio, sbio);          /* chain: bbio -> sbio (no SSL filter in between) */
    ssl=SSL_new(ctx);
    SSL_set_bio(ssl,sbio,sbio);
    r=SSL_accept(ssl);
    ...
    BIO_gets(bbio,...);            /* reads the raw socket, bypassing the SSL object */

The socket BIO is pushed onto the buffered BIO, and then the SSL is associated with the socket BIO. Should work fine, I'm thinking. (Yeah, right! Read the man pages one more time, Paul!)

Here's the code that's now working after making it look very much like your sample code:

    BIO *io;
    SSL *ssl;
    int sock,s;
    BIO *sbio;
    BIO *ssl_bio;
    SSL_CTX *ctx;
    int r;

    ctx=initialize_ctx(KEYFILE,PASSWORD);
    load_dh_params(ctx,DHFILE);
    sock=tcp_listen();             /* as in the first version; omitted above */
    s=accept(sock,0,0);

    sbio=BIO_new_socket(s,BIO_NOCLOSE);
    ssl=SSL_new(ctx);
    SSL_set_bio(ssl,sbio,sbio);    /* the SSL object owns the transport */
    io = BIO_new(BIO_f_buffer());
    ssl_bio = BIO_new(BIO_f_ssl());
    BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE);
    BIO_push(io, ssl_bio);         /* chain: io -> ssl_bio -> (ssl -> sbio) */
    r=SSL_accept(ssl);
    BIO_gets(io,...);              /* reads decrypted application data */

So, I'm doing my I/O on the buffered BIO, which has an SSL BIO pushed on behind it. The SSL BIO has had its internal SSL pointer set to my SSL structure. Meanwhile, a socket BIO associated with the underlying TCP socket has been connected for both reading and writing to my SSL structure, but it is not pushed onto the chain of BIOs.

Eric, I guess I just need to get the technical library to buy me a copy of your book and all will become clear. :-)

The JSSE client-side authentication stuff is still not working.
As you say, it's hard to debug something that's mostly opaque. We'll investigate PureTLS as an alternative to JSSE.

Thanks!

Paul Allen
--
Boeing Phantom Works          \ Paul L. Allen, (425) 865-3297
Math & Computing Technology   \ [EMAIL PROTECTED]
POB 3707 M/S 7L-40, Seattle, WA 98124-2207 \ Prototype Systems Group
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]