Checking client certificate

Marius Cabas Tue, 01 Jul 2003 00:20:47 -0700

I'm trying to check the client certificate from the server side but it's not working 
well. Below is a piece of code from a server and a client application. Is something 
wrong with my code? because the SSL_accept function is failing with 
"SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate" error. I have 
generating the certificate using OpenSSL like this:
openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem


// SSL server
int main(int argc, char* argv[])
{
  sockaddr_in   sa_serv;
  sa_serv.sin_family      = AF_INET;
  sa_serv.sin_addr.s_addr = INADDR_ANY;
  sa_serv.sin_port        = htons(9000);
  
  int  listen_sd = socket(AF_INET, SOCK_STREAM, 0);
  bind(listen_sd, (sockaddr*)&sa_serv, sizeof(sa_serv));
  listen(listen_sd, 5);
  
  sockaddr_in  sa_cli;
  size_t       client_len = sizeof(sa_cli);
  int  sd = accept(listen_sd, (sockaddr*)&sa_cli, (int*)&client_len);
  closesocket(listen_sd);

  SSLeay_add_ssl_algorithms();
  SSL_CTX*  ctx = SSL_CTX_new(SSLv3_server_method());
  if(!ctx)
    exit(1);

  if(SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM) <= 0)
    exit(2);

  if(SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM) <= 0)
    exit(3);

  if(!SSL_CTX_check_private_key(ctx))
    exit(4);

  SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);

  SSL*  ssl = SSL_new(ctx);
  SSL_set_fd(ssl, sd);
  SSL_accept(ssl);

  X509* client_cert = SSL_get_peer_certificate(ssl); // returns always NULL
  if(client_cert == NULL)
    fprintf(stderr, "No client certificate available\n");

  // reading and writing operations
  ...
}


// SSL client
int main(int argc, char* argv[])
{
  sockaddr_in sa;
  sa.sin_family      = AF_INET;
  sa.sin_addr.s_addr = inet_addr("127.0.0.1");
  sa.sin_port        = htons(9000);

  int  sd = socket(AF_INET, SOCK_STREAM, 0);     
  connect(sd, (sockaddr*)&sa, sizeof(sa));

  SSLeay_add_ssl_algorithms();
  SSL_CTX*  ctx = SSL_CTX_new(SSLv3_client_method());
 
  // Initialize PRNG
  RAND_screen();

  if(SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM) <= 0)
    exit(1);

  SSL*  ssl = SSL_new (ctx);
  SSL_set_fd(ssl, sd);
  SSL_connect(ssl);
    
  // reading and writing operations
  ...
}



____________________________________________________________
Get advanced SPAM filtering on Webmail or POP Mail ... Get Lycos Mail!
http://login.mail.lycos.com/r/referral?aid=27005
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Checking client certificate

Reply via email to