Hi, I am writing a simple communication library that uses OpenSSL. It uses bidirectional authentication and RSA key exchange. As part of the library's connect / accept primitives, the server requests the peer certificate of the client using the call SSL_get_peer_certificate(ssl) (right after SSL_connect / SSL_accept). The client does the same.

Both client and server use the call SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback) as part of initialization, though I've also tested the library using a variant where only the server invoked this call (though it should not matter - and it does indeed appear to make no difference). I use the callback to avoid handshake termination when the peer certificate cannot be checked against a root CA from the verify_locations list (I let verify_callback return 1 in that case); I handle this case explicitly later in the program (after obtaining the peer's certificate and CA list).

The program works fine when compiled on Solaris using the 0.9.6 version of the library and on Linux using 0.9.7b. However, a problem occurs when compiling the same code under Irix (I use gcc on all platforms). I've tested compiling against the (.a variant of) the 0.9.6i and 0.9.7c versions of OpenSSL on Irix, and tried to interoperate with the Linux, Solaris and Irix versions.

The problem seems to be with the client code on Irix, as there SSL_connect returns -1, and SSL_get_error the following: error:00000001:lib(0):func(0):reason(1). In this case, the server (independent of the platform on which it runs) cannot obtain the peer certificate of the client. Both server and client do not get a callback during the handshake; they do under Solaris when the program works 'correctly' (here SSL_connect succeeds).

It is not clear to me what happens... can anyone shed some light on this?

Thanks, best regards,
Guido.

PS As an aside, Steve and Peter, thanks still for the help on the SHA-1 issue before.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]