Kyle Hamilton wrote:
> SSL_connect on the client will only send the client certificate if the server requests it and sends a list of authority names it will accept, AND the certificate is signed by one of those authority names.

Well, the "AND" isn't exactly what SSL_connect does as far as I remember. It is in fact the responsibility of the application to set the certificate that will be sent, and there are at least three ways to do so, as far as I remember (and read the code in s3_clnt.c):

- When an application has set the cert/key with SSL_use_certificate and SSL_use_PrivateKey, then this will be used independently of what the server requires. It must at least require a certificate, though.
- There is a callback that can select a key/cert depending on the list received from the server.
- There is an error code generated by SSL_connect which can be tested by SSL_want_x509_lookup to select and set a cert (or not).

Even if no cert is available the handshake continues, and may even succeed if the server allows it.

The answer to the first question below is "yes", as indicated.

As far as I remember, in some Java contexts, one needs to set two different stores, one for the server, and one for the clients. For the client the store (in whatever form, JKS for example) holds all the CA certs for which the server will accept and validate client certs.

> SSL_ERROR_SSL is an error stating that an SSL session couldn't be established, either because of 'no common cipher', or 'SSL/TLS version mismatch', or something else that goes wrong in the initial handshake. See the relevant RFCs for more detail on what can go wrong.
>
> -Kyle H
>
> On 2/3/06, Ambarish Mitra <[EMAIL PROTECTED]> wrote:
>> On SSL_connect, the openssl documentation mentions that: "initiate the TLS/SSL handshake with an TLS/SSL server"
>>
>> I have created the client cert and loaded it into the context with "SSL_CTX_use_certificate_file" and the corresponding private key with "SSL_CTX_use_PrivateKey_file". This association works since the call "SSL_CTX_check_private_key" succeeded.
>>
>> In SSL_connect, does the client program send out the client certificate to the server as a part of the handshake?
>>
>> Now, my server is Java based, and I do not have much idea on JVM keystores. It looks like the keystore holds the CA cert and also the server cert. This CA is also the one who issued the client cert.
>>
>> I am getting an error "SSL_ERROR_SSL" with SSL_connect() returning <=0. Under what circumstances does SSL_connect return this error?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
-- 
To verify the signature, see http://edelpki.edelweb.fr/ This lets you load the authority's certificate; the list of revoked certificates can also be found there.
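The client-authentication exchange the reply above describes, as an added example that is not from the thread, from OpenSSL or from any of the posters: the server advertises a list of acceptable authority names, a selection callback on the client decides which certificate (if any) to send, and a handshake with no client certificate may still succeed when the server allows it. It uses Go's crypto/tls as a stand-in for the OpenSSL C API because it exposes the same hooks and runs without a C toolchain or OpenSSL headers: GetClientCertificate plays the role of the key/cert selection callback, CertificateRequestInfo.AcceptableCAs is the authority-name list sent in the server's CertificateRequest, and ClientAuth set to RequireAndVerifyClientCert or VerifyClientCertIfGiven is the server either requiring a certificate or merely verifying one if given. The "issued by one of the advertised authorities" check is done explicitly in the callback here. All certificates, the names ca.test, other-ca.test, server.test, client.test and stray.test, and the loopback listener are constructed test material.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a short-lived test certificate for cn (constructed material, not a real PKI):
// self-signed when isCA is set, otherwise signed by parent's key.
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: isCA,
	}
	parentCert, signer := tmpl, crypto.Signer(key) // self-signed unless a parent is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parentCert, signer = parent.Leaf, parent.PrivateKey.(crypto.Signer)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil { panic(err) }
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// selectByIssuer is the client-side selection callback: it receives the authority names the server
// sent in CertificateRequest and returns the first candidate whose issuer is among them. Returning
// an empty tls.Certificate sends no certificate at all, and the handshake continues without one.
func selectByIssuer(candidates []tls.Certificate) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		for i := range candidates {
			for _, acceptable := range cri.AcceptableCAs {
				if bytes.Equal(acceptable, candidates[i].Leaf.RawIssuer) {
					return &candidates[i], nil
				}
			}
		}
		return &tls.Certificate{}, nil
	}
}

// handshake runs one TLS handshake over loopback TCP. The server trusts client certificates issued by
// ca (the pool's subjects are the authority names it advertises) and applies the given ClientAuth policy.
// It returns the client identity the server authenticated ("" when none was sent) or the server-side error.
func handshake(serverCert tls.Certificate, ca *x509.Certificate, auth tls.ClientAuthType, candidates []tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: pool, ClientAuth: auth, MinVersion: tls.VersionTLS12}
	cli := &tls.Config{RootCAs: pool, ServerName: "server.test", GetClientCertificate: selectByIssuer(candidates), MinVersion: tls.VersionTLS12}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return "", err }
	defer ln.Close()
	go func() {
		if conn, err := net.Dial("tcp", ln.Addr().String()); err == nil {
			c := tls.Client(conn, cli)
			c.Handshake()           // a rejection surfaces as the server-side error below
			c.Read(make([]byte, 1)) // stay connected until the server closes (or alerts)
			c.Close()
		}
	}()
	conn, err := ln.Accept()
	if err != nil { return "", err }
	s := tls.Server(conn, srv)
	defer s.Close()
	if err := s.Handshake(); err != nil { return "", err }
	if peers := s.ConnectionState().PeerCertificates; len(peers) > 0 {
		return peers[0].Subject.CommonName, nil
	}
	return "", nil
}

func main() {
	ca, otherCA := issue("ca.test", true, nil), issue("other-ca.test", true, nil)
	server := issue("server.test", false, &ca)
	good := issue("client.test", false, &ca)      // issued by the CA the server trusts
	stray := issue("stray.test", false, &otherCA) // issued by a CA the server never advertises
	// A matching issuer is available: the callback skips stray, sends good, and the server accepts it.
	fmt.Println(handshake(server, ca.Leaf, tls.RequireAndVerifyClientCert, []tls.Certificate{stray, good}))
	// No issuer matches, so nothing is sent; a server that requires a certificate fails the handshake.
	fmt.Println(handshake(server, ca.Leaf, tls.RequireAndVerifyClientCert, []tls.Certificate{stray}))
	// Same client, but the server only verifies a certificate if given: success with no client identity.
	fmt.Println(handshake(server, ca.Leaf, tls.VerifyClientCertIfGiven, []tls.Certificate{stray}))
}
```

The ClientCAs pool is the server-side counterpart of the store the reply says a Java server needs for its clients: the CAs it both advertises and validates against. The second scenario is the shape of the failure in the original question, a required client certificate that the client never presents because nothing it holds chains to an advertised authority; the third shows the handshake still completing when the server does not insist on one.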