In order for a certificate to have any meaning, it must include a public key (of whatever type), and the private key should be kept private for that side.
Thus, you've created three keypairs: one for the CA, one for the server, one for the client. The CA's certificate is self-signed, and you've given that certificate to both the server and the client. The server's certificate is signed by the CA, and you've given it to the server. The client's certificate is signed by the CA, and you've given it to the client. Okay.

Now, I understand what you're trying to do -- you're trying to use SOAP in place of DCOM [which, btw, I applaud :)]. There's a whole bunch of things that can go wrong on either side -- this is where the openssl command-line program comes in handy. What you want to do is manually generate some valid queries and valid answers to those queries, because what you're going to do is fake the server, and then fake the client.

To fake the server, get the server cert and key out and put it into a new directory, name it server.pem, copy the CA cert to the new directory, name it CA.pem, and then type the following:

    openssl s_server -accept (portnum) -crlf -cert server.pem -CAfile CA.pem

(obviously, you want to replace portnum with the actual port you're trying to use -- MAKE SURE THAT NOTHING ELSE IS LISTENING ON IT, OR YOU WILL GET AN ERROR). Then, use the client to connect to it, and send a request. If it comes through properly (i.e., you can read it), the client is respecting the certificate that the server is sending. Hit ctrl-c to stop the server, and then do the same line, except append '-Verify CA.pem' to the end of it, and then perform the test again. If it comes through, then it's not an SSL problem on the client or server end, and you will have to look at gSOAP for the answer.
To test what the server is sending back to the client, you use almost the same command, except it's:

    openssl s_client -connect hostname:port -verify CA.pem -cert client.pem -crlf -CAfile CA.pem

If you send a valid request via that mechanism, and it's logged as a valid request on the server side, then your problem is in your application (or, more specifically, its SOAP client library). I hope this helps you troubleshoot it. :)

-Kyle H

On 2/8/06, Lee Colclough <[EMAIL PROTECTED]> wrote:
> Hi, thanks for the response,
>
> Sorry to post something this convoluted to the group, but I need help
> and Kyle asked for more info - he may now regret that! Here is a bit
> more detail:
>
> I currently have a GUI executable which calls functions and operations
> on a DLL. What the DLL actually does is immaterial. My task is to make
> the DLL run as a Windows service, and allow the GUI to communicate with it
> using SOAP (the gSOAP toolkit is being used for this).
>
> With this in mind, I have created an executable wrapper for the DLL, and
> made it a SOAP service. My GUI executable has been turned into a SOAP
> client, so now the GUI soap client uses SOAP remote procedure calls to
> get the server to do stuff. Hope you followed that!
>
> The new client server layout works just fine - the soap messaging works,
> and the client interacts with the server with no problems via the medium
> of SOAP messaging. However, this breaks when I turn on the SSL stuff
> which gSOAP supports using OpenSSL.
>
> gSOAP apparently makes this nice and easy - you have a client and a
> server method which you pass the certificate names to, along with the
> certificate store, key passwords, dh file etc.
>
> For testing purposes I run both the client and server on the same
> machine, and using OpenSSL command line tools I have generated a root
> CA, and used this to sign a server certificate and client certificate
> (PEM format).
>
> Now, I don't get any errors at all from the certificates - at first when
> I did this I got key errors and hostname mismatch errors, but now
> nothing, so I believe I generated the certs properly.
>
> However, when the client sends the SOAP message to the server via https
> and the SOAP deserialiser parses it, it is still garbage. The gSOAP
> toolkit provides sent and received log files at both ends - the client
> sent file contains a valid SOAP message, the server received file
> contains a load of junk (i.e. the encrypted SOAP message).
>
> What I am really asking for is this - I generate the certificates as
> stated then concatenate the server key to the server cert, and likewise
> for the client key and cert. These concatenated PEM files are then used
> as the certificates at both ends. When I do this, the encryption seems
> to work but decryption does not. Do you have any idea of what this
> could be, as I am lost!
>
> From what I can see, I think I'm getting confused over what the server
> actually wants when it says a certificate - if I have generated a server
> certificate and key, is that what it is expecting?
>
> I know I'm presupposing a lot of knowledge of gSOAP, but I don't think
> it's gSOAP specific - that's just one method call where I tell it where
> to find the certificate.
>
> Still a confusing explanation I know, but it's a confusing problem!
>
> Hope this helps a little, many thanks in advance for anyone who trawled
> through all this!
>
> Lee Colclough

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]