Hello,
> I am trying to add client certificate support to Daquiri which is
> using openssl for https connections already.
>
> http://omniti.com/~jesus/projects/
>
> So before creating the SSL with SSL_new I am loading our client
> certificate CA's certificate chain into the context with:
>
> int load_client_ca(SSL_CTX *ctx, const char *clientca) {
>     STACK_OF(X509_NAME) *cert_stack;
>
>     if(!SSL_CTX_load_verify_locations(ctx,clientca,NULL)) {
>         fprintf(stderr, "Failed loading verify locations from %s\n", clientca);
>         return -1;
>     }
>     cert_stack = SSL_load_client_CA_file(clientca);
>     if(!cert_stack) {
>         fprintf(stderr, "Could not load CA client list from %s\n", clientca);
>         return -1;
>     } else {
>         SSL_CTX_set_client_CA_list(ctx, cert_stack);
>     }
>     return 0;
> }
>
> Then I set the password callback
>
> SSL_CTX_set_default_passwd_cb(ssl_ctx, passwd_callback);
>
> Then I load the client cert with the private key
>
> if(SSL_CTX_use_certificate_chain_file(ssl_ctx,
>                                       "/home/torsten/torsten.pem") != 1) {
>     fprintf(stderr, "Failed loading certificate\n");
> }
Try SSL_CTX_use_PrivateKey_file() to load the private key
(and I suggest SSL_CTX_check_private_key() to check that the
private key matches the certificate).
> But on a connect
>
> ssl_err = SSL_connect(hr->ssl);
> if (ssl_err < 0)
> {
>     error_printf("Hard error %d on SSL_connect for fd %d\n",
>                  ssl_err, event->fd);
>
> I always get a -1 return code, and the password callback is not getting
> called at all.
Add ERR_print_errors_fp(stderr); to get more information.
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
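The following is an added example, not code from the thread or from Daquiri. It illustrates why the symptom above (SSL_connect fails, passwd callback never runs) follows from the posted setup: SSL_CTX_use_certificate_chain_file() consumes only the CERTIFICATE blocks of a PEM file, so the key in torsten.pem is never read; the callback set with SSL_CTX_set_default_passwd_cb() is invoked only while SSL_CTX_use_PrivateKey_file() decrypts an encrypted key block. The working order on the OpenSSL side is therefore: SSL_CTX_set_default_passwd_cb(), SSL_CTX_use_certificate_chain_file(), SSL_CTX_use_PrivateKey_file() (the same path may be passed to both, since each PEM reader skips blocks of other types), then SSL_CTX_check_private_key(); on a failed SSL_connect(), SSL_get_error() plus ERR_print_errors_fp(stderr) names the actual cause. The scanner below is a dependency-free C diagnostic for the file itself: it walks the PEM blocks and reports whether a private-key block is present at all and whether it is encrypted (PKCS#8 "ENCRYPTED PRIVATE KEY" label, or the legacy "Proc-Type: 4,ENCRYPTED" header). It never decodes base64, so the constructed sample bodies are placeholders, not real key material.

```c
/* pem_check.c: report which blocks a PEM file offers to an OpenSSL client
 * context. Added example; the sample PEM strings below are constructed
 * (the base64 is just "BASE64-BODY-PLACEHOLDER"), not real certificates or keys. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

typedef enum {
    PEM_MALFORMED = -1,   /* unterminated block or BEGIN/END label mismatch */
    PEM_NO_CERT = 0,      /* no CERTIFICATE block at all */
    PEM_NO_KEY,           /* certificate only: nothing for SSL_CTX_use_PrivateKey_file */
    PEM_KEY_PLAINTEXT,    /* key present, unencrypted: passwd callback never runs */
    PEM_KEY_ENCRYPTED     /* key present and encrypted: passwd callback will run */
} pem_verdict;

typedef struct {
    int certs, keys;
    bool key_encrypted, malformed;
} pem_summary;

static bool is_key_label(const char *label)
{
    static const char *const labels[] = {
        "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",                 /* PKCS#8 */
        "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"  /* legacy */
    };
    for (size_t i = 0; i < sizeof labels / sizeof labels[0]; i++)
        if (strcmp(label, labels[i]) == 0) return true;
    return false;
}

pem_summary pem_scan(const char *pem)
{
    pem_summary s = {0, 0, false, false};
    const char *p = pem;
    while ((p = strstr(p, "-----BEGIN ")) != NULL) {
        p += strlen("-----BEGIN ");
        const char *close = strstr(p, "-----");
        if (!close || (size_t)(close - p) >= 64) { s.malformed = true; break; }
        char label[64];
        memcpy(label, p, (size_t)(close - p));
        label[close - p] = '\0';
        p = close + 5;

        char endmark[96];
        snprintf(endmark, sizeof endmark, "-----END %s-----", label);
        const char *end = strstr(p, endmark);
        const char *next = strstr(p, "-----BEGIN ");
        /* A missing END, or another BEGIN before it, means the file is cut or spliced. */
        if (!end || (next && next < end)) { s.malformed = true; break; }

        if (strcmp(label, "CERTIFICATE") == 0) {
            s.certs++;
        } else if (is_key_label(label)) {
            s.keys++;
            /* PKCS#8 signals encryption in the label; legacy PEM uses an
             * RFC 1421 "Proc-Type: 4,ENCRYPTED" header inside the block. */
            const char *proc = strstr(p, "Proc-Type: 4,ENCRYPTED");
            if (strcmp(label, "ENCRYPTED PRIVATE KEY") == 0 || (proc && proc < end))
                s.key_encrypted = true;
        }
        p = end + strlen(endmark);
    }
    return s;
}

pem_verdict pem_diagnose(const char *pem)
{
    pem_summary s = pem_scan(pem);
    if (s.malformed) return PEM_MALFORMED;
    if (s.certs == 0) return PEM_NO_CERT;
    if (s.keys == 0) return PEM_NO_KEY;
    return s.key_encrypted ? PEM_KEY_ENCRYPTED : PEM_KEY_PLAINTEXT;
}

/* Constructed samples with placeholder bodies. */
#define FAKE_CERT \
    "-----BEGIN CERTIFICATE-----\nQkFTRTY0LUJPRFktUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
const char *const PEM_CERT_ONLY = FAKE_CERT;
const char *const PEM_CERT_PLAIN_KEY = FAKE_CERT
    "-----BEGIN PRIVATE KEY-----\nQkFTRTY0LUJPRFktUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n";
const char *const PEM_CERT_ENC_KEY = FAKE_CERT
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    "QkFTRTY0LUJPRFktUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n";
const char *const PEM_TRUNCATED = "-----BEGIN CERTIFICATE-----\nQkFTRTY0LUJPRFktUExBQ0VIT0xERVI=\n";

int main(void)
{
    const struct { const char *name, *pem; } files[] = {
        {"cert only", PEM_CERT_ONLY}, {"cert + plaintext key", PEM_CERT_PLAIN_KEY},
        {"cert + encrypted key", PEM_CERT_ENC_KEY}, {"truncated", PEM_TRUNCATED},
    };
    static const char *const verdict_text[] = {
        "no certificate", "certificate but no private key (callback can never fire)",
        "key is not encrypted (callback not needed)", "encrypted key (callback will be called)"
    };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        pem_verdict v = pem_diagnose(files[i].pem);
        printf("%-22s: %s\n", files[i].name, v == PEM_MALFORMED ? "malformed PEM" : verdict_text[v]);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall pem_check.c -o pem_check`; no OpenSSL linkage is needed because the check only looks at PEM framing. To run it on the file from the thread, read /home/torsten/torsten.pem into a buffer and pass it to pem_diagnose(): PEM_NO_KEY means the key is in another file and must be given to SSL_CTX_use_PrivateKey_file() separately, PEM_KEY_PLAINTEXT means the callback is simply not needed, and only PEM_KEY_ENCRYPTED should ever produce a callback invocation.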