I am having a problem with my program. I have a client-server application where both sides need to see the other side's certificate. On the server, when I do an SSL_get_peer_certificate(ssl) I get nothing returned.
From a trace of the client I see this happening:

    LOOP: SSL connect: before/connect initialization
    LOOP: SSL connect: SSLv2/v3 write client hello A
    LOOP: SSL connect: SSLv3 read server hello A
    LOOP: SSL connect: SSLv3 read server certificate A
    LOOP: SSL connect: SSLv3 read server done A
    LOOP: SSL connect: SSLv3 write client key exchange A
    LOOP: SSL connect: SSLv3 write change cipher spec A
    LOOP: SSL connect: SSLv3 write finished A
    LOOP: SSL connect: SSLv3 flush data
    LOOP: SSL connect: SSLv3 read finished A
    INFO: SSL connect: SSL negotiation finished successfully

which looks like the client sent it over. On the server side I see this:

    LOOP: SSL accept: before/accept initialization
    LOOP: SSL accept: SSLv3 read client hello A
    LOOP: SSL accept: SSLv3 write server hello A
    LOOP: SSL accept: SSLv3 write certificate A
    LOOP: SSL accept: SSLv3 write server done A
    LOOP: SSL accept: SSLv3 flush data
    INFO: SSL accept: SSLv3 read client certificate A
    INFO: SSL accept: SSLv3 read client certificate A
    LOOP: SSL accept: SSLv3 read client key exchange A
    LOOP: SSL accept: SSLv3 read finished A
    LOOP: SSL accept: SSLv3 write change cipher spec A
    LOOP: SSL accept: SSLv3 write finished A
    LOOP: SSL accept: SSLv3 flush data
    INFO: SSL accept: SSL negotiation finished successfully

which seems to indicate the server got it.

One other thing that is strange: if I set SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, I get this error thrown back on the server:

    BIO.BIOError: (19, 'no certificate returned')

On the client side of the equation I set up my SSL context and do an SSL_CTX_use_certificate and SSL_CTX_use_privkey. The calls return success (I follow them up with an SSL_CTX_check_privkey just to make sure the private key and the cert are matched up).
Here is the client side code (in Python):

    from M2Crypto import SSL  # SSL.Context and the verify_* flags come from M2Crypto

    ctx = SSL.Context()
    if ctx.load_verify_locations('cacert.pem') != 1:
        raise Exception('CA certificates not loaded')
    ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9)
    # zzz is the passphrase callback for client-key.pem
    ctx.load_cert('client.pem', keyfile='client-key.pem', callback=zzz)

The server side code (also in Python) is:

    from M2Crypto import SSL

    ctx = SSL.Context()
    # getCertListAsX509Store, ssl_ctx_use_x509, ssl_ctx_use_pkey_privkey and CA.* are local helpers
    getCertListAsX509Store(ctx.get_cert_store())
    ctx.set_allow_unknown_ca(False)
    ctx.set_verify(SSL.verify_peer + SSL.verify_fail_if_no_peer_cert, 9)
    ssl_ctx_use_x509(ctx.ctx, CA.TSRootCertificate._ptr())
    ssl_ctx_use_pkey_privkey(ctx.ctx, CA.TSRootPKey._ptr())

I was wondering if anyone can see anything obvious that I am doing wrong.

Thanks in advance,
Chaz
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
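The protocol point behind this question, as an added example that is not part of the original post and not the poster's M2Crypto code: in TLS the client only ever sends its certificate in response to a CertificateRequest from the server, and a server only sends that request when it is configured to verify the peer (in OpenSSL terms, SSL_VERIFY_PEER on the server's context; the state an OpenSSL server logs for it is "write certificate request A", which does not appear in the server trace above between "write certificate A" and "write server done A"). Loading a certificate and key on the client is necessary but not sufficient. The example below is written in Go rather than Python because the Go standard library can mint the throwaway CA, server and client certificates in memory, so it runs offline with no files; the names "Test CA", "server" and "client" are constructed for the example. It runs the same handshake three ways over loopback TCP and reports what the server's equivalent of SSL_get_peer_certificate returns.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mintCert issues a throwaway P-256 certificate for cn, entirely in memory: a self-signed
// CA when parent is nil, otherwise a leaf signed by parent, valid for server and client auth.
func mintCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial for a test cert
	tmpl := &x509.Certificate{
		SerialNumber:          sn,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	return der, key
}

// handshake runs one TLS connection over loopback TCP and returns the CN of the client
// certificate the server actually received ("" if none) plus any error. clientAuth is the
// server-side policy: tls.NoClientCert sends no CertificateRequest (SSL_VERIFY_NONE);
// tls.RequireAndVerifyClientCert is SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
func handshake(clientAuth tls.ClientAuthType, clientHasCert bool) (string, error) {
	caDER, caKey := mintCert("Test CA", nil, nil)
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil { return "", err }
	srvDER, srvKey := mintCert("server", caCert, caKey)
	cliDER, cliKey := mintCert("client", caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}},
		ClientAuth:   clientAuth,
		ClientCAs:    pool, // used to verify a client certificate, if one arrives
	}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "server"}
	if clientHasCert { // loaded on the client, but only sent if the server asks for it
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cliDER}, PrivateKey: cliKey}}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return "", err }
	defer ln.Close()
	errc := make(chan error, 1)
	var peerCN string // written by the server goroutine before it reports on errc
	go func() {
		raw, err := ln.Accept()
		if err != nil { errc <- err; return }
		defer raw.Close()
		srv := tls.Server(raw, srvCfg)
		if err = srv.Handshake(); err == nil {
			// Go's equivalent of SSL_get_peer_certificate on the server side.
			if peers := srv.ConnectionState().PeerCertificates; len(peers) > 0 {
				peerCN = peers[0].Subject.CommonName
			}
		}
		errc <- err
	}()
	cli, dialErr := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if dialErr == nil { defer cli.Close() }
	if err := <-errc; err != nil { // the server-side verdict takes precedence
		return "", err
	}
	return peerCN, dialErr
}

func main() {
	for _, has := range []bool{true, false} {
		for _, auth := range []tls.ClientAuthType{tls.NoClientCert, tls.RequireAndVerifyClientCert} {
			cn, err := handshake(auth, has)
			fmt.Printf("clientAuth=%d clientHasCert=%v -> peer CN=%q err=%v\n", auth, has, cn, err)
		}
	}
}
```

The middle case is the one that matches the symptom in the post: the client has a certificate and key loaded, the handshake completes without error, and the server still sees no peer certificate, because it never asked for one. Only when the server side requests (and here requires) a client certificate does the server's peer-certificate lookup return the client's CN, and a client that has nothing to send then fails the handshake instead of silently connecting.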