A few months ago I asked: > I am having some trouble with the examples in Rescorla's _SSL and TLS: > Designing and Building Secure Systems_ book. I feel like I am making > a minor mistake somewhere, but I'm just overlooking where. I would > appreciate another set of eyes to tell me where I am going wrong.
...then I got wicked busy. Nobody contacted me with a solution, so I tracked down the problem myself. I simply forgot to get back to this list with my solution. Anyway, if you apply the following patch to the code that Rescorla distributes, the examples in his book should work for you. I hope this patch is useful to others. Kind regards, --kevin -- GnuPG ID: B280F24E Meet me by the knuckles alumni.unh.edu!kdc of the skinny-bone tree. http://kdc-blog.blogspot.com/ -- Tom Waits
diff -Naur c-examples.orig/Makefile c-examples/Makefile
--- c-examples.orig/Makefile 2000-10-09 05:38:19.000000000 +0000
+++ c-examples/Makefile 2009-02-20 19:14:50.000000000 +0000
@@ -1,6 +1,6 @@
-OPENSSLDIR=/users/ekr/src/freebsd/openssl-0.9.4
-CFLAGS=-g -I$(OPENSSLDIR)/include
-LD=-L$(OPENSSLDIR) -lssl -lcrypto
+
+CFLAGS=-g # -Werror -Wall -Wcast-qual
+LD=-lssl -lcrypto
 OBJS=common.o
@@ -20,3 +20,115 @@
 mserver: server.o mserver.o echo.o $(OBJS)
 $(CC) mserver.o server.o echo.o $(OBJS) -o mserver $(LD)
+
+
+#########################################################################
+#########################################################################
+#########################################################################
+
+
+.PHONY: test-clean test-setup create_dh_group create_random_data create_ca_keypair_rsa create_ca_keypair_dsa create_ca_cert create_server_keypair_rsa create_server_keypair_dsa do_signing_server create_client_keypair_rsa create_client_keypair_dsa do_signing_client
+
+
+create_dh_group:
+ @echo Creating DH group
+# openssl dhparam -check -text -5 1024 -out dh1024.pem
+ openssl dhparam -check -text -2 1024 -out dh1024.pem
+
+create_random_data:
+ @echo Generating some random data \(THIS TAKES SOME TIME\)
+ # todo: make this obtain more random data
+ dd if=/dev/random of=random.pem count=1 bs=128
+
+create_ca_keypair_rsa:
+ @echo Generate CA RSA keypair
+ openssl genrsa -des3 -passout pass:password -out ca_key.pem 2048
+
+create_ca_keypair_dsa:
+ @echo Generate CA DSA keypair
+ expect -c 'set timeout -1; \
+ spawn openssl gendsa -des3 -out ca_key.pem dsa_params ;\
+ expect "Enter PEM pass phrase" ; \
+ send -- "password\r"; \
+ expect "Verifying - Enter PEM pass phrase" ; \
+ send -- "password\r" ; expect eof'
+
+create_ca_cert:
+ @echo Generate public-key certificate for CA
+ (echo US; echo NH; echo Grovers Corners; echo XYZ Corp ; \
+ echo engineering ; echo localhost ; \
+ echo ) \
+ | openssl req -new -key ca_key.pem -x509 -days 3 -out ca_cert.cer -passin pass:password
+ # cat ca_key.pem ca_cert.cer >root.pem
+ cp ca_cert.cer root.pem
+
+
+create_server_keypair_rsa:
+ @echo Generate Server RSA keypair
+ openssl genrsa -des3 -passout pass:password -out server_key.pem 2048
+ @echo Output public part of keypair to separate file
+ expect -c 'set timeout -1; \
+ spawn openssl rsa -in server_key.pem -pubout -outform PEM -out server_pubkey.pem ;\
+ expect "Enter pass phrase" ; \
+ send -- "password\r" ; expect eof;'
+
+
+create_server_keypair_dsa:
+ @echo Generate Server DSA keypair
+ expect -c 'set timeout -1; \
+ spawn openssl gendsa -des3 -out server_key.pem dsa_params ;\
+ expect "Enter PEM pass phrase" ; \
+ send -- "password\r"; \
+ expect "Verifying - Enter PEM pass phrase" ; \
+ send -- "password\r" ; expect eof'
+
+do_signing_server:
+ @echo Generate Server Certificate Signing Request \(CSR\)
+ (echo US; echo NH; echo Grovers Corners; echo XYZ Corp ; \
+ echo engineering ; echo localhost ; \
+ echo ; echo password ; \
+ echo XYZ Corp) \
+ | openssl req -new -key server_key.pem -out server_request.csr -passin pass:password
+ @echo
+ @echo Have CA sign CSR
+ openssl x509 -req -days 3 -in server_request.csr -CA ca_cert.cer -CAkey ca_key.pem -CAcreateserial -out server.cer -passin pass:password
+ @echo
+ @echo Creat .pem file that example wants
+ cat server_key.pem server.cer >server.pem
+
+
+create_client_keypair_rsa:
+ @echo Create Client RSA keypair
+ openssl genrsa -des3 -passout pass:password -out client_key.pem 2048
+
+create_client_keypair_dsa:
+ @echo Generate Client DSA keypair
+ # openssl dsaparam -out dsa_params 2048
+ # openssl gendsa -des3 -out client_key.pem dsa_params
+ expect -c 'set timeout -1; \
+ spawn openssl gendsa -des3 -out client_key.pem dsa_params ;\
+ expect "Enter PEM pass phrase" ; \
+ send -- "password\r"; \
+ expect "Verifying - Enter PEM pass phrase" ; \
+ send -- "password\r" ; expect eof'
+
+do_signing_client:
+ @echo Generate Client Certificate Signing Request \(CSR\)
+ (echo US; echo NH; echo Grovers Corners; echo XYZ Corp ; \
+ echo engineering ; echo localhost ; \
+ echo ; echo password ; \
+ echo XYZ Corp) \
+ | openssl req -new -key client_key.pem -out client_request.csr -passin pass:password
+ @echo
+ @echo Have CA sign CSR
+ openssl x509 -req -days 3 -in client_request.csr -CA ca_cert.cer -CAkey ca_key.pem -CAcreateserial -out client.cer -passin pass:password
+ @echo
+ @echo Creat .pem file that example wants
+ cat client_key.pem client.cer >client.pem
+
+
+
+test-clean:
+ rm -f *.cer *.pem *.csr dhparam
+
+test-setup: create_dh_group create_random_data create_ca_keypair_rsa create_ca_cert create_server_keypair_rsa do_signing_server create_client_keypair_rsa do_signing_client
diff -Naur c-examples.orig/client.c c-examples/client.c
--- c-examples.orig/client.c 2000-10-09 05:38:19.000000000 +0000
+++ c-examples/client.c 2009-02-20 19:20:41.000000000 +0000
@@ -28,8 +28,17 @@
 {
 X509 *peer;
 char peer_CN[256];
-
- if(SSL_get_verify_result(ssl)!=X509_V_OK)
+ long ssl_result;
+
+ ssl_result = SSL_get_verify_result(ssl);
+ if( ssl_result != X509_V_OK
+
+ /* kdc: I added this for my own testing ; you should think
+ carefully about whether you want this in your code */
+
+ && ssl_result != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+
+ )
 berr_exit("Certificate doesn't verify");
 /*Check the cert chain. The chain length
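Review bot: `dd if=/dev/random of=random.pem count=1 bs=128` in create_random_data can silently produce fewer than 128 bytes, because `count=1` counts reads and a read from /dev/random may return short when the entropy pool is low; with GNU dd write `dd if=/dev/random of=random.pem count=1 bs=128 iflag=fullblock` so the file is always the intended size. Separately, test-clean removes a file named `dhparam` that no target writes (create_dh_group produces dh1024.pem, already covered by `*.pem`), while the `ca_cert.srl` serial file that `-CAcreateserial` creates in do_signing_server and do_signing_client, and the `dsa_params` input the DSA targets expect, are left behind; `rm -f *.cer *.pem *.csr *.srl dsa_params` would match what the targets actually produce and consume. The 1024-bit group from `dhparam -2 1024` is also below what some current OpenSSL default security levels will accept, so 2048 would keep these fixtures loadable on newer builds. The fixed `pass:password` passphrase and `-days 3` lifetime read as deliberate throwaway test material, which is fine as long as the targets stay under test-setup.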
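Review bot: The added `&& ssl_result != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT` clause makes any self-signed certificate pass verification, so the peer-name check that presumably follows on `peer_CN` (the enclosing function continues outside the hunk) no longer binds the name to a trusted issuer, and the in-code comment alone does not stop this build from being used as-is. Put the exemption behind a build-time switch so the default build keeps strict verification, e.g. wrap the clause in `#ifdef ALLOW_SELF_SIGNED_PEER_FOR_TESTING` / `#endif` and leave the macro undefined in the Makefile. Since the verify result is now held in `ssl_result`, the failure path can also report what actually went wrong instead of the fixed string: `berr_exit(X509_verify_cert_error_string(ssl_result));` (or log that string before the existing berr_exit), which makes a misconfigured CA file distinguishable from a genuinely untrusted peer.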