> From: owner-openssl-us...@openssl.org On Behalf Of mail man
> Sent: Friday, 15 May, 2009 02:27
>
> I am using the demo files: openssl-0.9.8j/demos/ssl/cli.cpp and serv.cpp (attached)
>
> Console output from server ...
> Client does not have certificate.
> Got 12 chars:'Hello World!'
>
> I have generated the self signed certificates using these steps:
>
> Step 1: Generate private key
> openssl genrsa -des3 -out privkey.pem 2048
>
> Step 2: Create a certificate request
> openssl req -new -key privkey.pem -out cert.csr
>
> Step 3: Create a self-signed test certificate
> openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
>
> Serv.cpp has:
> #define CERTF HOME "cacert.pem"
> #define KEYF HOME "privkey.pem"

Your step 2 is useless; you never use the CSR for anything. You could also combine steps 1 and 3; 'req' can create a CSR-or-cert for an existing key, or generate a new key and use that for a CSR-or-cert. But the way you have works, and is arguably slightly clearer.

A more realistic scenario is to create a _CA_ key and self-signed cert (with req -newkey: -x509, or e.g. genrsa followed by req -new -x509) and then a _different_ key and CSR (not cert) for your _server_, and use openssl ca to issue a cert for that CSR (signed by the CA). Or if a 'real' CA is available, only generate your server key and CSR, have the CA issue your server cert, and use it with the CA's cert(s). In these cases you would also need to provide the CA cert (out of band) to the client if the client wanted to verify, which your sample doesn't.

> What does the statement in red "Client does not have certificate." mean?

It means the client didn't provide a certificate to authenticate itself during the SSL handshake sequence. The wording is a bit misleading, since the server can't know for sure what the client has, only what it presents through the protocol; it would be more accurate to say something like 'client did not provide certificate'.

In fact, your sample server doesn't even request a client cert, because it isn't the default. You need to call SSL_[CTX_]set_verify with mode = at least SSL_SET_VERIFY_PEER. If it did, your sample client has no code to provide a key+cert to openssl for this purpose. There are two ways to do that if and when you want to. If you know/decide in advance which to use, simply set them in the same way as the server. If you want to react to the server's specification of which CAs it supports by choosing a suitable cert (and its related key), either automatically or with the user's help, write and set a client_cert_callback.

> The client/server are able to communicate, right?

Yes. SSL/TLS itself does not require the client be authenticated. That is an option, and an option that some servers may demand but your sample one does not even request. In fact in v3/TLS, _server_ authentication also can be bypassed using an anonymous ciphersuite, though some clients may not handle this.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
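The "more realistic scenario" from the reply, as an added example that is not part of the thread: a CA key with a self-signed CA cert, then separate keys and CSRs for the server and for the client, each issued a cert by the CA. It uses `openssl x509 -req -CA` to sign the CSRs instead of `openssl ca`, so no CA directory layout or config file is needed; all subject names and file names are constructed for this example, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a small test PKI:
#   ca.key/ca.pem          CA key and self-signed CA cert (one 'req' step)
#   server.key/server.pem  server key + cert issued by the CA from a CSR
#   client.key/client.pem  client key + cert issued the same way, so the
#                          client has something to present once the server
#                          calls SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, ...)
# Signing uses 'openssl x509 -req -CA' rather than 'openssl ca' to avoid the
# CA directory/config setup. Names are constructed; requires the openssl CLI.
set -eu

make_test_pki() {
  dir="$1"
  mkdir -p "$dir"
  # CA: generate a new key and a self-signed cert in one step (-newkey + -x509)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # Server and client: a different key each, and a CSR only (no self-signed cert)
  for name in server client; do
    openssl req -new -newkey rsa:2048 -nodes \
      -subj "/CN=$name.example.test" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    # Issue the cert from the CSR, signed by the CA key
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
      -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
      -out "$dir/$name.pem" 2>/dev/null
  done
  # The CA cert (ca.pem) is what each side must be given out of band to verify
  # the other; the server would load server.pem/server.key with
  # SSL_CTX_use_certificate_file / SSL_CTX_use_PrivateKey_file, the client
  # client.pem/client.key the same way.
}

# verify_cert CAFILE CERT: exit 0 if CERT chains to CAFILE, non-zero otherwise.
verify_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

A cert verified against the wrong trust anchor (for instance server.pem used as the CA file) fails, which is the check the sample client in the thread never performs.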