hello,

so close, yet so far....

I fixed it where the client is sending its certs over and the
handshake is complete.  But I have two problems:

1.  For different clients, I have different CA certs, so I load them all
up when the server starts using:
     SSL_CTX_load_verify_locations(ssl_ctx, <CA cert location>,NULL)

and then, when it is time for a renegotiation, I call:
SSL_set_client_CA_list(...)

with only the CA names that the particular client's certs are for.  But
even when the CA cert's CN and the client cert's issuer CN do not match,
the handshake completes successfully.  Am I wrong in assuming that it
should fail?  Or does OpenSSL on the server side (which I am writing)
not check to make sure the cert and the CA cert match?

2.  Given the cert and CA certs, is there a nice and simple call, like
SSL_make_sure_certs_match_CA_certs(X509 *cert, STACK_OF(X509_NAME)
*ca_stack)?  That would really make my day.

Thanks everyone for all your help on this question, the past
questions, and the undoubtedly future questions,
-=- adam grossman



On Wed, 2010-01-27 at 23:29 -0500, Adam Grossman wrote:
> I am trying to emulate something that mod_ssl does, and it used 0.9.7d.
> I verified that the same exact certs are working on another system.
> Also, the CA cert on the server has the correct CN.  To load the client
> CA I use:
> 
> list=SSL_load_client_CA_file(<path to CA cert>);
> SSL_set_client_CA_list(ssl, list); 
> 
> and then call the rest of the functions i described in my original
> message.
> 
> SSL_set_verify(ssl, SSL_VERIFY_PEER |
> SSL_VERIFY_FAIL_IF_NO_PEER_CERT ,NULL);
> SSL_renegotiate(ssl);
> SSL_do_handshake(ssl);
> ssl->state=SSL_ST_ACCEPT;
> SSL_do_handshake(ssl);
> 
> 
> Could I be missing something or calling something incorrectly?
> 
> Thanks,
> -=- adam grossman
> 
> On Wed, 2010-01-27 at 22:01 -0500, Brett Schoppert wrote:
> > Not sure if the problem I had is the same as yours, but I meant 0.9.8k ( 
> > not 7k ).
> > 
> > I first verified my setup was working ( certs were correct, etc. ) by 
> > setting up client-side SSL for the whole VirtualHost. Once that worked, I 
> > changed it to be only for a specific location where it had to renegotiate, 
> > and it failed ( until switching to 0.9.8k ).
> > 
> > I don't know what your server application does, but maybe you could do 
> > something similar where you could verify everything without 
> > renegotiation ... just to narrow down that it is the renegotiation causing 
> > a problem and not the rest of the setup ?
> > 
> > 
> > -----Original Message-----
> > From: owner-openssl-us...@openssl.org 
> > [mailto:owner-openssl-us...@openssl.org] On Behalf Of Adam Grossman
> > Sent: Wednesday, January 27, 2010 9:37 PM
> > To: openssl-users@openssl.org
> > Subject: RE: renegotiation with client certificate
> > 
> > I just tried 0.9.7m, to no avail.  I double checked my certs, I made
> > sure my CA cert on the server is correct, and I am still getting the
> > same error on the server, and the browser is giving me "Peer does not
> > recognize and trust the CA that issued your certificate."
> > 
> > Thanks,
> > -=- adam grossman
> > 
> > On Wed, 2010-01-27 at 17:53 -0500, Brett Schoppert wrote:
> > > I recently had the same issue that was resolved when I changed Apache to 
> > > use 0.9.7k.
> > > 
> > > -----Original Message-----
> > > From: owner-openssl-us...@openssl.org 
> > > [mailto:owner-openssl-us...@openssl.org] On Behalf Of Adam Grossman
> > > Sent: Wednesday, January 27, 2010 5:01 PM
> > > To: openssl-users@openssl.org
> > > Subject: renegotiation with client certificate
> > > 
> > > Hello.
> > > 
> > > I am having trouble getting my server renegotiation working with client
> > > certificates.  Without certificates, it works fine.  The one thing is
> > > that the server initially does not need a client cert, but it does
> > > during renegotiation (a requirement I have that is out of my hands).
> > > 
> > > I am using 0.9.7d.
> > > 
> > > The server talks to a web browser.  This is what i am doing (leaving out
> > > the error handling):
> > > 
> > > SSL_set_verify(ssl, SSL_VERIFY_PEER |SSL_VERIFY_FAIL_IF_NO_PEER_CERT ,
> > > NULL);
> > > SSL_renegotiate(ssl);
> > > SSL_do_handshake(ssl);
> > > ssl->state=SSL_ST_ACCEPT;
> > > SSL_do_handshake(ssl);
> > > 
> > > When it renegotiates, the browser says "The site requested you to
> > > identify yourself with a certificate".  But then the 2nd handshake gives
> > > the error:
> > > 
> > > 1780:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
> > > certificate returned:s3_srvr.c:2010:
> > > 
> > > I even looked at mod_ssl, and it seems to be doing the same thing.  What
> > > am I missing?
> > > 
> > > Thanks everyone once again,
> > > -=- adam grossman
> > > 
> > > ______________________________________________________________________
> > > OpenSSL Project                                 http://www.openssl.org
> > > User Support Mailing List                    openssl-users@openssl.org
> > > Automated List Manager                           majord...@openssl.org
> > 
> 

