Thank you. That information was exactly what I was looking for.
________________________________
From: Kyle Hamilton <aerow...@gmail.com>
To: openssl-users@openssl.org
Sent: Wed, February 10, 2010 7:26:52 PM
Subject: Re: How to Authenticate a Client

First, initialize the library and make sure you have the ability to understand any errors you might encounter during debugging. Call SSL_library_init() and SSL_load_error_strings().

Make sure that you provide a suitably random seed for the random number generator. Call RAND_load_file() on /dev/random or some other source of chaos. (Text files, executable files, and almost any other files are bad ideas.)

From here, most of the overview can be found in the man page for ssl(3ssl).

You create an SSL_CTX object with SSL_CTX_new(). Then, you load the information you want to use to authenticate with into that context, by calling SSL_CTX_use_PrivateKey() and SSL_CTX_use_certificate(). (SSL_CTX_use_PrivateKey() may need a passphrase to be input, if the private key is encrypted. Also, load the private key first. OpenSSL's private key format also includes the public key, and that's used to determine if the certificate you're asking to use also includes that public key.)

If your certificate is signed by a sub-CA, you will also need to call SSL_CTX_use_certificate_chain_file() on the file that contains the PEM-formatted intermediate certificates.

To verify the server, you will need the certificate from the root that signed the server's public key. Once you have that, call SSL_CTX_load_verify_locations() on it.

Then, you create an SSL object from that SSL_CTX object with SSL_new(). Since you're the client, you're the one making the connection, so you call gethostbyname()/socket()/connect()/whatever to get your file handle. Once you get a connection, call SSL_set_fd() with that handle, and then call SSL_connect() to initiate the handshake.

In your processing loop, you're going to want to use SSL_read() and SSL_write() to read from and write to the descriptors, respectively.

CAUTION: Immediately after calling these functions, call SSL_get_error(), and check its result code. If it is equal to SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, freeze your buffers exactly where they are and leave their contents untouched -- you need to call that function again with exactly the same parameters. (You can perform additional work here, as long as the data in those buffers stays intact and they're not moved at all. I use this to service other file descriptors in my main loops.) SSL_ERROR_NONE means that everything that you requested was completed, and you can thaw the buffers for reuse; almost anything else means that the connection failed.

Read the manpage for SSL_get_error(3ssl) for the results and their meanings.

Good luck.

-Kyle H

On Wed, Feb 10, 2010 at 12:46 PM, Dan Zwing <danzw...@yahoo.com> wrote:
> Hello -
>
> I am writing a client program. I have an x509 certificate and a key pair.
> The server needs to authenticate the client. What is the sequence of
> openssl calls I need to make to pass the server my information? I see so
> many different functions such as SSL_CTX_use_certificate versus
> SSL_use_certificate or SSL_CTX_use_PrivateKey versus
> SSL_CTX_use_RSAPrivateKey. I've read the openssl docs but don't understand
> what functions to use.
>
> Thanks
> Dan
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
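The sequence Kyle describes, as an added example that is not from the thread or from OpenSSL's own code, written against Python's ssl module, which wraps the same OpenSSL calls: load_cert_chain() covers SSL_CTX_use_PrivateKey()/SSL_CTX_use_certificate() (chain file included), load_verify_locations() is SSL_CTX_load_verify_locations(), and SSLWantReadError/SSLWantWriteError are SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE surfaced as exceptions. The file paths, host and the wait_for() callback are placeholders, not anything from the thread.

```python
import socket
import ssl

# Added example, not code from the thread.  cert_file/key_file/ca_file are
# placeholder paths; wait_for() is a hypothetical caller-supplied function.

def make_client_context(cert_file, key_file, ca_file, key_password=None):
    """Build the SSL_CTX equivalent: client key + cert, then the server's root."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # SSL_CTX_use_PrivateKey() + SSL_CTX_use_certificate(): OpenSSL checks that
    # the key's public half matches the cert; `password` unlocks an encrypted key.
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file, password=key_password)
    # SSL_CTX_load_verify_locations(): the root that signed the server's cert.
    ctx.load_verify_locations(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # TLS_CLIENT default, kept explicit
    ctx.check_hostname = True            # the cert must also name the host
    return ctx

def connect_tls(ctx, host, port):
    """socket()/connect(), then SSL_set_fd() + SSL_connect() via wrap_socket()."""
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host, do_handshake_on_connect=False)
    tls.do_handshake()  # blocking here; a non-blocking socket needs the loop below
    return tls

def write_all(tls, data, wait_for):
    """SSL_write() with the SSL_get_error() discipline from the post.

    SSLWantReadError / SSLWantWriteError mean nothing was consumed: keep the
    buffer exactly as it is, let wait_for("read" | "write") service other
    descriptors, then call write() again with the same arguments.  Any other
    SSLError propagates: the connection failed.  Returns the retry count.
    """
    view = memoryview(data)
    retries = 0
    while len(view):
        try:
            sent = tls.write(view)       # same buffer on every retry
        except ssl.SSLWantReadError:
            retries += 1
            wait_for("read")
            continue
        except ssl.SSLWantWriteError:
            retries += 1
            wait_for("write")
            continue
        view = view[sent:]               # advance only after a successful write
    return retries
```

With a blocking socket wait_for can be a no-op; in a select()/poll() main loop it is where other descriptors get serviced while the frozen buffer stays put.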