> From: owner-openssl-us...@openssl.org On Behalf Of sa...@zxid.org > Sent: Wednesday, 26 September, 2012 06:46
> Matthias Apitz <g...@unixarea.de> said: > > and was a bit surprised that the connection went fine and > the "wserver" > > accepts the SSL connection and responds fine with its dummy > message. The > > openssl client does not need any key files to connect... > > In normal SSL, only the server needs certificate and private > key. In the > protocol handshake it sends the certificate to the client so > client can operate completely by simply trusting the certificate it > gets from the handshake. > > Of course client should not be so naive. It should verify the > validity if the certificate it gets from the handshake. Usually > this should mean at least one access to filesystem to get > the root certificate (CA certificate) to check the connection's > certificate. You should see that access with truss or strace. > > (BTW, there is such thing as ClientTLS where client actually > authenticates > to the server. In that scenario client does need itsown certificate > and private key, but I do not think you were attempting to do that.) > He apparently was. He said explicitly that wclient.c is calling _use_PrivateKey_file, and that truss shows access to both client.pem and root.pem (to verify the server). Although for clientauth to actually work, wclient.c needs to also call _use_certificate_ (or _use_certificate_chain_) which should show a second read of client.pem, assuming his file names are accurate. To be clear: "ClientTLS" isn't a separate thing. TLS protocol has three options: no-auth (anonymous), server-auth-only, and both-server-and-client-auth. In practice 99% of usage is server-auth, but all three are TLS and supported by OpenSSL. > > The output of the openssl client about the connection is > attached below > > as "nohup.out". > > In nohup.out you see > > >> depth=1 /C=DE/ST=Germany/O=xxxxxxxxxxxxxxx > GmbH/OU=SolarTech/CN=Matthias > >> verify error:num=19:self signed certificate in certificate chain > >> verify return:0 > >> CONNECTED(00000004) > > Basically this means that s_client should have failed the connection. > It detected a self signed certificate and unless it is configured > to accept them, it should consider it to be invalid. > Yes, but ... > Perhaps the s_client code is not a good example of the > validity checking > that should be done to the certificates? I think the code was written > to print the error but continue anyway. This is not how it should be > in real life: you should abort the connection if you do not trust the > certificate. > Exactly. s_client, like most of the commandline utilities, is intended partly as a test tool, not so much a real application. For a test tool it is often useful to ignore verify errors. You can manually abort if if you distrust the server cert or dislike the server or connection for any other reason. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
