Hello,
I am adding client peer verification to my own server but I continue to receive
an error:
SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s3_srvr.c:2631:
Here you go some relevant code:
SERVER:
ssl_initialize called at startup
int ssl_initialize (void)
{
SSL_CTX *CTX = NULL;
char ssl_certificate[MAXPATH];
char root_certificate[MAXPATH];
int i, size;
// initialize SSL crap
SSL_library_init();
SSL_load_error_strings();
// allocate CTX opaque datatype
if ((CTX = SSL_CTX_new(SSLv23_server_method())) == NULL)
goto initialize_ssl_abort;
// check if a root CA file is present
if (get_path_to_root_ca_file(root_certificate)) {
settings.ssl_verify_peer = kTRUE;
if (SSL_CTX_load_verify_locations(CTX, root_certificate, NULL)
!= 1) {
goto initialize_ssl_abort;
}
if (SSL_CTX_set_default_verify_paths(CTX) != 1) {
goto initialize_ssl_abort;
}
}
// try to set up SSL certificate
if (get_path_to_ssl_certificate(ssl_certificate)) {
if (SSL_CTX_use_certificate_file(CTX, ssl_certificate,
SSL_FILETYPE_PEM) == 0) {
goto initialize_ssl_abort;
}
else if (CTX != NULL && SSL_CTX_use_PrivateKey_file(CTX,
ssl_certificate, SSL_FILETYPE_PEM) == 0) {
goto initialize_ssl_abort;
}
} else {
log_system("SSL certificate not found. SSL server could refuse
connections from clients.");
}
// try to set up SSL chain file
if (get_path_to_ssl_chain_file(ssl_certificate)) {
if (SSL_CTX_use_certificate_chain_file(CTX, ssl_certificate) ==
0) {
goto initialize_ssl_abort;
}
}
if (settings.ssl_verify_peer) {
log_system("SSL peer verification activated.");
SSL_CTX_set_verify(CTX,
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
SSL_CTX_set_verify_depth(CTX, 4);
}
// initialize locking callbacks, needed for thread safety.
// http://www.openssl.org/support/faq.html#PROG1
size = sizeof(pthread_mutex_t) * CRYPTO_num_locks();
if ((settings.ssl_mutexes = (pthread_mutex_t *)
cubesql_malloc((size_t)size)) == NULL) {
goto initialize_ssl_abort;
}
for (i = 0; i < CRYPTO_num_locks(); i++) {
pthread_mutex_init(&settings.ssl_mutexes[i], NULL);
}
CRYPTO_set_locking_callback(&ssl_locking_callback);
CRYPTO_set_id_callback(&ssl_id_callback);
settings.ssl_ctx = CTX;
return kTRUE;
initialize_ssl_abort:
DEBUG_WRITE("SSL initialization error: %s", ssl_error());
log_system("ssl_initialize failed.");
return kFALSE;
}
and this code called each time a new client connects:
client->ssl = SSL_new(settings.ssl_ctx);
if (client->ssl == NULL) return kFALSE;
if (client->ssl) {
int r1 = 0, r2 = 0;
r1 = SSL_set_fd(client->ssl, client->connfd);
if (r1) r2 = SSL_accept(client->ssl);
// ERROR CHECK
if ((r1 != 1) || (r2 != 1)) {
SSL_shutdown(client->ssl);
SSL_free(client->ssl);
client->ssl = NULL;
return kFALSE;
}
if (settings.ssl_verify_peer) {
if (ssl_post_connectioncheck(client) == kFALSE) {
SSL_shutdown(client->ssl);
SSL_free(client->ssl);
client->ssl = NULL;
return kFALSE;
}
}
}
SSL3_GET_CLIENT_CERTIFICATE:no certificate is returned by SSL_accept.
CLIENT:
init ssl:
// allocate CTX opaque datatype
if ((db->ssl_ctx = SSL_CTX_new(SSLv3_client_method())) == NULL)
goto load_ssl_abort;
// try to set up SSL certificate
if (ssl_certificate != NULL) {
if (SSL_CTX_use_certificate_file(db->ssl_ctx, ssl_certificate,
SSL_FILETYPE_PEM) == 0) {
goto load_ssl_abort;
}
else if (db->ssl_ctx != NULL &&
SSL_CTX_use_PrivateKey_file(db->ssl_ctx, ssl_certificate, SSL_FILETYPE_PEM) ==
0) {
goto load_ssl_abort;
}
}
Server has root.pem and server.pem
while client has client.pem
Certificates has been created using:
To create the root CA:
$ openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
$ openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey
rootkey.pem -out rootcert.pem
$ cp rootkey.pem rootkey.pem.copy
$ openssl rsa -in rootkey.pem.copy -out rootkey.pem
$ cat rootcert.pem rootkey.pem > root.pem
To create the server CA and sign it with the root CA:
$ openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out
serverCAreq.pem
$ openssl x509 -req -in serverCAreq.pem -sha1 -extensions v3_ca -CA root.pem
-CAkey root.pem -CAcreateserial -out serverCAcert.pem
$ cp serverCAkey.pem serverCAkey.pem.copy
$ openssl rsa -in serverCAkey.pem.copy -out serverCAkey.pem
$ cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem
To create the server's certificate and sign it with the Server CA:
$ openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem
$ openssl x509 -req -in serverreq.pem -sha1 -extensions usr_cert -CA
serverCA.pem -CAkey serverCA.pem -CAcreateserial -out servercert.pem
$ cp serverkey.pem serverkey.pem.copy
$ openssl rsa -in serverkey.pem.copy -out serverkey.pem
$ cat servercert.pem serverkey.pem serverCAcert.pem rootcert.pem > server.pem
To create the client certificate and sign it with the Root CA
$ openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
$ openssl x509 -req -in clientreq.pem -sha1 -extensions usr_cert -CA root.pem
-CAkey root.pem -CAcreateserial -out clientcert.pem
$ cp clientkey.pem clientkey.pem.copy
$ openssl rsa -in clientkey.pem.copy -out clientkey.pem
$ cat clientcert.pem clientkey.pem rootcert.pem > client.pem
Any help would be really really appreciated.
Thanks a lot.
--
Marco Bambini
http://www.sqlabs.com
http://twitter.com/sqlabs
http://instagram.com/sqlabs
