Hello, thanks to your help I made some progress (I also removed the intermediate CA file).
Using the command line:

openssl s_client -connect localhost:4430 -cert /Users/test/client.pem -state

I obtain:

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:unknown CA
SSL_connect:failed in SSLv3 read finished A
4722:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s3_pkt.c:1106:SSL alert number 48
4722:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_lib.c:182:

so it seems that the real error is "unknown CA".

Please note that on server side I successfully call:

list = SSL_load_client_CA_file(root_certificate);
if (list != NULL) SSL_CTX_set_client_CA_list(CTX, list);

In my opinion the real issue is the way certificate files are generated starting from root CA certificates.
Here are the up-to-date command lines I use to generate root.pem, server.pem, client.pem:

To create the root CA:
=================
$ openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
$ openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out rootcert.pem
$ cp rootkey.pem rootkey.pem.copy
$ openssl rsa -in rootkey.pem.copy -out rootkey.pem
$ cat rootcert.pem rootkey.pem > root.pem

To create the server's certificate and sign it with the root CA:
=============================================
$ openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem
$ openssl x509 -req -in serverreq.pem -sha1 -extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial -out servercert.pem
$ cp serverkey.pem serverkey.pem.copy
$ openssl rsa -in serverkey.pem.copy -out serverkey.pem
$ cat servercert.pem serverkey.pem rootcert.pem > server.pem

To create the client certificate and sign it with the Root CA
============================================
$ openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
$ openssl x509 -req -in clientreq.pem -sha1 -extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial -out clientcert.pem
$ cp clientkey.pem clientkey.pem.copy
$ openssl rsa -in clientkey.pem.copy -out clientkey.pem
$ cat clientcert.pem clientkey.pem rootcert.pem > client.pem

Thanks a lot for any help.
--
Marco Bambini
http://www.sqlabs.com
http://twitter.com/sqlabs
http://instagram.com/sqlabs

On 26 Jul 2014, at 17:19, Michael Wojcik <michael.woj...@microfocus.com> wrote:

> Reduce the problem space. Try to connect to your server with openssl
> s_client, and to connect your client to openssl s_server.
>
> Incidentally, in your original note you describe a "root CA" and a "server
> CA". Why are you using an intermediate issuing certificate? It's a lot
> simpler to have your server certificate signed directly by the root, if you
> don't need an intermediate for some reason.
>
> Michael Wojcik
> Technology Specialist, Micro Focus
>
>
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Marco Bambini
> Sent: Saturday, 26 July, 2014 04:26
> To: openssl-users@openssl.org
> Subject: Re: Adding client peer verification to my server
>
> Hello,
> even after adding:
> SSL_CTX_set_client_CA_list(CTX,
> SSL_CTX_load_client_CA_file("/path/to/CAcerts.pem"));
> (please note that SSL_CTX_load_client_CA_file returns no error)
>
> I continue to receive:
> error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
> returned:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s3_srvr.c:2631:
>
> I am surely doing something wrong... probably on client side.
> Any help?
> --
> Marco Bambini
> http://www.sqlabs.com
> http://twitter.com/sqlabs
> http://instagram.com/sqlabs
>
>
>
> On 25 Jul 2014, at 18:44, Michael Wojcik <michael.woj...@microfocus.com>
> wrote:
>
>
> Unless I've overlooked it, you don't appear to be calling
> SSL_CTX_set_client_CA_list or SSL_CTX_add_client_CA anywhere.
>
> When an SSL/TLS server wants to request a peer certificate, it has to send a
> list of the CAs it recognizes to the client, so the client knows which
> certificate to send. (The client may have a number of certificates, issued by
> various CAs; for example, the client might be a browser running on behalf of
> a user who has an internally-issued company certificate and a personal
> certificate issued by a well-known commercial CA.)
>
> The simplest API to set that up in OpenSSL is SSL_CTX_load_client_CA_file:
>
> SSL_CTX_set_client_CA_list(CTX,
> SSL_CTX_load_client_CA_file("/path/to/CAcerts.pem"));
>
> (or with, you know, error handling, if you want to be fancy). See
> http://www.openssl.org/docs/ssl/SSL_load_client_CA_file.html.
>
> Michael Wojcik
> Technology Specialist, Micro Focus
>
>
>
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Marco Bambini
> Sent: Friday, 25 July, 2014 03:36
> To: openssl-users@openssl.org
> Subject: Adding client peer verification to my server
>
> Hello,
> I am adding client peer verification to my own server but I continue to
> receive an error:
> SSL3_GET_CLIENT_CERTIFICATE:no certificate
> returned:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s3_srvr.c:2631:
>
> Here is some relevant code:
>
> SERVER:
> ssl_initialize called at startup
>
> int ssl_initialize (void)
> {
>     SSL_CTX *CTX = NULL;
>     char ssl_certificate[MAXPATH];
>     char root_certificate[MAXPATH];
>     int i, size;
>
>     // initialize SSL crap
>     SSL_library_init();
>     SSL_load_error_strings();
>
>     // allocate CTX opaque datatype
>     if ((CTX = SSL_CTX_new(SSLv23_server_method())) == NULL)
>         goto initialize_ssl_abort;
>
>     // check if a root CA file is present
>     if (get_path_to_root_ca_file(root_certificate)) {
>         settings.ssl_verify_peer = kTRUE;
>         if (SSL_CTX_load_verify_locations(CTX, root_certificate, NULL) != 1) {
>             goto initialize_ssl_abort;
>         }
>         if (SSL_CTX_set_default_verify_paths(CTX) != 1) {
>             goto initialize_ssl_abort;
>         }
>     }
>
>     // try to set up SSL certificate
>     if (get_path_to_ssl_certificate(ssl_certificate)) {
>         if (SSL_CTX_use_certificate_file(CTX, ssl_certificate, SSL_FILETYPE_PEM) == 0) {
>             goto initialize_ssl_abort;
>         }
>         else if (CTX != NULL && SSL_CTX_use_PrivateKey_file(CTX, ssl_certificate, SSL_FILETYPE_PEM) == 0) {
>             goto initialize_ssl_abort;
>         }
>     } else {
>         log_system("SSL certificate not found. SSL server could refuse connections from clients.");
>     }
>
>     // try to set up SSL chain file
>     if (get_path_to_ssl_chain_file(ssl_certificate)) {
>         if (SSL_CTX_use_certificate_chain_file(CTX, ssl_certificate) == 0) {
>             goto initialize_ssl_abort;
>         }
>     }
>
>     if (settings.ssl_verify_peer) {
>         log_system("SSL peer verification activated.");
>         SSL_CTX_set_verify(CTX, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
>         SSL_CTX_set_verify_depth(CTX, 4);
>     }
>
>     // initialize locking callbacks, needed for thread safety.
>     // http://www.openssl.org/support/faq.html#PROG1
>     size = sizeof(pthread_mutex_t) * CRYPTO_num_locks();
>     if ((settings.ssl_mutexes = (pthread_mutex_t *) cubesql_malloc((size_t)size)) == NULL) {
>         goto initialize_ssl_abort;
>     }
>
>     for (i = 0; i < CRYPTO_num_locks(); i++) {
>         pthread_mutex_init(&settings.ssl_mutexes[i], NULL);
>     }
>
>     CRYPTO_set_locking_callback(&ssl_locking_callback);
>     CRYPTO_set_id_callback(&ssl_id_callback);
>
>     settings.ssl_ctx = CTX;
>     return kTRUE;
>
> initialize_ssl_abort:
>     DEBUG_WRITE("SSL initialization error: %s", ssl_error());
>     log_system("ssl_initialize failed.");
>     return kFALSE;
> }
>
> and this code is called each time a new client connects:
>
> client->ssl = SSL_new(settings.ssl_ctx);
> if (client->ssl == NULL) return kFALSE;
> if (client->ssl) {
>     int r1 = 0, r2 = 0;
>     r1 = SSL_set_fd(client->ssl, client->connfd);
>     if (r1) r2 = SSL_accept(client->ssl);
>
>     // ERROR CHECK
>     if ((r1 != 1) || (r2 != 1)) {
>         SSL_shutdown(client->ssl);
>         SSL_free(client->ssl);
>         client->ssl = NULL;
>         return kFALSE;
>     }
>
>     if (settings.ssl_verify_peer) {
>         if (ssl_post_connectioncheck(client) == kFALSE) {
>             SSL_shutdown(client->ssl);
>             SSL_free(client->ssl);
>             client->ssl = NULL;
>             return kFALSE;
>         }
>     }
> }
>
> SSL3_GET_CLIENT_CERTIFICATE:no certificate is returned by SSL_accept.
>
> CLIENT:
> init ssl:
> // allocate CTX opaque datatype
> if ((db->ssl_ctx = SSL_CTX_new(SSLv3_client_method())) == NULL)
>     goto load_ssl_abort;
>
> // try to set up SSL certificate
> if (ssl_certificate != NULL) {
>     if (SSL_CTX_use_certificate_file(db->ssl_ctx, ssl_certificate, SSL_FILETYPE_PEM) == 0) {
>         goto load_ssl_abort;
>     }
>     else if (db->ssl_ctx != NULL && SSL_CTX_use_PrivateKey_file(db->ssl_ctx, ssl_certificate, SSL_FILETYPE_PEM) == 0) {
>         goto load_ssl_abort;
>     }
> }
>
> Server has root.pem and server.pem
> while client has client.pem
>
> Certificates have been created using:
>
> To create the root CA:
>
> $ openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
> $ openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out rootcert.pem
> $ cp rootkey.pem rootkey.pem.copy
> $ openssl rsa -in rootkey.pem.copy -out rootkey.pem
> $ cat rootcert.pem rootkey.pem > root.pem
>
>
> To create the server CA and sign it with the root CA:
>
> $ openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out serverCAreq.pem
> $ openssl x509 -req -in serverCAreq.pem -sha1 -extensions v3_ca -CA root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem
> $ cp serverCAkey.pem serverCAkey.pem.copy
> $ openssl rsa -in serverCAkey.pem.copy -out serverCAkey.pem
> $ cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem
>
> To create the server's certificate and sign it with the Server CA:
>
> $ openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem
> $ openssl x509 -req -in serverreq.pem -sha1 -extensions usr_cert -CA serverCA.pem -CAkey serverCA.pem -CAcreateserial -out servercert.pem
> $ cp serverkey.pem serverkey.pem.copy
> $ openssl rsa -in serverkey.pem.copy -out serverkey.pem
> $ cat servercert.pem serverkey.pem serverCAcert.pem rootcert.pem > server.pem
>
>
> To create the client certificate and sign it with the Root CA
>
> $ openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
> $ openssl x509 -req -in clientreq.pem -sha1 -extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial -out clientcert.pem
> $ cp clientkey.pem clientkey.pem.copy
> $ openssl rsa -in clientkey.pem.copy -out clientkey.pem
> $ cat clientcert.pem clientkey.pem rootcert.pem > client.pem
>
>
> Any help would be really really appreciated.
> Thanks a lot.
> --
> Marco Bambini
> http://www.sqlabs.com
> http://twitter.com/sqlabs
> http://instagram.com/sqlabs
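Added example, not code from the thread or from either poster: the script below rebuilds the layout Marco ended up with (one root CA signing the server and the client certificate directly, as Michael suggested) with explicit X.509v3 extensions written to an extension file, and then checks the client certificate against the root offline. `openssl verify -CAfile` builds the same chain the server builds with SSL_CTX_load_verify_locations and SSL_VERIFY_PEER, and an issuer that cannot be found is exactly what the server reports back to the client as "unknown CA". SSL_CTX_set_client_CA_list, by contrast, only controls the CA names advertised in the CertificateRequest, not which issuers are trusted. Every file name, subject and extension section here is constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): one root CA issues the server and
# client certificates directly, with explicit X.509v3 extensions, and the
# client certificate is then checked against the root offline the way the
# server does during the handshake.  All names and subjects are constructed.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"

# One small config serves both `req` (which only needs a DN section; the real
# subject comes from -subj) and `x509 -extfile`, so nothing here depends on
# the machine's default openssl.cnf.
write_config() {
    cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
commonName = placeholder-overridden-by-subj
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed root.  CA:TRUE is what lets verifiers accept it as an issuer.
make_root() {
    openssl genrsa -out "$WORK/rootkey.pem" 2048 2>/dev/null
    openssl req -new -config "$WORK/pki.cnf" -key "$WORK/rootkey.pem" \
        -subj "/CN=Example Root CA" -out "$WORK/rootreq.pem"
    openssl x509 -req -in "$WORK/rootreq.pem" -sha256 -days 365 \
        -signkey "$WORK/rootkey.pem" -extfile "$WORK/pki.cnf" \
        -extensions ca_ext -out "$WORK/rootcert.pem" 2>/dev/null
}

# Leaf issued directly by the root: $1 = file prefix, $2 = subject,
# $3 = extension section.  The bundle keeps the thread's layout
# (certificate, key, issuer certificate).
issue_leaf() {
    openssl genrsa -out "$WORK/$1key.pem" 2048 2>/dev/null
    openssl req -new -config "$WORK/pki.cnf" -key "$WORK/$1key.pem" \
        -subj "$2" -out "$WORK/$1req.pem"
    openssl x509 -req -in "$WORK/$1req.pem" -sha256 -days 365 \
        -CA "$WORK/rootcert.pem" -CAkey "$WORK/rootkey.pem" -CAcreateserial \
        -extfile "$WORK/pki.cnf" -extensions "$3" -out "$WORK/$1cert.pem" 2>/dev/null
    cat "$WORK/$1cert.pem" "$WORK/$1key.pem" "$WORK/rootcert.pem" > "$WORK/$1.pem"
}

# Offline stand-in for the server's SSL_VERIFY_PEER check: can certificate $1
# be chained to a trust anchor in $2?  Decides on the "<file>: OK" line rather
# than on the exit status, which has differed between OpenSSL releases.
verify_chain() {
    result=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    printf '%s\n' "$result"
    case "$result" in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# The root must really carry basicConstraints CA:TRUE.
root_is_ca() {
    openssl x509 -in "$WORK/rootcert.pem" -noout -text | grep -q 'CA:TRUE'
}

# Negative control: an unrelated CA must not vouch for our client certificate.
# A missing issuer is what the server reports to the client as "unknown CA".
wrong_ca_is_rejected() {
    openssl req -x509 -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Unrelated CA" -keyout "$WORK/otherkey.pem" \
        -out "$WORK/othercert.pem" 2>/dev/null
    ! verify_chain "$WORK/clientcert.pem" "$WORK/othercert.pem" >/dev/null
}

write_config
make_root
issue_leaf server "/CN=localhost" server_ext
issue_leaf client "/CN=example client" client_ext
openssl x509 -in "$WORK/clientcert.pem" -noout -subject -issuer
verify_chain "$WORK/servercert.pem" "$WORK/rootcert.pem"
verify_chain "$WORK/clientcert.pem" "$WORK/rootcert.pem"
```

Run it as is and it prints the client certificate's subject and issuer followed by one "OK" line per leaf; point `verify_chain` at a leaf and a CA file from an existing setup to reproduce a server-side "unknown CA" failure without a live handshake. The bundle files (`server.pem`, `client.pem`) follow the same cert/key/root order as the thread's commands, so they can be dropped into the same `-cert` and `SSL_CTX_use_*_file` calls.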