Hi Andreas,

The repo below has examples of using OpenSSL for mTLS (mutual certificate authentication) with sample certificates. You can refer to these.

https://github.com/TalkWithTLS/TalkWithTLS/blob/master/src/sample/openssl_tls13_server_both_auth.c
https://github.com/TalkWithTLS/TalkWithTLS/blob/master/src/sample/openssl_tls13_client_both_auth.c

On Thu, May 7, 2020 at 12:36 AM Andreas Tengicki <tengi...@autopoll.de> wrote:
> Hello,
>
> I cannot find a working mutual-TLS server/client example on GitHub or
> on the whole internet, only some examples for pieces of code. Communication
> via socket without and with encryption (OpenSSL) is working, but with
> mTLS it is not. I believe that I theoretically understand mTLS, but in
> practice it will not work.
>
> The whole (small) project is here:
> https://github.com/deckard-rick/mTLS-example
>
> Server Side
> =========
>
> I initialize the SSL context without errors with (sample; error handling
> is not in this email):
>
>     SSL_CTX_set_ecdh_auto(srvCtx->ctx, 1);
>     SSL_CTX_set_verify(srvCtx->ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
>     SSL_CTX_load_verify_locations(srvCtx->ctx, NULL, "../certs"); //????
>     SSL_CTX_use_certificate_chain_file(srvCtx->ctx, "../certs/server/ca.crt");
>     SSL_CTX_use_certificate_file(srvCtx->ctx, "../certs/server/server.crt", SSL_FILETYPE_PEM);
>     SSL_CTX_use_PrivateKey_file(srvCtx->ctx, "../certs/server/server.key", SSL_FILETYPE_PEM);
>     SSL_CTX_check_private_key(srvCtx->ctx);
>
> The certificates are:
>
> ca.crt:
>     Version: 3 (0x2)
>     Serial Number:
>         5a:fc:74:e6:28:28:0e:df:5b:7a:50:9e:a8:18:e6:04:42:f0:fd:8d
>     Signature Algorithm: sha256WithRSAEncryption
>     Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA
>     Validity
>         Not Before: May  6 09:21:23 2020 GMT
>         Not After : May  6 09:21:23 2022 GMT
>     Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA
>
> server.crt:
>     Version: 1 (0x0)
>     Serial Number:
>         5f:6f:44:b5:27:47:f2:d2:fe:2b:21:5b:38:7d:e5:f6:e5:d9:c1:23
>     Signature Algorithm: sha256WithRSAEncryption
>     Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA
>     Validity
>         Not Before: May  6 09:30:23 2020 GMT
>         Not After : May  6 09:30:23 2021 GMT
>     Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = debiandevdesktop01.sdctec.lokal
>
> debiandevdesktop01.sdctec.lokal is the FQDN of the development server.
>
> Client Side
> =========
>
>     SSL_CTX_set_ecdh_auto(ctx, 1);
>     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
>     SSL_CTX_use_certificate_chain_file(ctx, "../certs/client/ca.crt");
>     SSL_CTX_use_certificate_file(ctx, "../certs/client/client.crt", SSL_FILETYPE_PEM);
>     SSL_CTX_use_PrivateKey_file(ctx, "../certs/client/client.key", SSL_FILETYPE_PEM);
>
> ca.crt: (see server)
>
> client.crt:
>     Version: 1 (0x0)
>     Serial Number:
>         5f:6f:44:b5:27:47:f2:d2:fe:2b:21:5b:38:7d:e5:f6:e5:d9:c1:24
>     Signature Algorithm: sha256WithRSAEncryption
>     Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA
>     Validity
>         Not Before: May  6 09:35:51 2020 GMT
>         Not After : May  6 09:35:51 2021 GMT
>     Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = CLIENT001
>
> Error:
> =====
>
> If the client connects to the server, there are the following errors:
>
> server:
>     139918902234240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915:
>
> client:
>     139918902234240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915:
>
> I think there is a problem with the certificates. But where is the
> problem, and why?
>
> The statements to create the certificates are in the project's ./certs/
> read.me
>
> Thanks for any help. I have been looking for days for a solution, and I believe
> it is only a small bug.
>
> Best regards
>
> Andreas