Openssl backend for glib


Openssl backend for glib

Ignacio Casal
Hey guys,

I am currently working on an openssl backend for glib and I got to a point where I am blocked and maybe you can help me understand what I am doing wrong.

First of all the source code can be found here: https://github.com/nice-software/glib-networking/tree/wip/openssl

The problem is the following: in one of our unit tests we require a specific authentication, meaning that I end up calling SSL_set_verify, as you can see here: https://github.com/nice-software/glib-networking/blob/wip/openssl/tls/openssl/gtlsserverconnection-openssl.c#L127

This should make the server require the client to send the certificate, but for some reason this certificate is never sent and I end up having an error when handshaking.

I was reading that I can just simply set the certificate callback as I do here: https://github.com/nice-software/glib-networking/blob/wip/openssl/tls/openssl/gtlsclientconnection-openssl.c#L437

This callback gets called and I set the certificate, but after adding some debugging to openssl's code I see I keep getting that the server does not get the certificate.

Here is an extract of the printfs I added to the openssl code. Any ideas?

server, accept
server, get client hello: 1
server, send server hello: 1
server, send server cert: 1
server, send cert request: 1
connect1
get server hello: 1
get key exchange: 1
get cert request: 1
get server done: 1
do client cert cb: 1
do client cert cb2: 1
do client cert cb4: 1
do client cert cb do write
send client cert: 1
send client key exchange: 1
send client verify: 1
change cipher spec: 1
send finished: 1
server, check client hello: 1
server, get client cert: -1
server, accept2: -1
finish not ok
get finsihed: 0
connect2: 0


Cheers.


--
Ignacio Casal Quinteiro

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: Openssl backend for glib

Ignacio Casal
So I did a bit more research on this issue. The certificate seems to be loaded and sent to the server.
But then the server fails to verify that certificate since it does not have the ca-list that was loaded for the client.
The error that I get server side is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
Any idea how to deal with this issue?

Should I try to skip this kind of verification server side?

Regards

On Mon, Aug 24, 2015 at 2:41 PM, Ignacio Casal <[hidden email]> wrote:
--
Ignacio Casal Quinteiro

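The second message ends on whether to skip verification on the server side. The error it names, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, means the server's verify store does not contain the CA that issued the client certificate, so the remedy is to load that CA on the server rather than to disable the check. The script below is an added example, not code from the thread or from glib-networking: it builds a constructed test CA and client certificate with the openssl CLI and runs the same chain check the server performs, first with an empty verify store and then with the CA loaded.

```shell
#!/bin/sh
# Added example, not code from the thread or from glib-networking: rebuild the
# server-side failure X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (error 20)
# with a throw-away CA and client certificate, then show the fix.
set -eu

# Constructed test PKI: a self-signed CA plus one client certificate it issues.
# Everything lives in a temporary directory; the system trust store is untouched.
make_pki() {
    WORK="$(mktemp -d)"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Example Test CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" \
        -subj "/CN=example-client" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.pem" >/dev/null 2>&1
}

# The chain check the server runs on the client certificate, with an empty
# verify store: the issuer cannot be found, so it stops at depth 0 with
# "unable to get local issuer certificate" (error 20).
verify_without_ca() {
    openssl verify -no-CAfile -no-CApath "$WORK/client.pem" 2>&1 || true
}

# The fix mirrors SSL_CTX_load_verify_locations() on the server: give the
# verifier the CA that issued the client certificates and the chain completes.
verify_with_ca() {
    openssl verify -no-CApath -CAfile "$WORK/ca.pem" "$WORK/client.pem" 2>&1
}

cleanup() {
    rm -rf "$WORK"
}

main() {
    make_pki
    echo "--- server with no CA loaded ---"
    verify_without_ca
    echo "--- server with the client CA loaded ---"
    verify_with_ca
    cleanup
}

main
```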