SSL based client authentication

Snuggles
Hi,

I'm writing my own webserver and I want it to be able to do SSL based client authentication. It can already do HTTPS, but when I try to do the SSL based client authentication, the connection gets dropped. I use the following routine to bind an SSL socket.

#include <stdio.h>
#include <openssl/ssl.h>

/* sslPasswordCB() (passphrase callback for the key file) and load_dh_params()
 * (loads DH parameters into the context, returns -1 on failure) are helpers
 * defined elsewhere in the server; they are not part of this routine. */

SSL_CTX *ssl_binding(char *keyfile, char *CA_cert, int verify_depth, char *dh_file, char *ciphers) {
    const SSL_METHOD *meth;
    SSL_CTX          *context;

    if ((meth = SSLv23_method()) == NULL) {
        fprintf(stderr, "SSLv23_method() error\n");
        return NULL;
    }
    if ((context = SSL_CTX_new(meth)) == NULL) {
        fprintf(stderr, "SSL_CTX_new() error\n");
        return NULL;
    }

    /* SSLv23_method() negotiates any protocol version; refuse SSLv2. */
    SSL_CTX_set_options(context, SSL_OP_NO_SSLv2);

    /* Server certificate (plus any intermediates) and its private key, both in keyfile. */
    if (SSL_CTX_use_certificate_chain_file(context, keyfile) != 1) {
        fprintf(stderr, "Error while reading certificate from %s\n", keyfile);
        goto fail;
    }

    SSL_CTX_set_default_passwd_cb(context, sslPasswordCB);
    if (SSL_CTX_use_PrivateKey_file(context, keyfile, SSL_FILETYPE_PEM) != 1) {
        fprintf(stderr, "Error while reading private key from %s\n", keyfile);
        goto fail;
    }

    /* Client authentication: CA_cert becomes the trust store used to verify
     * the client's chain, and the handshake fails if the client presents no
     * certificate or one that does not verify. */
    if (CA_cert != NULL) {
        if (SSL_CTX_load_verify_locations(context, CA_cert, NULL) != 1) {
            fprintf(stderr, "Error while reading CA certificate(s) from %s\n", CA_cert);
            goto fail;
        }
        SSL_CTX_set_verify_depth(context, verify_depth);
        SSL_CTX_set_verify(context, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
    }
    if (dh_file != NULL) {
        if (load_dh_params(context, dh_file) == -1) {
            goto fail;
        }
    }
    if (ciphers != NULL) {
        if (SSL_CTX_set_cipher_list(context, ciphers) == 0) {
            fprintf(stderr, "No usable cipher in list \"%s\"\n", ciphers);
            goto fail;
        }
    }

    return context;

fail:
    SSL_CTX_free(context);   /* do not leak the context on the error paths */
    return NULL;
}

When CA_cert is NULL, no SSL client authentication is done, and everything (HTTPS) works fine. But when I specify a CA certificate via CA_cert, I get a "select certificate" window in IE6, but when I choose a certificate (it is a valid one) the connection gives errors. Some of the HTTP content gets through to the browser, some (like the pictures inside the HTML page) does not. SSL_read() and SSL_write() give me (via SSL_get_error()) the SSL_ERROR_SSL value. I've searched and googled, but I can't find anything that looks like my problem.

I hope anyone can tell what I am doing wrong or point me to some good documentation. Thanks!


P.S.
Sorry for the bad English :)
Re: SSL based client authentication

Goetz Babin-Ebell
Snuggles wrote:
> Hi,
Hello Snuggles,

> I'm writing my own webserver and I want it to be able to do SSL based client
> authentication. It can already do HTTPS, but when I try to do the SSL based
> client authentication, the connection gets dropped. I use the following
> routine to bind a SSL socket.
>
> SSL_CTX *ssl_binding(char *keyfile, char *CA_cert, int verify_depth, char
> *dh_file, char *ciphers) {
[...]
>     if (CA_cert != NULL) {
>         SSL_CTX_load_verify_locations(context, CA_cert, NULL);
You have to do a
           SSL_CTX_set_client_CA_list(context,
                                      SSL_load_client_CA_file(CA_cert));
>         SSL_CTX_set_verify_depth(context, verify_depth);
>         SSL_CTX_set_verify(context, SSL_VERIFY_PEER |
> SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
[...]

> I hope anyone can tell what I am doing wrong or point me to some good
> documentation. Thanks!

see man page of SSL_CTX_set_client_CA_list()

Bye

Goetz
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
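The server-side behaviour the reply describes, worked through as an added example. This is not code from the thread, from Snuggles' server or from OpenSSL: it is written against Go's crypto/tls instead of the OpenSSL C API, because the same three pieces exist there under different names. ClientCAs is at once the verify store that SSL_CTX_load_verify_locations() fills and the list of CA names that SSL_CTX_set_client_CA_list() puts into the CertificateRequest message, and ClientAuth = RequireAndVerifyClientCert is SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT. All certificates, CA names, the "localhost" server name and the alice/mallory identities are constructed in memory when the program runs. The client's GetClientCertificate callback receives the advertised CA names the way a browser's certificate chooser does, and the three runs show what the server does with a certificate from the trusted CA, with no certificate at all, and with one issued by an unrelated CA.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"slices"
	"time"
)

// must panics on error; in this demo only crypto/rand and loopback TCP can fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert makes a P-256 key and certificate for cn (Leaf filled in): a self-signed CA when parent
// is nil, otherwise a leaf for extended key usage eku signed by parent. Everything is constructed.
func mkCert(cn string, parent *tls.Certificate, eku x509.ExtKeyUsage) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	issuer, signer := tmpl, crypto.Signer(key)
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{eku}
		tmpl.DNSNames, issuer, signer = []string{cn}, parent.Leaf, parent.PrivateKey.(crypto.Signer)
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// serverConfig is the crypto/tls form of the fix from the thread: ClientCAs is both the verify store
// (SSL_CTX_load_verify_locations) and the CA names sent in CertificateRequest (SSL_CTX_set_client_CA_list),
// and RequireAndVerifyClientCert is SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
func serverConfig(srv, clientCA tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA.Leaf)
	return &tls.Config{Certificates: []tls.Certificate{srv}, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
}

// clientConfig trusts serverCA for the server's certificate and offers cand (nil = nothing) when asked;
// seen receives the CA names from the CertificateRequest, the list a browser's certificate chooser filters on.
func clientConfig(serverCA tls.Certificate, cand *tls.Certificate, seen *[][]byte) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(serverCA.Leaf)
	return &tls.Config{RootCAs: roots, ServerName: "localhost",
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			*seen = cri.AcceptableCAs
			if cand == nil {
				return &tls.Certificate{}, nil // sends an empty Certificate message
			}
			return cand, nil
		}}
}

type result struct {
	serverErr, clientErr error
	peerCN               string   // subject CN the server authenticated; empty on failure
	acceptableCAs        [][]byte // CA names the server advertised
	issuerAdvertised     bool     // the offered certificate's issuer was in that list
}

// runHandshake performs one handshake over loopback TCP and reports both sides' verdicts.
func runHandshake(srvCfg, cliCfg *tls.Config) (res result) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		s := tls.Server(must(ln.Accept()), srvCfg)
		defer s.Close()
		if res.serverErr = s.Handshake(); res.serverErr == nil {
			res.peerCN = s.ConnectionState().PeerCertificates[0].Subject.CommonName
		}
	}()
	c := tls.Client(must(net.Dial("tcp", ln.Addr().String())), cliCfg)
	res.clientErr = c.Handshake()
	<-done // let the server finish verifying before the connection is torn down
	c.Close()
	return res
}

// scenarios runs three clients against one server: a certificate from the trusted client CA,
// no certificate at all, and a certificate from an unrelated CA.
func scenarios() map[string]result {
	serverCA := mkCert("Demo Server Root", nil, 0)
	srv := mkCert("localhost", &serverCA, x509.ExtKeyUsageServerAuth)
	clientCA := mkCert("Demo Client CA", nil, 0)
	alice := mkCert("alice", &clientCA, x509.ExtKeyUsageClientAuth)
	rogueCA := mkCert("Unrelated CA", nil, 0)
	mallory := mkCert("mallory", &rogueCA, x509.ExtKeyUsageClientAuth)
	srvCfg := serverConfig(srv, clientCA)
	out := map[string]result{}
	for name, cand := range map[string]*tls.Certificate{"alice": &alice, "none": nil, "mallory": &mallory} {
		var seen [][]byte
		res := runHandshake(srvCfg, clientConfig(serverCA, cand, &seen))
		res.acceptableCAs = seen
		res.issuerAdvertised = cand != nil && slices.ContainsFunc(seen, func(dn []byte) bool {
			return bytes.Equal(dn, cand.Leaf.RawIssuer)
		})
		out[name] = res
	}
	return out
}

func main() {
	for name, r := range scenarios() {
		fmt.Printf("%-8s CAs advertised=%d issuer listed=%t authenticated=%q verdict=%v\n",
			name, len(r.acceptableCAs), r.issuerAdvertised, r.peerCN, r.serverErr)
	}
}
```

The "issuer listed" column is the check a browser makes against the CertificateRequest before it offers a certificate, and the verdict column is what SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT produces on the server: only alice is authenticated, the empty Certificate message and mallory's chain from an unrelated CA are both rejected during the handshake. In the OpenSSL version of this, the line that fills the CA list is the SSL_CTX_set_client_CA_list(context, SSL_load_client_CA_file(CA_cert)) call from the reply; SSL_load_client_CA_file() returns NULL when the file cannot be read, so check its result before handing it to SSL_CTX_set_client_CA_list().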