client without certificate

Stefan Walter-4
I am writing a server without checking the server certificate... The client (written in Java) works fine when using s_server as the server. I start s_server with this command:
        openssl s_server -accept 1111 -cipher ADH-RC4-MD5

I have now written my own server, but I always get the following output:
Using default temp DH parameters
Connection from 70da6e53, port dee6
SSL connection using ADH-RC4-MD5
Client does not have certificate.
How can I deactivate the client certificate checking on the server side?
 
Kind Regards Stefan

Re: client without certificate

Marek.Marcola
Hello,

> i wrote now my own server but i always get following output:
> Using default temp DH parameters
> Connection from 70da6e53, port dee6
> SSL connection using ADH-RC4-MD5
> Client does not have certificate.
>
> how can i deactivate the client certificate checking on server side?
A client certificate is requested by the server when client authentication
is needed (the server sends an SSL CertificateRequest packet).
This mechanism may be enabled with:
        SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
or disabled (default) with:
        SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
You should check your code or simply use ssldump to check
whether your SSL server sends a CertificateRequest packet.
If yes, this may help.

Best regards,
--
Marek Marcola <[hidden email]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
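
The check suggested in the reply above (does the server's flight contain a CertificateRequest?) can also be made directly on captured bytes. This is an added example, not part of the original thread or of OpenSSL; the function and sample names are hypothetical, and the sample flights are constructed with dummy message bodies. It assumes SSLv3 through TLS 1.2, where the server's first flight is sent in the clear.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { REC_CCS = 20, REC_HANDSHAKE = 22, HS_CERT_REQUEST = 13, HS_HELLO_DONE = 14 };

/* Constructed samples: framing is valid, bodies are dummy bytes.
 * ServerHello, ServerKeyExchange, ServerHelloDone in one record: */
static const uint8_t sample_no_request[] = {
    22, 3, 1, 0, 14,  2, 0, 0, 1, 0,  12, 0, 0, 1, 0,  14, 0, 0, 0 };
/* ServerHello, CertificateRequest (split across two records), ServerHelloDone: */
static const uint8_t sample_with_request[] = {
    22, 3, 1, 0, 7,  2, 0, 0, 1, 0,  13, 0,
    22, 3, 1, 0, 8,  0, 2, 1, 1,  14, 0, 0, 0 };

/* 1 = CertificateRequest present, 0 = absent, -1 = truncated or malformed. */
int requests_client_cert(const uint8_t *buf, size_t len)
{
    uint8_t hs[4096];
    size_t hs_len = 0, off = 0;
    /* Pass 1: concatenate handshake record payloads (messages may span records). */
    while (off < len) {
        if (len - off < 5) return -1;
        size_t rlen = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        if (rlen > len - off - 5) return -1;
        if (buf[off] == REC_CCS) break;      /* later records are encrypted */
        if (buf[off] == REC_HANDSHAKE) {
            if (rlen > sizeof hs - hs_len) return -1;
            memcpy(hs + hs_len, buf + off + 5, rlen);
            hs_len += rlen;
        }
        off += 5 + rlen;
    }
    /* Pass 2: walk handshake messages: type (1 byte), length (3 bytes), body. */
    for (off = 0; off < hs_len; ) {
        if (hs_len - off < 4) return -1;
        size_t mlen = ((size_t)hs[off + 1] << 16) | ((size_t)hs[off + 2] << 8) | hs[off + 3];
        if (mlen > hs_len - off - 4) return -1;
        if (hs[off] == HS_CERT_REQUEST) return 1;
        if (hs[off] == HS_HELLO_DONE) return 0;  /* end of the server's flight */
        off += 4 + mlen;
    }
    return 0;
}

int main(void)
{
    printf("no request:   %d\n", requests_client_cert(sample_no_request, sizeof sample_no_request));
    printf("with request: %d\n", requests_client_cert(sample_with_request, sizeof sample_with_request));
    return 0;
}
```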

Re: client without certificate

Stefan Walter-4
> Hello,
>
>> i wrote now my own server but i always get following output:
>> Using default temp DH parameters
>> Connection from 70da6e53, port dee6
>> SSL connection using ADH-RC4-MD5
>> Client does not have certificate.
>>
>> how can i deactivate the client certificate checking on server side?
> Client certificate is requested by server when client authentication
> is needed (server sends SSL CertificateRequest packet).
> This mechanism may be enabled with:
> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
> SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
> or disabled (default) with:
> SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
> You should check your code or simply use ssldump to check
> if your ssl server sends CertificateRequest packet.
> If yes, this may help.
I am using SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); but it seems the
server still wants to get a client certificate...

Regards Stefan


Re: client without certificate

Dr. Stephen Henson
On Tue, May 09, 2006, Stefan Walter wrote:

> I am writing a server without checking the server certificate... the client (written in java) works fine by using s_server as server. i start the s_server by using this command: openssl s_server -accept 1111 -cipher ADH-RC4-MD5
>
> i wrote now my own server but i always get following output:
> Using default temp DH parameters
> Connection from 70da6e53, port dee6
> SSL connection using ADH-RC4-MD5
> Client does not have certificate.
>
> how can i deactivate the client certificate checking on server side?
>

It seems you are being confused by the "Client does not have certificate."
message. If you've followed the stuff in s_server it will display that message
even if the server does not request a certificate.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: client without certificate

Stefan Walter-4

> On Tue, May 09, 2006, Stefan Walter wrote:
>
>> I am writing a server without checking the server certificate... the
>> client (written in java) works fine by using s_server as server. i start
>> the s_server by using this command: openssl s_server -accept 1111 -cipher
>> ADH-RC4-MD5
>>
>> i wrote now my own server but i always get following output:
>> Using default temp DH parameters
>> Connection from 70da6e53, port dee6
>> SSL connection using ADH-RC4-MD5
>> Client does not have certificate.
>>
>> how can i deactivate the client certificate checking on server side?
>>
>
> It seems you are being confused by the "Client does not have certificate."
> message. If you've followed the stuff in s_server it will display that
> message
> even if the server does not request a certificate.

Thanks a lot, it works! I got really confused about it!!
