problem in client authentication


problem in client authentication

Samy Thiyagarajan

My last mail seems to have been lost somewhere..

Hi all,

I'm testing an SSL server with s_client. I want to implement client authentication.

The problem is that even if I include the certificate and key file in my client call, SSL_get_peer_certificate()
returns NULL.

I tried the following calls:

a) s_client -connect ip:port
b) s_client -connect ip:port -cert clientcert.pem -key clientPrivkey.pem

 ** the certificate is self-signed.

Here is the relevant piece of code from my server:


#include <openssl/ssl.h>
#include <openssl/err.h>

/* Ask the client for a certificate and abort the handshake if it sends none. */
SSL_CTX_set_verify( ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL );

/* ... ssl = SSL_new( ctx ); SSL_set_fd( ssl, sock ); ... */

if( SSL_accept( ssl ) <= 0 )
{
    ERR_print_errors_fp( stderr );
    errorexit( " SSL_accept failed " );
}

//SSL_accept is successful

X509 *peer;
peer = SSL_get_peer_certificate( ssl );   /* NULL if the client presented no certificate */

if( peer == NULL )
{
    errorexit( " cannot get the certificate " );
}
else
{
    if( SSL_get_verify_result( ssl ) == X509_V_OK )
    {
       printf( " certificate OK " );
       // do read and write......
    }
    X509_free( peer );   /* SSL_get_peer_certificate() returns a new reference */
}


 
 Irrespective of my s_client call (a or b) I get the error "cannot get the certificate".
 
 Am I missing something?
 
 Expecting your valuable suggestions..
 
 Thanks in advance.
 
 -Samy


RE: problem in client authentication

Mark-62
> my last mail seem to be lost somewhere..

I got it!
 

> Hi all,
>
> Im testing an SSL server with s_client. I  want to implement  
> client authentication.
>
> The problem is even if I include the certificate and key file
> in my client call, SSL_get_peer_certificate()
> returns NULL
>
> I tried the following calls,
>
> a) S_client -connect ip:port  
> b) s_client -connect ip:port -cert clientcert.pem -key
> clientPrivkey.pem

I would think you would need to specify the root certificate
using the -CAfile option.

Cheers, Mark
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

How to disable id and password check

Chuck Aaron
Can anyone tell me how to disable id and pw checking
when entering a specific web site. I'd like to turn
it completely off.

Thanks,
Chuck



problem in client authentication -no luck

Samy Thiyagarajan
In reply to this post by Mark-62

Hi..
Now I created a CA and a certificate signed by it.
My client call is now:
s_client  -connect  ip:port -cert clientcert.pem  -key clientPrivKey.pem  -CAfile cakey.pem

still no development....

can someone look into this issue please...?


RE: problem in client authentication -no luck

David C. Partridge
You don't want to specify the CA's private key as the argument for -CAfile,
you need to specify the CA certificate for that.

Also an indication of the errors you get would help ...

D.

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Samy Thiyagarajan
Sent: 10 January 2006 14:53
To: [hidden email]
Subject: problem in client authentication -no luck


hi ..
now i created a CA and a certificate signed by it.
my client call is now,
s_client  -connect  ip:port -cert clientcert.pem  -key clientPrivKey.pem
-CAfile cakey.pem

still no development....

can someone look into this issue please...?

Re: problem in client authentication -no luck

Peter Sylvester-3
In reply to this post by Samy Thiyagarajan
Samy Thiyagarajan wrote:

>
> hi ..
> now i created a CA and a certificate signed by it.
> my client call is now,
> s_client  -connect  ip:port -cert clientcert.pem  -key
> clientPrivKey.pem  -CAfile cakey.pem
>
> still no development....
>
> can someone look into this issue please...?
The CAfile for the openssl s_client command is used to authenticate the
SERVER.

You need to load the CA certificate in your server. Look at the source code
of s_server.c
etc.


client authentication - error message included

Samy Thiyagarajan
In reply to this post by David C. Partridge

Thanks for your response..

The error messages of client and server are as follows:

client :
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48

server:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2015


In my s_client call I correctly specified the CAfile path.
s_client -connect ip:port -cert clientcert.pem -key clientPrivKey.pem -CAfile /../../demoCA/cacert.pem

So is the client not able to locate the CAfile..? If yes, I wonder why?
Do I need to explicitly define somewhere in my server program that this CA is trusted..?

Awaiting your suggestions

Re: How to disable id and password check

Kyle Hamilton
In reply to this post by Chuck Aaron
This is an Apache query, not an OpenSSL query.  Please ask on the
apache-users mailing list.

-Kyle

On 1/10/06, Chuck Aaron <[hidden email]> wrote:

> Can anyone tell me how to disable id and pw checking
> when entering a specific web site. I'd like to turn
> it completely off.
>
> Thanks,
> Chuck

error : unknown ca :(

Samy Thiyagarajan
In reply to this post by Samy Thiyagarajan

Hi all..

I got stuck with the following error..
client :
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48


 The 'verify' command returns OK (for both options -CApath, -CAfile).

** When I tested s_client (with the same certificates and CA path) against s_server (with the -Verify option).. it successfully communicates.. !!

But still my client reports the above-mentioned error when I test with my server program. If I have some bug in my server prog.. is the error message misleading..?

Some assistance HIGHLY appreciated..


Re: error : unknown ca :(

Dr. Stephen Henson
On Wed, Jan 11, 2006, Samy Thiyagarajan wrote:

> hi all..
>
> I got stuck up with the following error..
> client :
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
> ca:s3_pkt.c:1052:SSL alert number 48
>
>  'verify ' command returns OK  ( for both options  -CApath , -CAfile )
>
> ** when i tested s_client (with the same certificates and CA path )against
> s_server ( with -Verify option ).. it successfully communicates.. !!
>
> But still my client report the above mentioned error when I test with my
> server programm. If i hav some bug in my server prog..is the error message
> is misleading..?
>
> Some assistance HIGHLY appreciated..
>

That message means the server cannot verify the client certificate being sent
to it. You need to trust the client certificate root CA and make sure any
intermediate certificates are included by the client.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
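To see Peter's and Steve's points side by side, here is an added example (not from the thread and not OpenSSL project code) that does with the command-line tools what Samy's server has to do: build a throw-away CA plus a server certificate and a client certificate signed by it, then run the same s_client command twice against s_server, once with the server given the CA to trust (-CAfile ca.pem, which is what Samy's successful s_server -Verify test relied on) and once without it. The second run reproduces the "tlsv1 alert unknown ca" / SSL alert number 48 from the thread, and the server log shows why ("unable to get local issuer certificate"). It assumes an openssl binary (1.1.1 or 3.x) on PATH and a bindable loopback port; the port number, file names and subject names are arbitrary choices of this example.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce both outcomes with the openssl CLI.
# Assumes `openssl` (1.1.1 or 3.x) is on PATH and 127.0.0.1 can be bound.
# The port number, file names and subject names are arbitrary choices for the demo.

WORK=$(mktemp -d)
PORT=${MTLS_PORT:-44330}
trap 'rm -rf "$WORK"' EXIT

# Build a throw-away PKI: one CA, plus a server and a client certificate signed by it.
make_pki() {
    cd "$WORK" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestCA \
        -keyout ca.key -out ca.pem >/dev/null 2>&1 || return 1
    for n in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$n.key" -out "$n.csr" >/dev/null 2>&1 || return 1
        openssl x509 -req -days 1 -in "$n.csr" -CA ca.pem -CAkey ca.key \
            -CAcreateserial -out "$n.pem" >/dev/null 2>&1 || return 1
    done
}

# One handshake against s_server. $1 = extra s_server options (the trust store under test).
# -Verify makes the server demand a client cert; -verify_return_error makes a failed
# verification abort the handshake instead of only logging it (s_server's default).
# Prints the client transcript, which includes the server's -www status page on success.
handshake() {
    cd "$WORK" || return 1
    # shellcheck disable=SC2086   # $1 is deliberately word-split
    openssl s_server -accept "$PORT" -cert server.pem -key server.key \
        -Verify 2 -verify_return_error -www $1 </dev/null >server.log 2>&1 &
    spid=$!
    sleep 1
    # Client side: -cert/-key is what it presents; -CAfile is what it trusts for the SERVER.
    out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
        -cert client.pem -key client.key -CAfile ca.pem -ign_eof 2>&1)
    kill "$spid" 2>/dev/null; wait "$spid" 2>/dev/null
    printf '%s\n' "$out"
}

# 0 if the server accepted the client cert: its status page carries a "Client certificate"
# section, i.e. SSL_get_peer_certificate() returned one and verification passed.
server_saw_client_cert() { handshake "$1" | grep -q 'Client certificate'; }

# 0 if the client was refused with alert 48 (unknown_ca), the error from the thread.
client_got_unknown_ca() { handshake "$1" | grep -q 'alert unknown ca'; }

demo() {
    make_pki || { echo "PKI setup failed"; return 1; }
    if server_saw_client_cert "-CAfile ca.pem"; then
        echo "server trusts ca.pem            -> client certificate accepted"
    fi
    if client_got_unknown_ca ""; then
        echo "server has no CA for the client -> tlsv1 alert unknown ca (48)"
    fi
    grep 'verify error' server.log   # the server's side of the failed run
}

demo
```

In a hand-written server the equivalent of s_server's -CAfile is SSL_CTX_load_verify_locations(ctx, "cacert.pem", NULL) (the trust store used to verify the client's chain) together with SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file("cacert.pem")) (the issuer names advertised in the CertificateRequest); the client's own -CAfile, as Peter notes, only governs how it verifies the server. Note also that s_server by default only logs a failed client-certificate verification and carries on; -verify_return_error is what makes it behave like Samy's SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT server with no callback.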

thanks

Samy Thiyagarajan


Hi,

Thanks for the inputs.. it worked..
:)
