
I have set up my client-server communication using OpenSSL and my server is sending its certificate. Now, I want to make my client send a certificate to the server as well. On my client side, I have the following code:

ctx = InitCTX();
LoadCertificates(ctx, "clientCert.pem", "clientCert.pem"); /* load certs */ 
server = OpenConnection(hostname, atoi(portnum));
ssl = SSL_new(ctx);      /* create new SSL connection state */
SSL_set_fd(ssl, server);    /* attach the socket descriptor */

and this is my LoadCertificates function:

#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile)
{
    /* set the local certificate from CertFile */
    if ( SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0 )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    /* set the private key from KeyFile (may be the same as CertFile) */
    if ( SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0 )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    /* verify private key */
    if ( !SSL_CTX_check_private_key(ctx) )
    {
        fprintf(stderr, "Private key does not match the public certificate\n");
        abort();
    }
    printf("Certificate attached.\n");
}

I have the same LoadCertificates function on the server side, and that seems to be working perfectly.

However, my client-side certificate is not getting detected on the server side. Is there anything different I need to do on the client side to send a certificate across?

I made modifications to the client code using the code from here as base: http://simplestcodings.blogspot.in/2010/08/secure-server-client-using-openssl-in-c.html

jww
Randomly Named User

2 Answers


... my client-side certificate is not getting detected on the server side. Is there anything different I need to do on the client side to send a certificate across?

The server needs to call SSL_CTX_set_client_CA_list. It tells the server to send a list of Distinguished Names (DN) which it accepts for client authentication.

The server will need to call SSL_CTX_load_verify_locations (or friends). This is where the server actually trusts the CAs in the list sent to the client.

Finally, the server should call SSL_CTX_set_verify and set both SSL_VERIFY_PEER and SSL_VERIFY_FAIL_IF_NO_PEER_CERT.

jww

I guess that the certificate is sent but was not accepted by the server, that is, it could not be verified against the trusted CA at the server. The error message on the server side about no certificate returned might be misleading, see https://stackoverflow.com/a/27951490/3081018.

I would suggest checking with Wireshark or openssl s_server to see if the certificate is not sent or if it is just not accepted by the peer.

Steffen Ullrich