
I have a simple server and client that use OpenSSL. The application is in C++ and uses openssl-1.1.0g, which I built myself from source. The simple case where I supply client and server certificates and private keys is working fine: the handshake succeeds and data transfer works too. Now I have two more requirements:

  1. Need to disable client authentication on the server. The client will have a CA certificate but no private key, and will do server auth.

    I don't know how to tell the OpenSSL API not to ask for a client certificate.

    [Update] This is fixed. In the conf file, under the client section, I used the keyword VerifyCAFile for the CA certificate and removed the PrivateKey. The handshake succeeded without any code change.

  2. Disable both client and server auth. Neither side has a certificate or private key.

    I tried using an anon section in the conf file that doesn't specify a certificate or a key, and set the cipher string to aNULL in this section. aNULL is the list of all anonymous ciphers according to the page here:

    https://www.openssl.org/docs/man1.1.0/apps/ciphers.html

    But this doesn't work.

Here is the setup:

Server:

SSL_CTX_new(TLS_server_method())       - create server ctx
CONF_modules_load_file                 - load conf file
SSL_CTX_config                         - get section for server
BIO_new_socket((int)socket, BIO_CLOSE) - create socket BIO
SSL_new(ctx)                           - create ssl
SSL_set_bio                            - set bio in ssl
SSL_set_accept_state(ssl)              - set accept for server
SSL_do_handshake                       - do handshake

Client:

SSL_CTX_new(TLS_client_method())       - create client ctx
CONF_modules_load_file                 - load conf file
SSL_CTX_config                         - get section for client
BIO_new_socket((int)socket, BIO_CLOSE) - create socket BIO
SSL_new(ctx)                           - create ssl
SSL_set_bio                            - set bio in ssl
SSL_set_connect_state(ssl)             - set connect for client
SSL_do_handshake                       - do handshake

Conf file:

testApp = test_sect

[test_sect]
# list of configuration modules

ssl_conf = ssl_sect

[ssl_sect]

server = server_section
client = client_section
anon = anon_section

[server_section]
CipherString = DEFAULT
Certificate = <path to server.cer>
PrivateKey  = <path to server.key>

[client_section]
CipherString = DEFAULT
Certificate = <path to client.cer>
PrivateKey  = <path to client.key>

[anon_section]
CipherString = aNULL

1 Answer


On the server, you want something like:

SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);

I thought this was the default, however.

stark
  • Tried this: SSL_set_verify(_ssl, SSL_VERIFY_NONE, NULL); SSL_verify_cb seems to be a pointer. – Pokemon Go Mar 15 '18 at 20:35
  • Sorry. SSL_set_verify is the right call. Fixed. It should be done before the handshake. – stark Mar 16 '18 at 14:08
  • Like you suspected, SSL_VERIFY_NONE is the default. The original issue with my conf file was that VerifyCAFile and VerifyMode were missing. Once I specified VerifyCAFile and set VerifyMode to Peer on the client side, the first requirement was met. Now the only issue remaining is how to remove VerifyCAFile, Certificate and PrivateKey from both client and server and still make the handshake succeed. Any suggestions are welcome. Thanks for your suggestions. – Pokemon Go Mar 19 '18 at 17:26