Hello all,

I am struggling with a bit of an esoteric question and have been debugging for days now.

Basically, I am outfitting an existing app with asio-based SSL HTTPS. Clients will have to use client authentication. I have my own root CA that signs both client and server certs. Extensive debugging using OpenSSL's s_client and s_server tools shows that the certificate trust chain etc. is OK.

Server side works fine with browsers, requests client certificate from browsers and only allows access if present. Alas, I can't get the client side to work.

In Boost 1.43, asio did not yet have any verification callbacks, but it does have this:

  // tlsv1_client is a context::method (a protocol selector), not an option
  // flag, so passing it to set_options() has no protocol-selecting effect.
  // In Boost 1.43 the method goes into the context constructor, e.g.
  //   asio::ssl::context ctx(io_service, asio::ssl::context::tlsv1_client);
  // set_options() takes only option flags such as default_workarounds.
  m_ssl_context.set_options( asio::ssl::context::default_workarounds );

  // Client side: verify_peer checks the server certificate against myrootca.
  m_ssl_context.set_verify_mode( asio::ssl::context::verify_peer );
  m_ssl_context.load_verify_file( myrootca );
  // Client identity presented when the server sends a certificate request.
  // Note: SSL_new() copies the certificate and key out of the SSL_CTX, so the
  // ssl::stream must be constructed after these two calls, not before.
  m_ssl_context.use_certificate_file( myclient_cert, asio::ssl::context::pem );
  m_ssl_context.use_private_key_file( myclient_key, asio::ssl::context::pem );

When I debug this using openssl s_server, I see the connection failing with this message:

...
SSL_accept:SSLv3 write certificate request A
SSL_accept:SSLv3 flush data
read from -0x7ff81be0 [-0x7ff8e2dd] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 07                                    .....
read from -0x7ff81be0 [-0x7ff8e2d8] (7 bytes => 7 (0x7))
0000 - 0b 00 00 03                                       ....
0007 - <SPACES/NULS>
write to -0x7ff81be0 [-0x7ff77a80] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
SSL3 alert write:fatal:handshake failure
SSL_accept:error in SSLv3 read client certificate B
2675716:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:3274:
ACCEPT

An s_client or browser with the exact same keys can connect. Only asio fails, and only on the client.

Debugging shows that the client won't send the requested SSL certificates to the server. Also, when I register a verification callback in the impl like this:

  // Callback signature for SSL_CTX_set_client_cert_cb(); OpenSSL calls it only when
  // the SSL object holds no certificate/key, and returning 1 with *x509/*pkey unset supplies none.
  static int client_certificate_callback(SSL *, X509 **, EVP_PKEY **) { return 1; }
  SSL_CTX *ctx = m_ssl_context.impl();   // Boost 1.43: impl() is the raw SSL_CTX*
  SSL *ssl = m_ssl_socket.impl()->ssl;   // raw SSL* of the stream (not used below)
  SSL_CTX_set_client_cert_cb(ctx, &client_certificate_callback);

and always return 1 in the callback, it still fails. Unfortunately I cannot upgrade to a post-war boost version and cannot touch OpenSSL either. It is on Windows here and uses OpenSSL 0.9.8i as far as I can see. Am I screwed? Or does anyone have an idea?

Much appreciated.

Stephan
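A self-contained version of the s_server/s_client check described in the post, added here as an example and not part of the original message or of Boost/asio: it generates a throwaway root CA with a server and a client certificate (constructed stand-ins for myrootca, myclient_cert and myclient_key), starts s_server with -Verify so a client certificate is mandatory, and shows the same request succeeding with the client certificate and being refused without one, which is when the server side logs "peer did not return a certificate". Port 14433 and the demo subject names are assumptions.

```sh
#!/bin/sh
# Constructed demo: mutual TLS against a private root CA, checked with
# openssl s_server / s_client. Requires the openssl CLI (1.1.1 or newer).
set -e
PORT=14433                      # assumption: any free local port works
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway root CA that signs both the server and the client certificate
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-root-ca \
    -keyout ca.key -out ca.pem 2>/dev/null

# mkleaf NAME: key + CSR for NAME, signed by the demo CA -> NAME.pem / NAME.key
mkleaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1.csr" -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out "$1.pem" 2>/dev/null
}
mkleaf server
mkleaf client

# Server that *requires* a client certificate (-Verify, not -verify) and
# answers "HTTP/1.0 200 ok" to a GET once the handshake has completed.
openssl s_server -accept "$PORT" -www -Verify 1 -CAfile ca.pem \
    -cert server.pem -key server.key >/dev/null 2>&1 &
SERVER=$!
trap 'kill "$SERVER" 2>/dev/null || true; rm -rf "$WORK"' EXIT
sleep 1                         # give s_server a moment to start listening

# mtls_get [NAME]: one request via s_client, presenting NAME.pem/NAME.key if
# given. Prints "ok" when the server answered, "refused" otherwise (the
# server side then logs "peer did not return a certificate").
mtls_get() {
    if [ -n "$1" ]; then certopt="-cert $1.pem -key $1.key"; else certopt=""; fi
    out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
        -CAfile ca.pem -verify_return_error $certopt -quiet 2>&1 || true)
    case "$out" in
        *"HTTP/1.0 200 ok"*) echo ok ;;
        *)                   echo refused ;;
    esac
}

echo "with client certificate:    $(mtls_get client)"   # ok
echo "without client certificate: $(mtls_get)"          # refused
```

Running s_server without the -quiet redirection shows the same "SSL3 alert write:fatal:handshake failure" / "peer did not return a certificate" lines as in the post for the certificate-less request.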