Stephan,
thanks for sharing this


On Tue, Jun 11, 2013 at 11:35 AM, Stephan Menzel <stephan.menzel@gmail.com> wrote:

All right, after much suffering, the answer has been found by Dave Thompson of OpenSSL.

The reason was that my SSL code called all those functions on the OpenSSL context after the socket object (SSL*) was created from it, which means all those functions did practically nothing or the wrong thing.

All I had to do was call the asio context modifying functions before the socket object is created. Or bypass asio and use the SSL functions on the socket's impl() which is SSL*.

Stephan


On Fri, Jun 7, 2013 at 3:53 PM, Stephan Menzel <stephan.menzel@gmail.com> wrote:
Hello all,

I am struggling with a bit of an esoteric question and have been debugging for days now.

Basically, I am outfitting an existing app with asio based ssl HTTPS. Clients will have to use client authentication. Have my own root CA that signs both client and server certs. Extensive debugging using OpenSSL's s_client and s_server tools shows that the certificate trust chain etc is OK.

Server side works fine with browsers, requests client certificate from browsers and only allows access if present. Alas, I can't get the client side to work.

In boost 1.43 asio did not yet have any verification callbacks but it does have this:

  m_ssl_context.set_options(
         asio::ssl::context::tlsv1_client
       | asio::ssl::context::default_workarounds
  );

  m_ssl_context.set_verify_mode( asio::ssl::context::verify_peer );
  m_ssl_context.load_verify_file( myrootca );
  m_ssl_context.use_certificate_file( myclient_cert, asio::ssl::context::pem );
  m_ssl_context.use_private_key_file( myclient_key, asio::ssl::context::pem );

When I debug this using openssl s_server I see the connection failing with this message:

...
SSL_accept:SSLv3 write certificate request A
SSL_accept:SSLv3 flush data
read from -0x7ff81be0 [-0x7ff8e2dd] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 07                                    .....
read from -0x7ff81be0 [-0x7ff8e2d8] (7 bytes => 7 (0x7))
0000 - 0b 00 00 03                                       ....
0007 - <SPACES/NULS>
write to -0x7ff81be0 [-0x7ff77a80] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
SSL3 alert write:fatal:handshake failure
SSL_accept:error in SSLv3 read client certificate B
2675716:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:3274:
ACCEPT

A s_client or browser with the exact same keys can connect. Only asio fails and only on the client.

Debugging shows that the client won't send the requested SSL certificates to the server. Also, when I register a verification callback in the impl like that:


  SSL_CTX *ctx = m_ssl_context.impl();
  SSL *ssl = m_ssl_socket.impl()->ssl;
  SSL_CTX_set_client_cert_cb(ctx, &client_certificate_callback);

and always return 1 in the callback, it still fails. Unfortunately I cannot upgrade to a post-war boost version and cannot touch OpenSSL either. It is on Windows here and uses OpenSSL 0.9.8i as far as I can see. Am I screwed? Or does anyone have an idea?

Much appreciated.

Stephan




_______________________________________________
Boost-users mailing list
Boost-users@lists.boost.org
http://lists.boost.org/mailman/listinfo.cgi/boost-users



--
SDM