Boost Users :

Subject: [Boost-users] asio 1.43 ssl client certificate failure
From: Stephan Menzel (stephan.menzel_at_[hidden])
Date: 2013-06-07 09:53:27


Hello all,

I am struggling with a bit of an esoteric question and have been debugging
for days now.

Basically, I am outfitting an existing app with asio based ssl HTTPS.
Clients will have to use client authentication. I have my own root CA that
signs both client and server certs. Extensive debugging using OpenSSL's
s_client and s_server tools shows that the certificate trust chain etc. is
OK.

Server side works fine with browsers, requests client certificate from
browsers and only allows access if present. Alas, I can't get the client
side to work.

In Boost 1.43 asio did not yet have any verification callbacks but it does
have this:

  m_ssl_context.set_options(
         asio::ssl::context::tlsv1_client
       | asio::ssl::context::default_workarounds
  );

  m_ssl_context.set_verify_mode( asio::ssl::context::verify_peer );
  m_ssl_context.load_verify_file( myrootca );
  m_ssl_context.use_certificate_file( myclient_cert, asio::ssl::context::pem );
  m_ssl_context.use_private_key_file( myclient_key, asio::ssl::context::pem );

When I debug this using openssl s_server I see the connection failing with
this message:

...
SSL_accept:SSLv3 write certificate request A
SSL_accept:SSLv3 flush data
read from -0x7ff81be0 [-0x7ff8e2dd] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 07 .....
read from -0x7ff81be0 [-0x7ff8e2d8] (7 bytes => 7 (0x7))
0000 - 0b 00 00 03 ....
0007 - <SPACES/NULS>
write to -0x7ff81be0 [-0x7ff77a80] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28 ......(
SSL3 alert write:fatal:handshake failure
SSL_accept:error in SSLv3 read client certificate B
2675716:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
not return a certificate:s3_srvr.c:3274:
ACCEPT

An s_client or browser with the exact same keys can connect. Only asio fails
and only on the client.

Debugging shows that the client won't send the requested SSL certificates
to the server. Also, when I register a verification callback in the impl
like that:

  SSL_CTX *ctx = m_ssl_context.impl();
  SSL *ssl = m_ssl_socket.impl()->ssl;
  SSL_CTX_set_client_cert_cb(ctx, &client_certificate_callback);

and always return 1 in the callback, it still fails. Unfortunately I cannot
upgrade to a post-war boost version and cannot touch OpenSSL either. It is
on Windows here and uses OpenSSL 0.9.8i as far as I can see. Am I screwed?
Or does anyone have an idea?

Much appreciated.

Stephan
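As an added example (not part of Stephan's post or of Boost.Asio), a POSIX shell check of the three files the snippet hands to load_verify_file, use_certificate_file and use_private_key_file: does the client cert chain to the root CA for the sslclient purpose, does the private key actually belong to that cert, and, if an extendedKeyUsage is present, does it allow clientAuth. The function name and the file paths are assumptions; the certificates used to exercise it are constructed on the fly with the openssl CLI.

```shell
#!/bin/sh
# Added example, not code from the original post. check_client_identity is a
# hypothetical helper: it validates the client-side material before the TLS
# library is blamed for a "peer did not return a certificate" failure.
#
# Usage: check_client_identity ROOT_CA.pem CLIENT_CERT.pem CLIENT_KEY.pem
# Returns 0 when the cert chains to the root CA, is acceptable for client
# authentication, and matches the private key; non-zero otherwise.
check_client_identity() {
    ca=$1; cert=$2; key=$3

    # 1. The chain the server builds from the presented cert must end at the
    #    root CA given to load_verify_file, and the cert must be valid for
    #    the "sslclient" purpose (the check a strict server performs).
    openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1 \
        || { echo "chain/purpose check failed for $cert"; return 1; }

    # 2. The key given to use_private_key_file must belong to the cert given
    #    to use_certificate_file: compare the SubjectPublicKeyInfo of both.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match $cert"; return 1; }

    # 3. If an extendedKeyUsage extension is present it must include
    #    clientAuth; a cert without EKU is allowed for any purpose.
    #    (-ext needs OpenSSL 1.1.1+; on older builds this step is skipped.)
    eku=$(openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null)
    case "$eku" in
        "") ;;
        *"TLS Web Client Authentication"*) ;;
        *) echo "extendedKeyUsage of $cert lacks clientAuth"; return 1 ;;
    esac
    return 0
}
```

If all three checks pass, the remaining suspects are the library's handling of the loaded identity rather than the files themselves.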



Boost-users list run by williamkempf at hotmail.com, kalb at libertysoft.com, bjorn.karlsson at readsoft.com, gregod at cs.rpi.edu, wekempf at cox.net