|
Boost Users : |
Subject: Re: [Boost-users] asio 1.43 ssl client certificate failure
From: Stephan Menzel (stephan.menzel_at_[hidden])
Date: 2013-06-11 05:35:06
All right, after much suffering, the answer has been found by Dave Thompson
of OpenSSL.
The reason was that my ssl code called all those functions on the OpenSSL
context after the socket object (SSL*) was created from it. Which means all
those functions did practically nothing or the wrong thing.
All I had to do was call the asio context modifying functions before the
socket object is created. Or bypass asio and use the SSL functions on the
socket's impl() which is SSL*.
Stephan
On Fri, Jun 7, 2013 at 3:53 PM, Stephan Menzel <stephan.menzel_at_[hidden]>wrote:
> Hello all,
>
> I am struggling with a bit of an esoteric question and have been debugging
> for days now.
>
> Basically, I am outfitting an existing app with asio based ssl HTTPS.
> Clients will have to use client authentication. Have my own root CA that
> signs both client and server certs. Extensive debugging using OpenSSL's
> s_client and s_server tools shows that the certificate trust chain etc is
> OK.
>
> Server side works fine with browsers, requests client certificate from
> browsers and only allows access if present. Alas, I can't get the client
> side to work.
>
> in boost 1.43 asio did not yet have any verification callbacks but it does
> have this:
>
> m_ssl_context.set_options(
> asio::ssl::context::tlsv1_client
> | asio::ssl::context::default_workarounds
> );
>
> m_ssl_context.set_verify_mode( asio::ssl::context::verify_peer );
> m_ssl_context.load_verify_file( myrootca );
> m_ssl_context.use_certificate_file( myclient_cert,
> asio::ssl::context::pem );
> m_ssl_context.use_private_key_file( myclient_key,
> asio::ssl::context::pem );
>
> When I debug this using openssl s_server I see the connection failing with
> this message:
>
> ...
> SSL_accept:SSLv3 write certificate request A
> SSL_accept:SSLv3 flush data
> read from -0x7ff81be0 [-0x7ff8e2dd] (5 bytes => 5 (0x5))
> 0000 - 16 03 01 00 07 .....
> read from -0x7ff81be0 [-0x7ff8e2d8] (7 bytes => 7 (0x7))
> 0000 - 0b 00 00 03 ....
> 0007 - <SPACES/NULS>
> write to -0x7ff81be0 [-0x7ff77a80] (7 bytes => 7 (0x7))
> 0000 - 15 03 01 00 02 02 28 ......(
> SSL3 alert write:fatal:handshake failure
> SSL_accept:error in SSLv3 read client certificate B
> 2675716:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
> not return a certificate:s3_srvr.c:3274:
> ACCEPT
>
> A s_client or browser with the exact same keys can connect. Only asio
> fails and only on the client.
>
> Debugging shows that the client won't send the requested SSL certificates
> to the server. Also, when I register a verification callback in the impl
> like that:
>
>
> SSL_CTX *ctx = m_ssl_context.impl();
> SSL *ssl = m_ssl_socket.impl()->ssl;
> SSL_CTX_set_client_cert_cb(ctx, &client_certificate_callback);
>
> and always return 1 in the callback, it still fails. Unfortunately I
> cannot upgrade to a post-war boost version and cannot touch OpenSSL either.
> It is on Windows here and uses OpenSSL 0.9.8i as far as I can see. Am I
> screwed? Or does anyone have an idea?
>
> Much appreciated?
>
> Stephan
>
>
>
Boost-users list run by williamkempf at hotmail.com, kalb at libertysoft.com, bjorn.karlsson at readsoft.com, gregod at cs.rpi.edu, wekempf at cox.net