Subject: Re: [Boost-users] asio 1.43 ssl client certificate failure
From: salvatore dario minonne (dario.minonne_at_[hidden])
Date: 2013-06-11 05:39:07
Stephan,
thanks for sharing this.
On Tue, Jun 11, 2013 at 11:35 AM, Stephan Menzel
<stephan.menzel_at_[hidden]> wrote:
> All right, after much suffering, the answer has been found by Dave
> Thompson of OpenSSL.
>
> The reason was that my ssl code called all those functions on the OpenSSL
> context after the socket object (SSL*) was created from it. Which means all
> those functions did practically nothing or the wrong thing.
>
> All I had to do was call the asio context modifying functions before the
> socket object is created. Or bypass asio and use the SSL functions on the
> socket's impl() which is SSL*.
>
> Stephan
>
>
> On Fri, Jun 7, 2013 at 3:53 PM, Stephan Menzel <stephan.menzel_at_[hidden]> wrote:
>
>> Hello all,
>>
>> I am struggling with a bit of an esoteric question and have been
>> debugging for days now.
>>
>> Basically, I am outfitting an existing app with asio based ssl HTTPS.
>> Clients will have to use client authentication. Have my own root CA that
>> signs both client and server certs. Extensive debugging using OpenSSL's
>> s_client and s_server tools shows that the certificate trust chain etc is
>> OK.
>>
>> Server side works fine with browsers, requests client certificate from
>> browsers and only allows access if present. Alas, I can't get the client
>> side to work.
>>
>> In Boost 1.43 asio did not yet have any verification callbacks, but it
>> does have this:
>>
>> m_ssl_context.set_options(
>>     asio::ssl::context::default_workarounds
>> );  // tlsv1_client is a context::method (constructor argument), not a set_options flag
>>
>> m_ssl_context.set_verify_mode( asio::ssl::context::verify_peer );  // require a valid server cert
>> m_ssl_context.load_verify_file( myrootca );                         // trust anchor: own root CA
>> m_ssl_context.use_certificate_file( myclient_cert,
>>                                     asio::ssl::context::pem );      // client cert to present on request
>> m_ssl_context.use_private_key_file( myclient_key,
>>                                     asio::ssl::context::pem );
>>
>> When I debug this using openssl s_server I see the connection failing
>> with this message:
>>
>> ...
>> SSL_accept:SSLv3 write certificate request A
>> SSL_accept:SSLv3 flush data
>> read from -0x7ff81be0 [-0x7ff8e2dd] (5 bytes => 5 (0x5))
>> 0000 - 16 03 01 00 07 .....
>> read from -0x7ff81be0 [-0x7ff8e2d8] (7 bytes => 7 (0x7))
>> 0000 - 0b 00 00 03 ....
>> 0007 - <SPACES/NULS>
>> write to -0x7ff81be0 [-0x7ff77a80] (7 bytes => 7 (0x7))
>> 0000 - 15 03 01 00 02 02 28 ......(
>> SSL3 alert write:fatal:handshake failure
>> SSL_accept:error in SSLv3 read client certificate B
>> 2675716:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
>> not return a certificate:s3_srvr.c:3274:
>> ACCEPT
>>
>> A s_client or browser with the exact same keys can connect. Only asio
>> fails and only on the client.
>>
>> Debugging shows that the client won't send the requested SSL certificates
>> to the server. Also, when I register a verification callback in the impl
>> like that:
>>
>>
>> SSL_CTX *ctx = m_ssl_context.impl();         // underlying OpenSSL SSL_CTX*
>> SSL *ssl = m_ssl_socket.impl()->ssl;          // underlying SSL* of the already-created stream
>> SSL_CTX_set_client_cert_cb(ctx, &client_certificate_callback);
>>
>> and always return 1 in the callback, it still fails. Unfortunately I
>> cannot upgrade to a post-war boost version and cannot touch OpenSSL either.
>> It is on Windows here and uses OpenSSL 0.9.8i as far as I can see. Am I
>> screwed? Or does anyone have an idea?
>>
>> Much appreciated?
>>
>> Stephan
>>
>>
>>
>
-- SDM
Boost-users list run by williamkempf at hotmail.com, kalb at libertysoft.com, bjorn.karlsson at readsoft.com, gregod at cs.rpi.edu, wekempf at cox.net