I have a working application that establishes an SSL connection to the server. The server uses a self-signed certificate, and the client downloads the certificate authority's chain of authority to indicate that the server is OK to trust. I did this with the following code on the client:
SSL_METHOD* method = TLSv1_client_method();
_ctx = SSL_CTX_new(method);
if ( SSL_CTX_load_verify_locations(_ctx, "ca-all.crt", NULL) != 1 )
{
return false;
}
_ssl = SSL_new(_ctx);
int val = SSL_set_fd(_ssl, _socket->GetFD());
if ( val != SSL_SUCCESS )
{
int err = SSL_get_error(_ssl, val);
return false;
}
val = SSL_connect(_ssl);
And on the server:
if ( SSL_CTX_use_certificate_chain_file( g_ctx, "ca-chain1.crt" ) <= 0 ) {
return 1;
}
ppem_file = getenv( "PEM_FILE" );
if ( ppem_file == NULL ) {
ppem_file = pem_file;
}
if ( SSL_CTX_use_certificate_file( g_ctx, ppem_file,
SSL_FILETYPE_PEM ) <= 0 ) {
return 1;
}
if ( SSL_CTX_use_PrivateKey_file( g_ctx, ppem_file,
SSL_FILETYPE_PEM ) <= 0 ) {
return 2;
}
I am trying to change this code so that the server also validates the peer client certificate (self-signed, using the same issuer as the server) and has some problems. I have not found good “conceptual review” documentation anywhere, and this seems like a typical hurdle for OpenSSL libraries.
On the client, I added this after calling SSL_CTX_load_verify_locations ():
if ( SSL_CTX_use_certificate_file(_ctx, "generic_client.pem", SSL_FILETYPE_PEM ) != 1 )
{
return false;
}
On the server, I added this after calling SSL_CTX_use_PrivateKey_file ():
STACK_OF(X509_NAME) *list;
list = SSL_load_client_CA_file( "ca_chain2.crt" );
if( list == NULL ) {
return 4;
}
SSL_CTX_set_client_CA_list( g_ctx, list );
SSL_CTX_set_verify( g_ctx, SSL_VERIFY_PEER, NULL );
, . , , , SSL_CTX_set_verify, ( ).
, , . ?
:
openssl verify -CAfile ca-chain2.crt generic_client.pem
, , - .