OpenSSL client: verify that client is valid

zvivered · 11-15-2016, 10:29 AM

Hello,

I found the attached sample code for client side and server side in:
http://h41379.www4.hpe.com/doc/83fin...C2%A0%EF%BF%BD

client side uses the files:
client_ca.crt
client.key
client.crt

server side uses the files:
server.crt
server.key
server_ca.crt

client_ca.crt = server_ca.crt
client_ca.key = server_ca.key

How the server can make sure that a valid client is sending a request ?

In the client side, if "verify_client == ON", the routine:
SSL_CTX_check_private_key ask for a password.
How can avoid it ? I want the client verification to be automatic, without user response.

Thank you,
Z.V

smallpond · 11-16-2016, 03:32 PM

If you don't want to be prompted for a password, then use certs with no password.

zvivered · 11-17-2016, 07:36 AM

Hello,

Attached client, server code.
The server code is copied from OpenSSL wiki.
In this code I did some minor changes in order to turn it to a client code.

In the client side, SSL_connect fails with rc=0. SSL_get_error returns 5.

Can you please tell what is wrong in my client side ?

Upon SSL_connect, SSL_acceopt returns with rc=0. SSL_get_error returns 5.

Thank you in advance,
Z.V

sundialsvcs · 11-17-2016, 09:08 AM

As has been said:

Make sure that verification is set to use only a certificate; to not fall back by any means to a password prompt.
Make sure that the certificates themselves are not encrypted with a password. (If they are, you will be required to enter it.)
You should not use "challenge password," either.

Habitual · 11-17-2016, 09:19 AM

Code:

openssl rsa -in server.key -out server-no-pass.key

should ask for server.key first, Enter it at
Enter password: <key file password>

Next it (-out...) it will ask you to create a password for server-no-pass.key and upon
Enter password: <press enter twice>

use crt and no-pass.key in ssl conf.
Something like this:

Code:

SSLCertificateFile /you/must/edit/me/domain_com_ee.crt
SSLCertificateKeyFile  /etc/pki/tls/private/server-no-pass.key
SSLCACertificateFile /you/must/edit/me/domain_com_apache.crt

Hope that helps.

zvivered · 11-18-2016, 02:39 AM

Hello,

Thank you very much for your help !

Attached my current code for client+server.
I created cert.pem with:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Then I copied cert.pem to the server side.

what key should I use for creating server-no-pass.key ?

Is there a way not to change openssl.cnf ?

Best regards,
Z.V

Habitual · 11-18-2016, 04:42 AM

Quote:

Originally Posted by zvivered

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Then I copied cert.pem to the server side.

what key should I use for creating server-no-pass.key ?

Is there a way not to change openssl.cnf ?

Best regards,
Z.V

You identified them earlier as:

Quote:

Originally Posted by zvivered

server side uses the files:
server.crt
server.key
server_ca.crt

client_ca.crt = server_ca.crt
client_ca.key = server_ca.key

openssl.cnf?
Did you mean /etc/ssl/openssl.cnf ?

I think I should butt out now. Sorry, nothing personal.