验证SSL客户端真实性失败，原因是SSL3_GET_CLIENT_CERTIFICATE：未返回任何证书 [英] Verifying SSL client authenticity fails due to SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

问题描述

我使用OpenSSL API for C ++。通信是在嵌入式Linux设备（SSL服务器）和Windows软件（SSL客户端）之间进行。

I am using OpenSSL API for C++. Communication is between an embedded linux device (SSL server) and Windows software (SSL client).

我想确保预期的服务器和客户端只会相互通话。我已为服务器生成了根密钥，以及以下内容：

I want to ensure that the intended server and client will only speak to one another. I have generated a root key for the server, along with the following:

• 根CA授权服务器）


• 服务器证书


• 服务器私钥

只有在握手期间授权服务器证书时，我的SSL连接才能正常工作。

My SSL connection works fine when only authorizing the server certificate during handshaking.

但是，我还要验证客户端的真实性， 客户端以及以下内容：

However, I also want to verify client authenticity, so I generated another root key for the client, along with the following:

• 根CA（由服务器用于授权客户端）


• 客户端证书


• 客户端私钥

由于发生以下错误，我的服务器无法接受客户端连接：

Using the code below, my server fails to accept the client connection due to the following error:

724428760：错误：140890B2：SSL例程：SSL3_GET_CLIENT_CERTIFICATE：no证书已退回：s3_srvr.c：3291：

724428760:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:3291:

这是我的与SSL证书相关的服务器代码：

Here is my server code related to SSL certificates:

bool SSLServer::loadCertificates(const char * sCertFile,
                                 const char * sKeyFile,
                                 const char * sCAFile)
{
    // set server certificate
    if (SSL_CTX_use_certificate_file(_pCTX, sCertFile, SSL_FILETYPE_PEM) <= 0)
    {
        ERR_print_errors_fp(stderr);
        return false;
    }

    // set the private key
    if (SSL_CTX_use_PrivateKey_file(_pCTX, sKeyFile, SSL_FILETYPE_PEM) <= 0)
    {
        ERR_print_errors_fp(stderr);
        return false;
    }

    // verify private key
    if (!SSL_CTX_check_private_key(_pCTX))
    {
        qWarning() << "Private key does not match the public certificate.";
        return false;
    }

    SSL_CTX_set_verify(_pCTX, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);

    // load the trusted client CA certificate into context
    if (SSL_CTX_load_verify_locations(_pCTX, sCAFile, NULL) != 1)
    {
        ERR_print_errors_fp(stderr);
        return false;
    }

    // allow this CA to be sent to the client during handshake
    STACK_OF(X509_NAME) * list = SSL_load_client_CA_file(sCAFile);
    if (NULL == list)
    {
        qWarning() << "Failed to load SSL client CA file.";
        return false;
    }
    SSL_CTX_set_client_CA_list(_pCTX, list);
    SSL_CTX_set_verify_depth(_pCTX, 1);

    return true;
}

这里是我的客户端代码：

And here is my client code:

bool SSLClient::LoadCertificates(const char * sCAFile,
                                 const char * sClientCertFile,
                                 const char * sClientKeyFile)
{
    ASSERT(NULL != sCAFile && NULL != sClientCertFile && NULL != sClientKeyFile);

    // load RSA CA certificate into context to let client verify server's authenticity
    // (will be used with server certificate and private key)
    if (!SSL_CTX_load_verify_locations(_pCTX, sCAFile, NULL))
    {
        ERR_print_errors_fp(stderr);
        return false;
    }

    // load client certificate into context to let server verify client's authenticity
    // (will be used with server's RSA CA certificate)
    if (SSL_CTX_use_certificate_file(_pCTX, sClientCertFile, SSL_FILETYPE_PEM) != 1)
    {
        ERR_print_errors_fp(stderr);
        return false;
    }

    // load client certificate private key into context
    if (SSL_CTX_use_PrivateKey_file(_pCTX, sClientKeyFile, SSL_FILETYPE_PEM) != 1)
    {
        ERR_print_errors_fp(stderr);
        return false;
    }

    // verify that client cert and private key match
    if (!SSL_CTX_check_private_key(_pCTX))
    {
        OutputDebugString("Private key does not match the certificate public key\n");
        return false;
    }

    // require server certificate verification
    SSL_CTX_set_verify(_pCTX, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
    SSL_CTX_set_verify_depth(_pCTX, 1);

    return true;
}

再次，如果我删除与验证客户端证书相关的代码， 。

Again, it works completely fine if I remove the code related to verifying client certificate. Am I missing something, or doing something completely wrong?

推荐答案

您的代码的工作副本以及证书： http://files.webfile.ru/567c28b8973091cbdad036f3e43e989b

Working copy of your code along with certificates: http://files.webfile.ru/567c28b8973091cbdad036f3e43e989b

您的如果生成证书只是回答回答问题可以重现问题。你会得到自签名证书，没有任何意图。问题就像 OpenSSL - 错误18在0深度查找：自签名证书
当侦听ssl问题时，你应该使用不是wireshark但ssldump。

Exactly your problem can be reproduced if generate certificates just hitting 'enter' answering questions. You'll got 'self-signed' certificate without any intention to make it. Problem exactly like OpenSSL - error 18 at 0 depth lookup:self signed certificate When snooping ssl problems you should use not wireshark but ssldump.

这篇关于验证SSL客户端真实性失败，原因是SSL3_GET_CLIENT_CERTIFICATE：未返回任何证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！