SSL Handshake with Client Certificate

Posted: 03/02/2009 21:43:57
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

I am using SSLSecureBlackbox on a VB6 client. I have an OpenSSL server written in C. The server is set up to require client certs. On the client side I am loading the client.pem file using LoadFromBufferPEM.
I do this in the Client_OnCertificateNeededEx event.

If sendcert Then
   Set SSLCertificate = CreateObject("BaseBBox6.ElCertificateX")
   Call OpenFileForRead(infile, App.Path + "\client.pem")
   Size = LOF(infile)
   Call BlockRead(infile, Buf, Size)
   Close infile
   Call SSLCertificate.LoadFromBufferPEM(Buf, "password")

   Set Certificate = SSLCertificate
   sendcert = False
   Set Certificate = Nothing
End If

The server throws an error
74034:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2564:

Is there anything else I should do to send down the cert?

Posted: 03/02/2009 23:31:39
by Ken Ivanov (Team)

It is likely that the client.pem file does not contain a private key (or the password provided is not valid). If you are sure that it is there, please check if SimpleSSLDemo is able to authenticate with your certificate.

Posted: 03/03/2009 08:43:36
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

I tried the SimpleSSLDemo project. It did not work. I get the same error. I also created a PKCS12 file this time using the command
openssl pkcs12 -export -in clientcert.pem -inkey clientkey.pem -out client.pfx

The client.pfx contains both the cert and the key.

Posted: 03/03/2009 08:57:04
by Ken Ivanov (Team)

Can you please check the SSLCertificate.PrivateKeyExists property right after the certificate is loaded?

Posted: 03/03/2009 09:02:04
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

Yes, the property is set to TRUE.

Posted: 03/03/2009 09:24:22
by Ken Ivanov (Team)

The server may require a complete certificate chain to be provided (up to the root CA certificate). Did you have a chance to try to connect to the server with some other client software?

BTW, please check that the TLS 1.1 and TLS 1.2 versions are disabled on the client, as some servers have difficulty understanding them.

Posted: 03/03/2009 10:21:38
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

I have a client written in C which uses OpenSSL and that can load the client cert and send it to the server.

I disabled the TLS options:

Client.DisableVersion SB_TLS_11
Client.DisableVersion SB_TLS_12

It did not work.

Posted: 03/03/2009 12:59:24
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

I was able to get that working.
I recreated my certs using the following. Might help others.

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
cat server.crt server.key > server.pem
openssl x509 -subject -issuer -noout -in server.pem
cat ca.crt ca.key > ca.pem
openssl x509 -subject -issuer -noout -in ca.pem
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx
cat client.crt client.key > client.pem
openssl x509 -subject -issuer -noout -in client.pem
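
An added example, written for this thread and not code from the original posts, SecureBlackbox or OpenSSL: a POSIX shell script that reproduces the certificate recreation above non-interactively and then runs the checks Ken's earlier replies call for, namely that the client PEM carries a private key as well as a certificate, whether that key is encrypted (so the password passed to LoadFromBufferPEM must match), that the key actually belongs to the certificate, and that the leaf certificate validates against the CA the server trusts. The passphrases, subjects, key size and serial numbers are placeholders chosen for the demo; `openssl` is assumed to be on the PATH. Unlike the hand-typed sequence, it gives the server and client certificates distinct serials under the same CA.

```shell
#!/bin/sh
# Added example, not code from the thread or from SecureBlackbox/OpenSSL.
# Builds a throw-away CA, server and client PKI without prompts, then runs the
# checks a "no certificate returned" handshake failure calls for.
# Assumptions: `openssl` on PATH; passphrases, subjects and serials are
# placeholders chosen for this demo.
set -e

CA_PASS="capass"         # placeholder passphrase protecting ca.key
CLIENT_PASS="clientpass" # placeholder passphrase protecting client.key
PFX_PASS="pfxpass"       # placeholder export password for client.pfx

# Number of CERTIFICATE blocks in a PEM file (prints 0 when there are none).
pem_cert_count() {
  grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds if the PEM file carries a private key block (PKCS#1, PKCS#8, EC or DSA).
pem_has_private_key() {
  grep -q -E -- '^-----BEGIN (RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# Succeeds if that key is passphrase-protected: a wrong password at load time
# then leaves the client with a certificate but no usable key.
pem_key_is_encrypted() {
  grep -q -E -- '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Triage a client PEM. Exit status: 0 = certificate and key present,
# 1 = no certificate block, 2 = no private key block.
diagnose_client_pem() {
  f="$1"
  [ "$(pem_cert_count "$f")" -gt 0 ] || { echo "$f: no certificate block" >&2; return 1; }
  pem_has_private_key "$f" || { echo "$f: no private key block" >&2; return 2; }
  if pem_key_is_encrypted "$f"; then
    echo "$f: private key is encrypted; the password given at load time must match"
  fi
  echo "$f: $(pem_cert_count "$f") certificate(s) plus a private key"
  return 0
}

# Succeeds if the RSA private key $2 (passphrase $3) belongs to certificate $1:
# both must expose the same modulus.
key_matches_cert() {
  cert_mod=$(openssl x509 -noout -modulus -in "$1")
  key_mod=$(openssl rsa -noout -modulus -in "$2" -passin "pass:$3")
  [ "$cert_mod" = "$key_mod" ]
}

# Create CA, server and client material in directory $1. Runs in a subshell so
# the caller's working directory is left alone.
make_demo_pki() (
  cd "$1"
  openssl genrsa -des3 -passout "pass:$CA_PASS" -out ca.key 2048
  openssl req -new -x509 -days 365 -key ca.key -passin "pass:$CA_PASS" \
    -subj "/CN=Demo Root CA" -out ca.crt
  openssl genrsa -out server.key 2048   # unencrypted so a daemon can start unattended
  openssl req -new -key server.key -subj "/CN=demo-server" -out server.csr
  openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
    -passin "pass:$CA_PASS" -set_serial 01 -out server.crt
  openssl genrsa -des3 -passout "pass:$CLIENT_PASS" -out client.key 2048
  openssl req -new -key client.key -passin "pass:$CLIENT_PASS" \
    -subj "/CN=demo-client" -out client.csr
  openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
    -passin "pass:$CA_PASS" -set_serial 02 -out client.crt
  # Both leaves must validate against the CA the server will be configured with;
  # this is the same check the OpenSSL server performs on the presented cert.
  openssl verify -CAfile ca.crt server.crt client.crt
  # Client material in both shapes the thread used: PKCS#12 and cert+key PEM.
  openssl pkcs12 -export -in client.crt -inkey client.key \
    -passin "pass:$CLIENT_PASS" -passout "pass:$PFX_PASS" -out client.pfx
  cat client.crt client.key > client.pem
)

# End-to-end run when invoked with RUN_PKI_DEMO=1; otherwise only the functions load.
if [ "${RUN_PKI_DEMO:-}" = 1 ]; then
  work=$(mktemp -d)
  make_demo_pki "$work"
  diagnose_client_pem "$work/client.pem"
  key_matches_cert "$work/client.crt" "$work/client.key" "$CLIENT_PASS" \
    && echo "client.key matches client.crt"
fi
```

Run it as `RUN_PKI_DEMO=1 sh demo_pki.sh`, or source it and call `diagnose_client_pem` on an existing client.pem to see which of Ken's two suspects (missing key, wrong password) applies before touching the VB6 code. If `openssl verify` fails here, the server will reject the certificate no matter what the client library sends. Two caveats: the hand-typed sequence above reuses serial 01 for both the server and client certificates under one CA, while X.509 requires serials to be unique per issuer, which is why the script uses 01 and 02; and OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default, so a consumer from the 2009 era may need the file exported with the `-legacy` option.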

Posted: 03/09/2009 15:05:32
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

How do I send the client certificate using the ElSecureClient for ActiveX? The ElSecureClient fires the OnCertificateNeededEx event, but since this is not implemented in ElSecureClient, how do I achieve this?
I also looked at the SophisticatedSSLClient example.

Posted: 03/10/2009 10:01:36
by Ken Ivanov (Team)

OnCertificateNeededEx is actually supported by ElSecureClientX (it is a documentation issue). I have reported the problem to the techwriter.
