David Bolen wrote:
Not sure if it helps, but here's some old code of mine where I experimented with the echo SSL examples to add symmetric certificate checking.
Thank you very much for your code. It's useful to see that the peer cert could be interpreted in the _verify callback. And your method to retrieve all X.509 attributes is quite clever. :)

But I could not get your SSL server and client to work. At least not completely: After printing the server's certificates (server.pem and ca.pem), the client quits with the following error:

_verify (ok=1): ... errnum 0, errdepth 0
connection lost (protocol)
connection lost: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert certificate unknown'), ('SSL routines', 'SSL3_READ_BYTES', 'ssl handshake failure')]

Maybe there's some problem with my certificates. I had successfully tested them with OpenSSL, though:

openssl s_server -accept 9000 -Verify 9 -cert server.pem -CAfile ca.pem
openssl s_client -connect localhost:9000 -verify 9 -cert client.pem -CAfile ca.pem

(In your code I replaced the "ca/ca.cert" and "ca/all-cas.cert" filenames with "ca.pem".)

I get the same error if I use your server and OpenSSL as a client. If you have any idea, I'll be happy to hear from you again.

For now I will just use the second method I mentioned in my original post: getting the peer certificate in dataReceived() instead of connectionMade(). This at least avoids the ugly do_handshake() polling loop I had been using. But there's still some DoS risk because a malicious client could just wait forever before sending any data (and thus before authentication).

Regards
Dirk
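Added example, not code from David or Dirk and not Twisted: a plain-stdlib `ssl` + `selectors` server that addresses the last paragraph's concern. The handshake is driven by the event loop instead of a polling loop, the client certificate is read with `getpeercert()` only once `do_handshake()` has completed, and every accepted connection carries a deadline so a peer that never finishes authenticating is dropped instead of holding a slot forever. The 5-second `HANDSHAKE_TIMEOUT` is an assumption; the `server.pem` and `ca.pem` names are the post's own file names reused as placeholders. A handshake that the server's verify step rejects (the kind of failure the post's `sslv3 alert certificate unknown` trace shows on the client side) ends in the `failed` state here.

```python
import selectors
import socket
import ssl
import time

# Seconds a peer may take to finish the TLS handshake (and so present its
# certificate) before the server drops it. The value is an assumption.
HANDSHAKE_TIMEOUT = 5.0


def make_server_context(certfile, keyfile, cafile):
    """Server context that demands, and verifies, a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)  # keyfile=None: key is in certfile
    ctx.load_verify_locations(cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # no trusted client cert -> handshake fails
    return ctx


def peer_subject(cert):
    """Flatten the subject of a getpeercert() dict into {attribute: value}.

    getpeercert() returns the subject as a tuple of RDNs, each a tuple of
    (attribute, value) pairs; one flat dict is easier to authorise against.
    """
    if not cert:
        return None
    return {attr: value for rdn in cert.get("subject", ()) for attr, value in rdn}


class PendingHandshake:
    """One accepted connection whose TLS handshake has not completed yet."""

    def __init__(self, conn, now, timeout=HANDSHAKE_TIMEOUT):
        self.conn = conn
        self.deadline = now + timeout
        self.error = None

    def expired(self, now):
        return now >= self.deadline

    def step(self, now):
        """Drive the non-blocking handshake once.

        Returns 'done', 'pending', 'expired' or 'failed'.
        """
        if self.expired(now):
            return "expired"
        try:
            self.conn.do_handshake()
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            return "pending"  # peer has not sent enough yet; the deadline keeps running
        except ssl.SSLError as exc:  # e.g. the peer's certificate is not trusted
            self.error = exc
            return "failed"
        return "done"


def _drop(sel, sock, why):
    print("dropping connection:", why)
    sel.unregister(sock)
    sock.close()


def serve(ctx, host="127.0.0.1", port=9000):
    """Echo server: bounded handshake first, then data only from authenticated peers."""
    sel = selectors.DefaultSelector()
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen()
    listener.setblocking(False)
    sel.register(listener, selectors.EVENT_READ, data=None)

    while True:
        for key, _mask in sel.select(timeout=1.0):
            now = time.monotonic()
            sock = key.fileobj
            if sock is listener:
                raw, _addr = listener.accept()
                raw.setblocking(False)
                tls = ctx.wrap_socket(raw, server_side=True, do_handshake_on_connect=False)
                # Read-interest only: the server side of a handshake is waiting
                # on the client's flights, and write-interest would spin the loop.
                sel.register(tls, selectors.EVENT_READ, data=PendingHandshake(tls, now))
            elif isinstance(key.data, PendingHandshake):
                state = key.data.step(now)
                if state == "done":
                    subject = peer_subject(sock.getpeercert())
                    print("authenticated peer:", subject)
                    sel.modify(sock, selectors.EVENT_READ, data=subject)
                elif state != "pending":
                    _drop(sel, sock, state if state == "expired" else key.data.error)
            else:
                try:
                    data = sock.recv(4096)
                except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                    continue
                if not data:
                    _drop(sel, sock, "peer closed")
                else:
                    sock.send(data)  # key.data holds the verified subject for authorisation
        # A silent peer never becomes readable, so stalled handshakes must be
        # reaped here as well, not only in the event path above.
        now = time.monotonic()
        for key in list(sel.get_map().values()):
            if isinstance(key.data, PendingHandshake) and key.data.expired(now):
                _drop(sel, key.fileobj, "handshake timeout")


if __name__ == "__main__":
    # Placeholder file names taken from the post; substitute your own.
    serve(make_server_context("server.pem", None, "ca.pem"))
```

The important design point is the sweep after each `select()`: the deadline cannot live only in the readable-event path, because the stalling client the post describes never sends anything and so never triggers that path.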