Topic: wolfSSL with client ssl handshake

I am trying to use wolfSSL with my HTTPS server, which does a 2-way SSL handshake (client SSL handshake). When I try with one client it asks for the client cert and validates the certificate fine on the server side. But when I try with multiple clients it is not working.

InitCyaSSL();                        // library init before any CTX is created

SSL_CTX* ctx;
ctx = SSL_CTX_new(TLSv1_server_method());

CyaSSL_SetIOSend(ctx, SSLSend);
CyaSSL_SetIORecv(ctx, SSLReceive);
...
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
...
X509* peer = SSL_get_peer_certificate(ssl);
...
...
static int SSLReceive(char *buf, int sz, void *ctx)
static int SSLSend(char *buf, int sz, void *ctx)

I would greatly appreciate it if someone can point me to how to set up wolfSSL for my requirement.

Thanks,
Manoj Dhoble


Re: wolfSSL with client ssl handshake

What do you mean by 2 way SSL handshake, do you mean client certificate authentication?  What doesn't work when you try multiple clients?  Can you provide a description of the problem and any error codes that you're getting?  Is your server iterative or concurrent (if so by what design)?  Are you trying multiple clients simultaneously?  A simple example of the problem may prove beneficial.


Re: wolfSSL with client ssl handshake

Yes, by 2-way SSL handshake I mean client certificate authentication. I am using the wolfSSL library with my HTTPS servers developed in C. At present I am using a self-signed certificate (created using openssl) on the server side. The client code is developed in Java and it is also using self-signed certificates. The server will challenge the client for an SSL certificate and will validate the certificate provided by the client using the chain certificate configured on the server side. This flow works fine with one client, but as soon as we try with multiple simultaneous clients we see failures. On the server side we are doing "X509* peer = SSL_get_peer_certificate(ssl);" to get the peer certificate, and this is failing in the case of multiple simultaneous clients. With just one client we are able to make multiple sequential requests without any problem.

On the server side we are doing the following:

{
    InitCyaSSL();                        // library init before any CTX is created

    SSL_CTX* ctx;
    ctx = SSL_CTX_new(TLSv1_server_method());

    CyaSSL_SetIOSend(ctx, SSLSend);      // SSLSend function is defined below
    CyaSSL_SetIORecv(ctx, SSLReceive);   // SSLReceive function is defined below

    SSL_CTX_use_certificate_file(ctx, serverCertFile, SSL_FILETYPE_PEM);
    SSL_CTX_use_PrivateKey_file(ctx, serverKeyFile, SSL_FILETYPE_PEM);

    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
    SSL_CTX_load_verify_locations(ctx, clientCertChainFile, 0);
    ...
    // Code to accept client connections
    SSL* ssl = SSL_new(ctx);             // one SSL object per accepted connection
    CyaSSL_SetIOReadCtx(ssl, &io);       // io holds this connection's socket; must be set before the handshake
    CyaSSL_SetIOWriteCtx(ssl, &io);
    SSL_accept(ssl);
    ...
    X509* peer = SSL_get_peer_certificate(ssl);
    if (peer == NULL) {
        // printf error - This is what is getting printed in case of multiple connections
    }
    SSL_shutdown(ssl);
    SSL_free(ssl);
    ...
    SSL_CTX_free(ctx);
    FreeCyaSSL();
}

/***********************************************************************
 IO handler for reading from libtask/libevent
***********************************************************************/
static int SSLReceive(char *buf, int sz, void *ctx)
{
    SocketIO& io = *(SocketIO*) ctx;   // per-connection context passed to CyaSSL_SetIOReadCtx
    int recvd = sdread1(io.fd, buf, sz, io.readtime);
    ...
}

/***********************************************************************
 IO handler for writing to libtask/libevent
***********************************************************************/
static int SSLSend(char *buf, int sz, void *ctx)
{
    SocketIO& io = *(SocketIO*) ctx;   // per-connection context passed to CyaSSL_SetIOWriteCtx
    int sent = sdwrite(io.fd, buf, sz, io.writetime);
    ...
}

I would greatly appreciate it if you can point out whether I am doing something wrong, or missing some calls? Thanks


Re: wolfSSL with client ssl handshake

wolfSSL is thread-safe; in fact the only part of the library that requires protection is the session cache for session resumption.  That doesn't appear to be the issue here.

Are you using a separate SSL* for each client connection?  Is the concurrent server threaded?  If SSL_get_peer_certificate() isn't returning a cert, either SSL_accept() failed or the peer didn't actually send a certificate.  Are you checking the return of SSL_accept()?  If everything looks good, can you send a Wireshark trace of two simultaneous connection attempts that reveals the problem to todd@wolfssl.com?  Thanks.

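The two points the thread turns on are the custom I/O callbacks and the per-connection context handed to them. The following is an added example, not code from the original posts or from the wolfSSL project, showing the callback contract that wolfSSL's custom I/O expects: return the byte count on success, or a negative WOLFSSL_CBIO_ERR_* code on failure (never 0 on EOF), with one context object per accepted connection. It uses the current four-argument callback signature with a leading WOLFSSL* (the older CyaSSL release used in the post takes three arguments, as shown above), and it redeclares the opaque WOLFSSL typedef and the error-code values locally so the file builds without wolfSSL headers; those values are assumed to match wolfssl/wolfio.h, and in a real build you include the real header instead. The names conn_ctx, io_recv, io_send and exercise_recv are hypothetical, and the socketpair traffic is constructed input so the contract can be exercised offline.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL 0   /* not defined on every platform; EPIPE is mapped below instead */
#endif

typedef struct WOLFSSL WOLFSSL;   /* opaque handle, declared the same way in wolfssl/ssl.h */

/* Return codes the library expects from custom I/O callbacks. Assumed to match
 * wolfssl/wolfio.h; include the real header in production instead of this. */
enum {
    WOLFSSL_CBIO_ERR_GENERAL    = -1,
    WOLFSSL_CBIO_ERR_WANT_READ  = -2,
    WOLFSSL_CBIO_ERR_WANT_WRITE = -2,
    WOLFSSL_CBIO_ERR_CONN_RST   = -3,
    WOLFSSL_CBIO_ERR_ISR        = -4,
    WOLFSSL_CBIO_ERR_CONN_CLOSE = -5,
    WOLFSSL_CBIO_ERR_TIMEOUT    = -6
};

/* Per-connection state (hypothetical). Allocate one per accepted client and
 * register that instance on that client's own SSL object via SetIOReadCtx /
 * SetIOWriteCtx before the handshake; never share one across connections. */
typedef struct { int fd; } conn_ctx;

/* Translate a socket errno into the code wolfSSL acts on. */
static int map_errno(int err)
{
    if (err == EAGAIN || err == EWOULDBLOCK) return WOLFSSL_CBIO_ERR_WANT_READ;
    if (err == EINTR)                        return WOLFSSL_CBIO_ERR_ISR;
    if (err == ECONNRESET)                   return WOLFSSL_CBIO_ERR_CONN_RST;
    if (err == EPIPE)                        return WOLFSSL_CBIO_ERR_CONN_CLOSE;
    return WOLFSSL_CBIO_ERR_GENERAL;
}

/* Receive callback: bytes read, or a negative CBIO code. A 0 from recv() is an
 * orderly close and must be reported as CONN_CLOSE, not returned as 0. */
int io_recv(WOLFSSL *ssl, char *buf, int sz, void *ctx)
{
    conn_ctx *c = (conn_ctx *)ctx;
    ssize_t n = recv(c->fd, buf, (size_t)sz, 0);
    (void)ssl;
    if (n == 0) return WOLFSSL_CBIO_ERR_CONN_CLOSE;
    if (n < 0)  return map_errno(errno);
    return (int)n;
}

/* Send callback: same contract; WANT_WRITE shares the value of WANT_READ. */
int io_send(WOLFSSL *ssl, char *buf, int sz, void *ctx)
{
    conn_ctx *c = (conn_ctx *)ctx;
    ssize_t n = send(c->fd, buf, (size_t)sz, MSG_NOSIGNAL);
    (void)ssl;
    if (n < 0) return map_errno(errno);
    return (int)n;
}

/* Offline exercise of the receive contract over a socketpair (constructed
 * input): data available, nothing available on a non-blocking fd, peer closed. */
enum { SCEN_DATA, SCEN_WOULD_BLOCK, SCEN_PEER_CLOSED };

int exercise_recv(int scenario)
{
    int sv[2], r;
    char buf[16];
    conn_ctx c;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return WOLFSSL_CBIO_ERR_GENERAL;
    c.fd = sv[0];
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);
    if (scenario == SCEN_DATA)        (void)send(sv[1], "hello", 5, 0);
    if (scenario == SCEN_PEER_CLOSED) close(sv[1]);
    r = io_recv(NULL, buf, sizeof buf, &c);
    close(sv[0]);
    if (scenario != SCEN_PEER_CLOSED) close(sv[1]);
    return r;
}

int main(void)
{
    printf("data=%d would_block=%d peer_closed=%d\n",
           exercise_recv(SCEN_DATA), exercise_recv(SCEN_WOULD_BLOCK),
           exercise_recv(SCEN_PEER_CLOSED));
    return 0;
}
```

The WANT_READ mapping matters most for a libtask/libevent style server: a non-blocking read that returns EAGAIN must surface as WOLFSSL_CBIO_ERR_WANT_READ so the handshake can be resumed later, and that resumption has to happen on the same SSL object with the same conn_ctx, which is why a context shared between simultaneous clients breaks the handshake even though the library itself is thread-safe.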