It looks like you are trying to set up a root of trust with (1) s_client
and s_server
for testing; and (2) programmatically within your code using OpenSSL.
To ensure openssl s_client
(or openssl s_server
) uses your root, use the following options:
-CAfile
option to specify the root
-cert
option for the certificate to use
-key
option for the private key of the certificate
See the docs on s_client(1) and s_server(1) for details.
To do the same programmatically on the client, you would use:
SSL_CTX_load_verify_locations
to load the trusted root
SSL_CTX_use_certificate
to specify the client certificate
SSL_CTX_use_PrivateKey
to load the private key for the client certificate
To do the same programmatically on the server, you would use:
SSL_CTX_load_verify_locations
to load the trusted root
SSL_CTX_use_certificate_chain_file
to specify the server certificate
SSL_CTX_use_PrivateKey
to load the private key for the server certificate
SSL_CTX_set_client_CA_list
to tell the client to send its client certificate
If you don't want to use the parameters for every connection (i.e. the common context), then set it for each SSL connection with, for example, SSL_use_certificate
and SSL_use_PrivateKey
.
A lot goes on with SSL_CTX_set_client_CA_list
. It (1) loads the CA's to the server uses to verify a client, (2) it causes the server to send a list of CAs it accepts when verifing a client, and (3) it triggers the ClientCertificate
message at the client if the client has a certificate that satisfies the server's accepted CAs list.
Also see the docs on SSL_CTX_load_verify_locations(3), SSL_CTX_use_certificate(3), SSL_CTX_set_client_CA_list and friends.
The easiest certificate and key format to use is PEM. PEM is the one that uses, for example, ----- BEGIN CERTIFICATE -----
. For the server certificate, be sure the file is a concatenation of the server's certificate and any intermediates needed by the client to build the chain.
Having the server send all required certificates is standard practice for a problem known as the "which directory" problem. Its a well known problem in PKI, and its essentially the problem that clients don't know where to go to fetch missing intermediate certificates.
In general, you now know the functions that you need to use. Download a small server like nginx, and see how a production server uses them in practice. You could even use a SQL server like Postgres since it sets up a SSL/TLS server. Simply search the source files for SSL_CTX_load_verify_locations
or SSL_load_verify_locations
, and you will find the right place.
Though I don't recommend it, you could even look at s_client.c
and s_server.c
. They are located in <openssl dir>/apps
. But the code can be difficult to read at times.