[Vortex] How to use TLS with client cert?
Francis Brosnan Blazquez
francis at aspl.es
Mon Dec 24 12:29:33 CET 2007
Hi Jens,
> I want to use TLS to authenticate BEEP sessions. But I want the
> authentication to be bi-directional: each peer will use a [self-
> signed] cert, and each peer will check the other's cert. I know TLS
> supports this, though it's rarely used in a client-server world;
Sure, it is supported Jens...
> but I'm having trouble getting it to work in Vortex.
>
> Out of the box, Vortex only seems to have the "server" (listener) use
> a cert. I need to make the "client" send one too, that the listener
> can check.
That is, the default configuration provided only supports server
authentication (only the listener provides a certificate, like https
does)...
> What I've done so far is to have the initiator call
> vortex_tls_set_default_ctx_creation, and the TLS context creation
> callback consists largely of a snippet copied out of Vortex's listener
> code that creates the context and adds the cert and private-key files
> to it. Then after connecting, each side calls
> vortex_tls_get_peer_ssl_digest to identify its peer.
>
> The connection gets made OK, but I'm not sure that the "client"'s key
> is being used, because on the listener side the SSL digest comes back
> NULL. Any ideas?
>
> [I admit I'm a TLS and OpenSSL newbie. I've got an O'Reilly book on
> order, but it's not here yet.]
A useful order.
You are in the right direction, using the proper functions...
There is an example that does exactly what you are trying [1]. It is the
documentation associated with VortexTlsCtxCreation.
This is an initial piece because you must verify state after doing all the
TLS voodoo using a post check (VortexTlsPostCheck) at the client
side.
Cheers!
[1] http://www.aspl.es/fact/files/af-arch/vortex/html/group__vortex__handlers_g95cb6046ad10727a9df7cca75b6ef2dc.html#g95cb6046ad10727a9df7cca75b6ef2dc
> Thanks!
>
> --Jens
--
Francis Brosnan Blazquez <francis at aspl.es>
Advanced Software Production Line, S.L.
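Added example, not Vortex's code and not from this thread: the two steps Francis points at (a context that presents its own self-signed cert and asks for the peer's, then a post-handshake check that pins the peer's certificate digest) done on both sides with Go's standard crypto/tls over an in-memory pipe, so it runs without Vortex or OpenSSL. The function names, the pipe setup and the SHA-256 fingerprint as the pinned "digest" are this example's own choices; note that a listener context which never requests a client certificate never receives one, which is one way a peer digest comes back NULL.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/sha256"; "crypto/tls"; "crypto/x509"
	"crypto/x509/pkix"; "encoding/hex"; "errors"; "fmt"; "math/big"; "net"; "time"
)

// SelfSigned makes a throwaway self-signed certificate for one peer (constructed for this example).
func SelfSigned(name string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Digest is the SHA-256 fingerprint of a DER certificate: the value each side pins for its peer.
func Digest(der []byte) string { s := sha256.Sum256(der); return hex.EncodeToString(s[:]) }

// pinnedConfig presents `own` and runs the post-check: the handshake aborts unless the peer's leaf
// certificate has fingerprint peerPin. Chain validation is off (both certs are self-signed), so the
// pin is the whole trust decision. A listener must also *request* a client certificate, or the
// client never sends one and the listener ends up with no peer certificate at all.
func pinnedConfig(own tls.Certificate, peerPin string, listener bool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{own}, InsecureSkipVerify: true,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, // 1.2 keeps the pipe exchange lock-step
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 || Digest(raw[0]) != peerPin {
				return errors.New("peer sent no certificate, or not the pinned one")
			}
			return nil
		}}
	if listener { cfg.ClientAuth = tls.RequireAnyClientCert }
	return cfg
}

// MutualHandshake runs a listener and an initiator against each other over an in-memory pipe, each
// pinning the other's fingerprint, and returns the peer fingerprint each side saw on success.
func MutualHandshake(listener, initiator tls.Certificate, listenerTrusts, initiatorTrusts string) (string, string, error) {
	lEnd, iEnd := net.Pipe()
	time.AfterFunc(2*time.Second, func() { lEnd.Close(); iEnd.Close() }) // watchdog: a rejected handshake must not hang the pipe
	srv := tls.Server(lEnd, pinnedConfig(listener, listenerTrusts, true))
	cli := tls.Client(iEnd, pinnedConfig(initiator, initiatorTrusts, false))
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cliErr, lErr := cli.Handshake(), <-srvErr
	if cliErr != nil || lErr != nil { return "", "", fmt.Errorf("initiator: %v; listener: %v", cliErr, lErr) }
	return Digest(srv.ConnectionState().PeerCertificates[0].Raw), Digest(cli.ConnectionState().PeerCertificates[0].Raw), nil
}
```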