OpenSSL TLS服务器无法获取客户端证书

时间:2020-05-27 15:32:07

标签: ssl openssl

我在服务器端验证客户端证书时,SSL_get_peer_certificate 总是返回 NULL,即使客户端已经发送了正确的证书(已在 Wireshark 抓包中确认)。你能帮忙提些建议吗?我阅读了 stackoverflow 上的所有相关案例,但仍然找不到原因。

服务器代码:

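        /*
         * Server-side context for mutual TLS.
         *
         * SSL_VERIFY_PEER makes the server send a CertificateRequest, and
         * SSL_VERIFY_FAIL_IF_NO_PEER_CERT aborts the handshake when the client
         * presents no certificate.  Worth keeping in mind while debugging:
         * after a *successful* SSL_accept() the peer certificate can therefore
         * never be NULL, so a NULL from SSL_get_peer_certificate() means it was
         * queried before the handshake completed (or the handshake failed).
         *
         * ctx_ok is cleared on any failure; the code after this setup must not
         * call SSL_new() on a half-configured context.
         */
        int ctx_ok = 1;

        ssl_ctx = SSL_CTX_new(SSLv23_server_method());
        if (ssl_ctx == NULL) {
            ERR_print_errors_fp(stderr);
            ctx_ok = 0;
        }

        if (ctx_ok) {
            /* Request and require a client certificate; the NULL callback keeps
             * OpenSSL's built-in chain verification. */
            SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
            SSL_CTX_set_verify_depth(ssl_ctx, 10);

            /* SSLv2/SSLv3 and compression (CRIME) off.  NOTE(review): SSL_OP_ALL
             * enables every interoperability bug workaround, and TLS 1.0/1.1 are
             * still allowed here -- consider SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1
             * once interoperability with old clients is no longer needed. */
            SSL_CTX_set_options(ssl_ctx,
                    SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
                    SSL_OP_NO_COMPRESSION | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);

            /* Exports session secrets (used for Wireshark decryption).  Debug
             * builds only: whoever can read the key log can decrypt the traffic. */
            SSL_CTX_set_keylog_callback(ssl_ctx, keylog_callback);
            SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);

            /* Server identity.  The chain-file loader also picks up any
             * intermediate certificates present in serverCert_filename, so the
             * separate SSL_CTX_use_certificate_file() call on the same file is
             * redundant and has been dropped. */
            if (!SSL_CTX_use_certificate_chain_file(ssl_ctx, serverCert_filename)
                || !SSL_CTX_use_PrivateKey_file(ssl_ctx, serverKey_filename, SSL_FILETYPE_PEM)
                || !SSL_CTX_check_private_key(ssl_ctx)) {
                ERR_print_errors_fp(stderr);
                ctx_ok = 0;
            }

            /* Trust anchors used to verify the client's chain. */
            if (!SSL_CTX_load_verify_locations(ssl_ctx, serverCertRoot_filename, NULL)) {
                ERR_print_errors_fp(stderr);
                ctx_ok = 0;
            }

            /* CA names advertised in the CertificateRequest.  Ownership of the
             * stack passes to the context.  A failure here is reported but, as
             * before, not treated as fatal. */
            cert_names = SSL_load_client_CA_file(serverCertRoot_filename);
            if (cert_names != NULL) {
                SSL_CTX_set_client_CA_list(ssl_ctx, cert_names);
            } else {
                ERR_print_errors_fp(stderr);
            }
        }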

    ....

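    ssl = SSL_new(ssl_ctx);
    /*
     * As shown here, the peer certificate is queried straight after SSL_new():
     * at that point no handshake has run on this object, so
     * SSL_get_peer_certificate() returns NULL by definition -- regardless of
     * what the client sent on the wire.  SSL_set_fd() and a successful
     * SSL_accept() (return value 1) must come first.  If the handshake happens
     * in code elided here, make sure it runs on this very `ssl` object.
     */
    X509 *cert = SSL_get_peer_certificate(ssl);  /* +1 reference: X509_free() it when done */
    long res = SSL_get_verify_result(ssl);      /* an X509_V_* code; long, not int */

    if (cert == NULL) {
        /* Handshake not run on this object, or it failed: with
         * SSL_VERIFY_FAIL_IF_NO_PEER_CERT a handshake cannot succeed without
         * a client certificate. */
        fprintf(stderr, "no client certificate: handshake not completed on this SSL object\n");
    } else if (res != X509_V_OK) {
        /* Certificate presented but chain verification failed. */
        fprintf(stderr, "client certificate verification failed: %s\n",
                X509_verify_cert_error_string(res));
    }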

客户端代码: //客户端可以正常工作。

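/*
 * Client-side context.  The client authenticates itself with
 * clientCert_filename/clientKey_filename and verifies the server's chain
 * against clientCertRoot_filename.
 *
 * ctx_ok is cleared on any failure; do not call SSL_new() on a broken context.
 */
int ctx_ok = 1;

ctx = SSL_CTX_new(method);
if (ctx == NULL) {
    ERR_print_errors_fp(stderr);
    ctx_ok = 0;
}

if (ctx_ok) {
    /* Verify the server's chain; a failure aborts the handshake.  NOTE: this
     * does not check that the certificate belongs to the host being contacted
     * -- that needs SSL_set1_host() (OpenSSL >= 1.1.0) on the SSL object
     * before SSL_connect(). */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
    SSL_CTX_set_verify_depth(ctx, 10);

    /* Client identity, sent when the server requests a certificate. */
    if (!SSL_CTX_use_certificate_file(ctx, clientCert_filename, SSL_FILETYPE_PEM)
        || !SSL_CTX_use_PrivateKey_file(ctx, clientKey_filename, SSL_FILETYPE_PEM)
        || !SSL_CTX_check_private_key(ctx)) {
        ERR_print_errors_fp(stderr);
        ctx_ok = 0;
    }

    /* Trust anchors for the server's chain. */
    if (!SSL_CTX_load_verify_locations(ctx, clientCertRoot_filename, NULL)) {
        ERR_print_errors_fp(stderr);
        ctx_ok = 0;
    }

    SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
}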

....
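    /* The client's own context is `ctx`; `ssl_ctx` is the server-side name
     * and is not defined on this side (looks like a copy from the server
     * code). */
    ssl = SSL_new(ctx);
    /* SSL_set_fd() and SSL_connect() == 1 must precede the calls below, and
     * SSL_set1_host(ssl, <server name>) before SSL_connect() is what makes
     * verification also check the host name. */
    peer_cert = SSL_get_peer_certificate(ssl);   /* +1 reference: X509_free() it when done */
    long res = SSL_get_verify_result(ssl);       /* X509_V_* code; long, not int */
    if (peer_cert == NULL || res != X509_V_OK) {
        fprintf(stderr, "server certificate not verified: %s\n",
                X509_verify_cert_error_string(res));
    }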

0 个答案:

没有答案