1
votes

I am a beginner. I have a problem when using SSL. I found some C code on the internet. In the server code, there is the following function:

#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

void ShowCerts(SSL* ssl)
{   X509 *cert;
    char *line;

    cert = SSL_get_peer_certificate(ssl); /* Get the peer's certificate (if available); returns NULL if the peer sent none */
    if ( cert != NULL )
    {
        printf("Server certificates:\n");   /* label copied from the client; in the server this is the client's certificate */
        line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
        printf("Subject: %s\n", line);
        OPENSSL_free(line);   /* X509_NAME_oneline() allocates with OPENSSL_malloc(), so release with OPENSSL_free(), not free() */
        line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
        printf("Issuer: %s\n", line);
        OPENSSL_free(line);
        X509_free(cert);      /* SSL_get_peer_certificate() hands back a new reference that we own */
    }
    else
        printf("No certificates.\n");
}

When I use the command `openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem`, run `./sslserver.o 443` and then run `./client localhost 443`, the server prints the error "No certificates.". I think the reason is that SSL_get_peer_certificate(ssl) returns NULL, but I don't know how to fix it. Can you help? Full code: http://simplestcodings.blogspot.com/2010/08/secure-server-client-using-openssl-in-c.html

1
Near dupe of (and looks like same code as) stackoverflow.com/questions/40708532/… – dave_thompson_085

1 Answer

1
votes

SSL_get_peer_certificate only returns a certificate on the server side if the client has sent a certificate. But the code you refer to does not request a client certificate, which means that the client will not send one. To request a client certificate the server would need to use SSL_CTX_set_verify and set the mode to at least SSL_VERIFY_PEER, i.e. at the minimum you need to do:

SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);

But this will only request an optional client certificate. It will not cause a validation of it. Note that the code example you use is broken in this regard anyway, since it does not do any kind of certificate validation. This means it is open to a trivial man-in-the-middle attack, i.e. it does not provide the security you expect when using SSL. Thus I recommend not using this code as an example of how to write a secure SSL client and server.