
I am trying to perform the following:

- Generate client certificate, key and bundle
- Generate server certificate, key and bundle

And I am trying to perform:

- Client verification of the server certificate

- Server-side verification of the client certificate using POCO-HTTPS.

The client verifies the server certificate successfully, but the server fails to verify the client certificate and I get "Certificate Validation Error Unacceptable certificate from 127.0.0.1: Application verification failure".

I used https://jamielinux.com/docs/openssl-certificate-authority/sign-server-and-client-certificates.html for client and server certificate/key/CSR generation on Ubuntu. Code:

Client Code:

```cpp
#include <iostream>
#include <string>
#include <Poco/SharedPtr.h>
#include <Poco/Exception.h>
#include <Poco/Net/Context.h>
#include <Poco/Net/SSLManager.h>
#include <Poco/Net/KeyConsoleHandler.h>
#include <Poco/Net/ConsoleCertificateHandler.h>
#include <Poco/Net/HTTPSClientSession.h>
#include <Poco/Net/HTTPRequest.h>
#include <Poco/Net/HTTPResponse.h>

int main()
{
    // "host" was not defined in the snippet as posted; the server reports the client at 127.0.0.1.
    std::string host("127.0.0.1");

    while (1) {
        try {
            Poco::SharedPtr<Poco::Net::PrivateKeyPassphraseHandler> pConsoleHandler = new Poco::Net::KeyConsoleHandler(true);
            Poco::SharedPtr<Poco::Net::InvalidCertificateHandler> pInvalidCertHandler = new Poco::Net::ConsoleCertificateHandler(true);
            // Client context: presents client.cert.pem/client.key.pem, verifies the server against ca-chain.cert.pem.
            Poco::Net::Context::Ptr m_pContext = new Poco::Net::Context(Poco::Net::Context::CLIENT_USE, "client.key.pem", "client.cert.pem", "ca-chain.cert.pem", Poco::Net::Context::VERIFY_STRICT);
            Poco::Net::SSLManager::instance().initializeClient(pConsoleHandler, pInvalidCertHandler, m_pContext);

            // Stack object instead of an un-deleted "new": the posted code leaked one session per iteration.
            Poco::Net::HTTPSClientSession session(host, 65157, m_pContext);
            std::string version("HTTP/1.1");
            Poco::Net::HTTPRequest request("GET", "/small", version);
            request.setKeepAlive(session.getKeepAlive());
            request.write(std::cout);

            std::ostream& outstream = session.sendRequest(request);
            Poco::Net::HTTPResponse response;
            response.setKeepAlive(session.getKeepAlive());
            std::istream& respStream = session.receiveResponse(response);
            response.write(std::cout);
        }
        catch (Poco::Exception& exc) {
            std::cout << "::" << "HTTPClientConnection::ServiceConnection()" << "::"
                      << " Exception while sending the request for client session ::" << exc.displayText() << std::endl;
        }
    }
    return 0;
}
```

Server Code:

```cpp
#include <iostream>
#include <Poco/SharedPtr.h>
#include <Poco/Exception.h>
#include <Poco/Net/Context.h>
#include <Poco/Net/SSLManager.h>
#include <Poco/Net/KeyConsoleHandler.h>
#include <Poco/Net/ConsoleCertificateHandler.h>
#include "HTTPSTestServer.h"  // test server class from the POCO NetSSL_OpenSSL testsuite

int main()
{
    try {
        // The template arguments were lost in rendering; restored to match the client code.
        Poco::SharedPtr<Poco::Net::PrivateKeyPassphraseHandler> pConsoleHandler = new Poco::Net::KeyConsoleHandler(true);
        Poco::SharedPtr<Poco::Net::InvalidCertificateHandler> pInvalidCertHandler = new Poco::Net::ConsoleCertificateHandler(true);

        Poco::Net::Context::Ptr pServerContext = new Poco::Net::Context(
            Poco::Net::Context::SERVER_USE,
            "localhost.key.pem",
            "localhost.cert.pem",
            "ca-chain.cert.pem",                // CA bundle the client certificate must chain to
            Poco::Net::Context::VERIFY_STRICT,  // require a client certificate and fail if it is missing or invalid
            9,                                  // verification depth
            true,                               // also load the default CA locations
            "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
        Poco::Net::SSLManager::instance().initializeServer(pConsoleHandler, pInvalidCertHandler, pServerContext);
        HTTPSTestServer srv(pServerContext);
        int port = srv.port();
        std::cout << "Port on which it is listening:: " << port << std::endl;

        while (1) {}  // keep the process alive while the test server handles connections
    }
    catch (Poco::Exception& exc) {
        std::cout << "::" << "HTTPClientConnection::ServiceConnection()" << "::"
                  << " Exception while sending the request for client session ::" << exc.displayText() << std::endl;
    }

    return 0;
}
```
sach
  • *"Unacceptable certificate from 127.0.0.1..."* - Please show the relevant code, and please provide the output of `openssl s_client -connect : -tls1 -servername | openssl x509 -text -noout`. Also see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) It provides a lot of background information on X.509 server certificates, and where the various rules come from. – jww Sep 07 '16 at 16:49
  • Yes, I have generated the CSRs, keys and certificates using https://jamielinux.com/docs/openssl-certificate-authority/sign-server-and-client-certificates.html and added the code snippet. – sach Sep 08 '16 at 05:33
  • Where is the certificate? Either you have to spot what's wrong with it, or you have to show it to us so we can tell you what's probably wrong with it. – jww Sep 08 '16 at 07:09
  • Got it figured out. It seems the CN should be the IP of the client for the server to validate the certificate; I guess the underlying POCO code which handles the validation compares the incoming IP against the CN/Email, and whenever I provide the IP of the client as CN in the client certificate it works fine. My bad, I did not share the certificate in my hurry. – sach Sep 08 '16 at 07:25
  • @sach thank you for sharing. That way I solved a bug in Collabora Online in conjunction with Nextcloud. – AlexOnLinux Feb 01 '20 at 10:21
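The check sach arrived at in the comments, as an added example (not code from the question or from POCO): a POSIX shell function that inspects a client certificate the way the POCO server with `VERIFY_STRICT` will, first whether it chains to `ca-chain.cert.pem` with the client-auth purpose, then whether the peer address the server sees appears in the certificate, either as a subjectAltName IP entry or, as the fallback sach relied on, as the CN. The file names follow the question; treating "SAN IP entry or CN" as the accepted identities is a simplified model of POCO's peer-name check and an assumption about its internals, and "Application verification failure" is what the server reports when that second step fails.

```shell
# Mimic what a POCO HTTPS server with VERIFY_STRICT does to a client certificate:
#   1. the certificate must chain to the trusted CA bundle and be usable for client auth;
#   2. the peer address the server sees (127.0.0.1 in the question) must be one of the
#      names in the certificate: a subjectAltName IP entry, or (legacy fallback) the CN.
# Usage: check_client_cert client.cert.pem ca-chain.cert.pem 127.0.0.1
check_client_cert() {
    cert=$1; chain=$2; peer=$3

    # Step 1: chain validation against the same CA bundle the server context is given.
    # The output is checked rather than the exit status because old OpenSSL releases
    # exit 0 even when verification fails.
    if ! openssl verify -purpose sslclient -CAfile "$chain" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $cert does not chain to $chain (or is not valid for client auth)"
        return 1
    fi

    # Step 2: collect the identities the server compares against the peer address.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline,utf8 | sed -n 's/^ *CN=//p')
    san=$(openssl x509 -in "$cert" -noout -text \
          | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
          | tr ',' '\n' | sed 's/^ *//')

    if printf '%s\n' "$san" | grep -qx "IP Address:$peer"; then
        echo "OK: subjectAltName IP entry matches peer $peer (the recommended form)"
        return 0
    fi
    if [ "$cn" = "$peer" ]; then
        echo "OK: CN=$cn matches peer $peer (works, but an IP belongs in subjectAltName)"
        return 0
    fi
    echo "FAIL: peer $peer is neither a subjectAltName IP entry nor the CN (CN=$cn)"
    return 1
}
```

A certificate issued per the linked guide with `CN=client.example.com` and no IP in its subjectAltName fails step 2 against peer 127.0.0.1, which is the situation in the question; reissuing it with `subjectAltName=IP:127.0.0.1` (or the CN workaround) makes it pass.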

0 Answers