How to use ssl certificates in openssl with gsoap, using a c++ client/server

I am using gsoap and openssl under Visual Studio C++, I created a client and a server on localhost (port 443).

I have a non explicit error without any description when using (from client side) the option: soap_ssl_client_context(&soap, "SOAP_SSL_DEFAULT"...

but if I use it with the option: soap_ssl_client_context(&soap, SOAP_SSL_DEFAULT | SOAP_SSL_SKIP_HOST_CHECK, ...
it is working correctly (but insecurely I guess).

So I decided to check what is the error by checking packets on localhost (with raw capture), and I see that the communication ends by an Encrypted Alert (21) after terminating the handshake.

And I wonder what I need to do, to get this application working properly and securely on localhost (for testing purposes).

More Info: I have generated ssl certificates for server side with a batch:

echo CREATE SERVER CA and CA CERT
echo Generate Private Key (passwd protected)
openssl genrsa -des3 -out .\private\CA_key.pem 2048
pause

echo Generate server CA
echo use your server name for the 'common name' field!
openssl req -out ca.pem -new -x509 -key .\private\CA_key.pem
pause

echo Create certificate signing request for CA pub Key
openssl req -new -key .\private\CA_key.pem -out CA_csr.pem
pause

echo Sign it
openssl req -in CA_csr.pem -out CA_crt.pem -key .\private\CA_key.pem -x509 -days 3020
pause

echo FOR C++ SERVER ONLY
type .\private\CA_key.pem CA_crt.pem > server.pem
pause  

And also for client side:

echo CREATE PUB/PRIV key pair and cert for client
echo Generate key pair
openssl genrsa -des3 -out client_key.pem 2048
pause

echo Create CSR for client pub key
openssl req -new -key client_key.pem -out client_csr.pem
pause

echo User ca to sign the request (need serial file with '01')
echo make sure your openssl.cnf is correct (path and right CA certificate file)
openssl ca -in client_csr.pem -out client_crt.pem -config openssl.cfg -days 1825
pause

echo CLIENT SPECIFIC FORMATING (optional)
echo for C++ clients ONLY
type client_key.pem client_crt.pem > LCC.pem

I used: CA_crt.pem as "cacert file" in both soap_ssl_server_context and soap_ssl_client_context. LCC.pem as client key, and server.pem as server key.

I am not sure if all certificate generation steps are correct but it is working with the option (SOAP_SSL_DEFAULT | SOAP_SSL_SKIP_HOST_CHECK).

Can you help me please to find out what is missing to get it working with SOAP_SSL_DEFAULT only?

Thank you

> I am not sure if all certificate generation steps are correct but it is working with the option (SOAP_SSL_DEFAULT | SOAP_SSL_SKIP_HOST_CHECK).

If the certificate works with gSoap with SOAP_SSL_SKIP_HOST_CHECK and does not work without it, then the CommonName for your certificate is not a hostname or IP address. Depending on the purpose for your certificate, you may not want your certificate CommonName to be the host ip/name and so using SOAP_SSL_SKIP_HOST_CHECK is fine.

If you want to quit using the SOAP_SSL_SKIP_HOST_CHECK flag, then regenerate your certificate to have the CommonName be the host name or ip address. (Note: You may run into conflicts with other certificates installed on your system - if one of them has an identical CommonName.)
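
The host check described in the answer can be reproduced outside gSOAP with the openssl command line, as an added example that is not code from the question or the answer. The file names, the CN "My Test CA" and the helpers make_cert, host_matches and ip_matches are constructed; OpenSSL's own -checkhost/-checkip matching is assumed as a stand-in for gSOAP's check, and the example goes beyond the answer by also setting a subjectAltName. It is written for a POSIX shell; the openssl arguments are the same in a Windows batch file.

```shell
#!/bin/sh
# Added example with constructed certificates; not the asker's files.

# make_cert PREFIX COMMON_NAME [SAN]: self-signed test cert in PREFIX.crt/.key
make_cert() {
    prefix=$1; cn=$2; san=${3:-}
    {
        printf '[req]\ndistinguished_name = dn\nx509_extensions = ext\nprompt = no\n'
        printf '[dn]\nCN = %s\n' "$cn"
        printf '[ext]\nbasicConstraints = CA:FALSE\n'
        if [ -n "$san" ]; then printf 'subjectAltName = %s\n' "$san"; fi
    } > "$prefix.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$prefix.cnf" \
        -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
}

# host_matches CERT NAME: succeeds if OpenSSL accepts CERT for host NAME
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
        grep -q "does match certificate"
}

# ip_matches CERT ADDR: same check for an IP address (needs an IP SAN entry)
ip_matches() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>&1 |
        grep -q "does match certificate"
}

demo() {
    dir=$(mktemp -d) || return 1
    # CN is a descriptive label rather than a host name
    make_cert "$dir/label" "My Test CA"
    # CN and SAN name the host the client actually connects to
    make_cert "$dir/local" "localhost" "DNS:localhost,IP:127.0.0.1"
    for c in label local; do
        if host_matches "$dir/$c.crt" localhost; then r="match"; else r="NO match"; fi
        echo "$c.crt checked against localhost: $r"
    done
    rm -rf "$dir"
}

demo
```

Running the same host_matches check against the certificate the server actually presents shows whether the full host check can pass before SOAP_SSL_SKIP_HOST_CHECK is removed from the client.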
