Vilius Panevėžys
2014-05-06 17:07:06 UTC
Hi all,
I'm trying to implement a server that is capable of presenting a
dynamically generated certificate. Boost.Asio SSL support does not seem
to have accounted for such a scenario, but the API to access native SSL
and SSL_CTX handles gives me hope it should be possible to use the SSL
stream normally and use a few OpenSSL functions directly to set a
generated certificate.
Unfortunately, when I try to use a generated certificate the SSL
handshake with the client fails with a "no shared cipher" error. If I load a
certificate from file (ssl::context::use_certificate_file) before
creating the SSL stream, it works fine. If I move certificate file loading
after SSL stream creation (before accepting a connection, though), I
get the same "no shared cipher" error as in the case of the dynamically
generated certificate. This makes me think that the "injection" fails
and the SSL stream effectively does not use a certificate if it is set
after the stream is constructed. A similar problem is described in
StackOverflow [1], but in this case I can't load the certificate before
constructing the SSL stream as the certificate I will present depends
on what the client says in ClientHello.
I use SSL_CTX_use_certificate and SSL_CTX_use_PrivateKey on
sslContext->native_handle() to dynamically set the generated certificate
after a connection has been accepted, but before initiating
async_handshake on the client's SSL stream.
I like Asio's event-loop-like concept and the simple and powerful API, so
I would very much prefer finding a solution/workaround to this instead
of having to give it up and work directly with OpenSSL and sockets,
eventually "reinventing" a subset of the API.
Looking forward to any advice.
[1]
http://stackoverflow.com/questions/12217346/c-boost-asio-error-no-shared-cipher/19584759#19584759