Question

I am trying to connect with a SOAP Service which requires Mutual SSL Authentication.

We created a self-signed certificate and transferred it to the service operator for them to verify our connections. Likewise, they sent us a copy of their SSL certificate.

I have been able to successfully connect to and get the expected SOAP response from the service by using openssl s_client and manually entering the HTTP request, headers and SOAP content. I use parameters similar to the following to make the successful connection:

openssl s_client -connect example.com:443 -key my_key.pem -cert my_cert.pem -pass file:my_passphrase
  • my_key.pem is the filename of my private key
  • my_cert.pem is the filename of the self-signed certificate forwarded to the service operator.
  • my_passphrase contains the passphrase for the private key.

I am now trying to access the same service using gSOAP and its C bindings. I followed the documentation at http://www.cs.fsu.edu/~engelen/soapdoc2.html to create bindings from the service WSDL and added a call to soap_ssl_client_context() to set up the SSL connection, but I'm running into a problem.

I presumed that I should use the path to my_key.pem as the keyfile parameter, but using gdb, I can see that it is the call to SSL_CTX_use_certificate_chain_file() which is failing. gSOAP passes the keyfile parameter as the file argument to this call.

Any help is much appreciated.


Solution

The solution is that gSOAP expects the certificate and key to be in the same file.

From SSL Certificates and Key Files in the gSOAP documentation:

The keyfiles (client.pem and server.pem) are created by concatenating the private key PEM with the certificate PEM.

You can achieve this by concatenating the two files together. This is simple using the Unix tool cat. At your shell prompt, and using the same file names as in the question:

$ cat my_cert.pem my_key.pem > my_certkey.pem

Where my_certkey.pem is the output file. Now, you can use the path to my_certkey.pem as the keyfile parameter in the call to soap_ssl_client_context().

Tools like openssl s_client and curl will understand the concatenated key-cert file as argument to the -cert options and use both the key and cert from there.
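
A check worth running before passing the combined file to soap_ssl_client_context(): confirm that the private key belongs to the certificate, then write the concatenated file so only its owner can read it. This is an added example, not part of the original answer or the gSOAP documentation; the function names are hypothetical and the demo uses constructed throwaway key pairs.

```shell
#!/bin/sh
# Added example, not gSOAP code. Helper names are hypothetical.

pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }

# $2: optional passphrase file, as with "-pass file:my_passphrase".
pubkey_of_key() {
    if [ -n "${2:-}" ]; then
        openssl pkey -in "$1" -passin "file:$2" -pubout
    else
        openssl pkey -in "$1" -pubout
    fi
}

# make_keyfile CERT KEY OUT [PASSFILE]
# Returns 1 and writes nothing unless KEY is the private key for CERT.
make_keyfile() {
    mk_cert=$1; mk_key=$2; mk_out=$3; mk_pass=${4:-}
    mk_a=$(pubkey_of_cert "$mk_cert" 2>/dev/null) || return 1
    mk_b=$(pubkey_of_key "$mk_key" "$mk_pass" 2>/dev/null) || return 1
    [ "$mk_a" = "$mk_b" ] || return 1
    # OUT contains the private key: create it readable by the owner only.
    ( umask 077 && cat "$mk_cert" "$mk_key" > "$mk_out" ) || return 1
    chmod 600 "$mk_out"
}

# demo: two constructed throwaway key pairs in a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.crt" 2>/dev/null || return 1
    done
    make_keyfile "$d/a.crt" "$d/a.key" "$d/ok.pem"  && echo "matching pair: written"
    make_keyfile "$d/a.crt" "$d/b.key" "$d/bad.pem" || echo "mismatched pair: refused"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Passing demo as the first argument runs the demonstration; with the question's files the call would be make_keyfile my_cert.pem my_key.pem my_certkey.pem my_passphrase.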

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow