Hello, I can not find a working mutual-TLS server/client example on github or the whole internet. Only some example for pieces of code. Communication via socket without and with encryption (openSSL) is working, but with mTLS not. I believe that I theoretical understand mTLS, but the practice will not work. The whole (small) project is here: https://github.com/deckard-rick/mTLS-example Server Side ========= I initialize the SSL-context without errors with (sample, error handling is not in this email) SSL_CTX_set_ecdh_auto(srvCtx->ctx, 1); SSL_CTX_set_verify(srvCtx->ctx, SSL_VERIFY_PEER or SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); SSL_CTX_load_verify_locations(srvCtx->ctx,NULL,"../certs"); //???? SSL_CTX_use_certificate_chain_file(srvCtx->ctx, "../certs/server/ca.crt"); SSL_CTX_use_certificate_file(srvCtx->ctx, "../certs/server/server.crt", SSL_FILETYPE_PEM); SSL_CTX_use_PrivateKey_file(srvCtx->ctx, "../certs/server/server.key", SSL_FILETYPE_PEM); SSL_CTX_check_private_key(srvCtx->ctx); the certificates are: ca.crt: Version: 3 (0x2) Serial Number: 5a:fc:74:e6:28:28:0e:df:5b:7a:50:9e:a8:18:e6:04:42:f0:fd:8d Signature Algorithm: sha256WithRSAEncryption Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA Validity Not Before: May 6 09:21:23 2020 GMT Not After : May 6 09:21:23 2022 GMT Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA server.crt: Version: 1 (0x0) Serial Number: 5f:6f:44:b5:27:47:f2:d2:fe:2b:21:5b:38:7d:e5:f6:e5:d9:c1:23 Signature Algorithm: sha256WithRSAEncryption Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA Validity Not Before: May 6 09:30:23 2020 GMT Not After : May 6 09:30:23 2021 GMT Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = debiandevdesktop01.sdctec.lokal debiandevdesktop01.sdctec.lokal is the FQDN of the development server Client Side ========= SSL_CTX_set_ecdh_auto(ctx, 1); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); SSL_CTX_use_certificate_chain_file(ctx, "../certs/client/ca.crt"); SSL_CTX_use_certificate_file(ctx, "../certs/client/client.crt", SSL_FILETYPE_PEM); SSL_CTX_use_PrivateKey_file(ctx, "../certs/client/client.key", SSL_FILETYPE_PEM); ca.crt: (see server) client.crt: Version: 1 (0x0) Serial Number: 5f:6f:44:b5:27:47:f2:d2:fe:2b:21:5b:38:7d:e5:f6:e5:d9:c1:24 Signature Algorithm: sha256WithRSAEncryption Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA Validity Not Before: May 6 09:35:51 2020 GMT Not After : May 6 09:35:51 2021 GMT Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = CLIENT001 Error: ===== If the client connects the server there are the following errors: server: 139918902234240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915: client: 139918902234240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915: I think, there is a problem with the certificates. But where is the problem and why? The statement to create the certificates are in the project ./certs/read.me Thanks for any help, I'm looking since days for a solution and I believe it is only a small bug. Best regards Andreas
