// Copyright (c) 2001 David Muse
// See the file COPYING for more information
#include <rudiments/inetclientsocket.h>
#include <rudiments/charstring.h>
#include <rudiments/error.h>
#include <openssl/err.h>
#ifdef RUDIMENTS_NAMESPACE
using namespace rudiments;
#endif
int passwdCallback(char *buf, int size, int rwflag, void *userdata) {
charstring::copy(buf,(char *)userdata,size);
buf[size-1]=(char)NULL;
return charstring::length(buf);
}
int main(int argc, const char **argv) {
// initialize the SSL context
SSL_library_init();
SSL_load_error_strings();
// Create a new client context usng SSLv2.
SSL_CTX *ctx=SSL_CTX_new(SSLv2_client_method());
// in cases where a re-negotiation must take place during an SSL_read
// or SSL_write, automatically re-negotiate, then retry the read/write
// instead of causing the read/write to fail
SSL_CTX_set_mode(ctx,SSL_MODE_AUTO_RETRY);
// load the client's certificate chain
SSL_CTX_use_certificate_chain_file(ctx,"client.pem");
// if the private key requires a password in order to read it,
// supply "password"
SSL_CTX_set_default_passwd_cb(ctx,passwdCallback);
SSL_CTX_set_default_passwd_cb_userdata(ctx,(void *)"password");
// load the client's private key
SSL_CTX_use_PrivateKey_file(ctx,"client.pem",SSL_FILETYPE_PEM);
// load certificates for the signing authorities that we trust
SSL_CTX_load_verify_locations(ctx,"ca.pem",0);
#if (OPENSSL_VERSION_NUMBER < 0x0090600fL)
// server certificates must be directly signed
// by one of the signing authroities that we trust
SSL_CTX_set_verify_depth(ctx,1);
#endif
// create an inet socket client
inetclientsocket clnt;
clnt.setSSLContext(ctx);
// connect to a server on localhost, listening on port 8000
if (clnt.connect("localhost",8000,-1,-1,1,1)<0) {
if (errno) {
printf("connect failed: %s\n",error::getErrorString());
} else {
printf("connect failed: ");
ERR_print_errors_fp(stdout);
printf("\n");
}
clnt.close();
exit(1);
}
// make sure the server sent a certificate
X509 *certificate=SSL_get_peer_certificate(clnt.getSSL());
if (!certificate) {
printf("peer sent no certificate\n");
clnt.close();
exit(1);
}
// make sure the certificate was valid
long result=SSL_get_verify_result(clnt.getSSL());
if (result!=X509_V_OK) {
printf("SSL_get_verify_result failed: %d\n",result);
clnt.close();
exit(1);
}
// Make sure the commonname in the certificate is the one we expect it
// to be (server.localdomain).
// (we may also want to check the subject name field or certificate
// extension for the commonname because sometimes it's there instead
// of in the commonname field)
char commonname[256];
X509_NAME_get_text_by_NID(X509_get_subject_name(certificate),
NID_commonName,commonname,256);
if (charstring::compareIgnoringCase(commonname,"server.localdomain")) {
printf("%s!=server.localdomain\n",commonname);
clnt.close();
exit(1);
}
// write "hello" to the server
clnt.write("hello",5);
// read 10 bytes from the server and display them
char buffer[11];
int sizeread=clnt.read(buffer,10);
buffer[sizeread]=(char)NULL;
printf("%s\n",buffer);
// close the connection to the server
clnt.close();
}