Allow connections only by client with certificates

I have OpenSSL server and client.

Server allows connections only with one certificate by function SSL_CTX_load_verify_locations(ctx, cert, NULL), but it is not enough. I want to enable connections for all clients with certificate with was signed by organizational CA.

What should I use?

I have read about set path to folder with "good" client certificates, but it's actually not what I want and it's not working for me too.

Any ideas?

SSL_CTX_load_verify_locations(ctx, cert, NULL)... I want to enable connections for all clients with certificate with was signed by organizational CA.

What should I use?

On the server, you need to call SSL_CTX_set_client_CA_list to have the server send the CA list (and trigger the client). In your case, the list is one CA - the organization's CA or a subordinate CA within the organization.

You can find the OpenSSL man page at SSL_CTX_set_client_CA_list(3). Its also discussed on the SSL_CTX_load_verify_locations(3) man page.

Here's how to find an example of using it (OpenSSL is famous for self documenting code):

$ cd openssl-1.0.2a
$ grep -R SSL_CTX_set_client_CA_list * | grep -v doc
...
apps/s_server.c:    SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
...

Here's how OpenSSL uses it apps/s_server.c:

char* caFile = NULL;
...

else if (strcmp(*argv, "-CAfile") == 0) {
    caFile = *(++argv);
...

if ((!SSL_CTX_load_verify_locations(ctx, caFile, caPath)) ||
    (!SSL_CTX_set_default_verify_paths(ctx))) {
        ERR_print_errors(bio_err);
}
...

if (caFile != NULL) {
    SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(caFile));

You can find the man pages for SSL_load_client_CA_file(3).

Related, on the OpenSSL mailing list: Does STACK_OF(X509_NAME) need to be free'd when using SSL_load_client_CA_file?

Assuming your organization PKI looks something like so:

                     ++++++++++++++++
                     + Organization +
                     +    Root CA   +
                     ++++++++++++++++
                            |
        +-------------------+------------------+
        |                   |                  |
+--------------+    +--------------+   +--------------+
|  Client Auth |    | Server Auth  |   |  Other ...   |
|    Sub CA    |    |    Sub CA    |   |    Sub CA    |
+--------------+    +--------------+   +--------------+

You probably want to send the Client Authentication subordinate CA. That limits damage in case something happens in one of the other CA arcs.

The problem case is that of Diginotar, where the Root CA becomes compromised. In that case, you need to burn the entire PKI to the ground and start over.

The subordinate CAs will have basicConstraint=critical, CA=true. But they will not be self signed. Rather, they will be signed or certified by the Organizational Root CA.