linking problem using sslclientcert as auth-type

These are old archives. They are kept for historic purposes only.
jestero
Posts: 2
Joined: Thu Mar 03, 2011 10:59 am

linking problem using sslclientcert as auth-type

Post by jestero »

Hello, I'm trying to link two hubs using sslclientcert as auth-type and I've got some problems...
Each server is configured to allow only clients with a valid certificate, and this seems to work correctly.
I want to use the same method to link the 2 servers, so I used sslclientcert in password-receive (as the docs say), specifying the .crt (public key) of the host to link to.
Password-connect seems to be mandatory, but I don't understand how I have to fill it in.

I've also tried to link with passwords, avoiding the certificates, and it only works when removing "verify-certificate" from the ssl block.

server 1 config:
link host2.mynet.org
{
    username *;
    hostname 2.2.2.2;
    bind-ip *;
    port 6697;
    hub *;
    class servers;

    password-connect "";
    password-receive "./keys/host2.crt" { sslclientcert; };

    options
    {
        autoconnect;
        ssl;
        zip;
        nohostcheck;
    };
};
ssl
{
    certificate "./keys/host1.crt";
    key "./keys/host1.key";
    trusted-ca-file "./keys/ca.crt";

    options
    {
        fail-if-no-clientcert;
        verify-certificate;
        no-self-signed;
    };
};

server 2 config:
link host1.mynet.org
{
    username *;
    hostname 1.1.1.1;
    bind-ip *;
    port 6697;
    hub *;
    class servers;

    password-connect "";
    password-receive "./keys/host1.crt" { sslclientcert; };

    options
    {
        autoconnect;
        ssl;
        zip;
        nohostcheck;
    };
};
ssl
{
    certificate "./keys/host2.crt";
    key "./keys/host2.key";
    trusted-ca-file "./keys/ca.crt";

    options
    {
        fail-if-no-clientcert;
        verify-certificate;
        no-self-signed;
    };
};
EDIT:

Notice that I use only one SSL listen port for both clients and servers.

With this config I receive this error:

* *** Notice -- Connection to host2.mynet.org[2.2.2.2] activated.
* Lost connection to host2.mynet.org[2.2.2.2]: SSL_connect(): Internal OpenSSL error or protocol error

If I remove verify-certificate from the ssl block it says "missing password" (obviously I don't want to remove this option, because only clients signed with the same CA must be allowed).
Jobe
Official supporter
Posts: 1180
Joined: Wed May 03, 2006 7:09 pm
Location: United Kingdom

Re: linking problem using sslclientcert as auth-type

Post by Jobe »

Unless your certificates are signed by a certificate authority that your IRCds recognise, the verify option will only hinder you. As for the error you're getting, that's because you DIDN'T supply a password-connect in either link block. Although you are not using passwords you still have to supply one; it can be literally anything though.

Personally I would also advise against fail-if-no-clientcert; and no-self-signed;. My reasoning is that most users who use SSL do NOT use an SSL client certificate, so because of fail-if-no-clientcert they will not be able to connect. Secondly, most users who do use SSL client certificates use self-signed certificates, so again they will fail because your options do not allow them. So because of the 3 options you chose you are saying NOBODY can use SSL unless they can afford to purchase an SSL certificate they can use as a client certificate that has been signed by a certificate authority your server recognises.

Not to mention the SSL certs generated by UnrealIRCd's install are self-signed anyway, so they won't pass the verification step or the no-self-signed requirement.
jestero
Posts: 2
Joined: Thu Mar 03, 2011 10:59 am

Re: linking problem using sslclientcert as auth-type

Post by jestero »

[SOLVED]

The configuration was OK, except for the "password-connect" parameter. I just needed to specify any password.
The problem was about creating certificates (and yes... I'm using a self-signed CA created with the easyrsa script from OpenVPN).
They must be created as a "client certificate" using the script "build-key" instead of "build-key-server".

Now every connection from / to my IRCd is "ssl cert" mandatory :)
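The "build-key instead of build-key-server" fix above comes down to one X.509 field: the extended key usage (EKU) extension the easy-rsa profile writes into the certificate. As I read easy-rsa 2's templates, the server profile issues certificates with extendedKeyUsage=serverAuth (plus nsCertType=server), while the client profile issues clientAuth; a verifier that is asked to accept a certificate in the client role rejects a serverAuth-only certificate before any CA check matters. The Go program below is an added example, not code from UnrealIRCd, easy-rsa or the posters: it builds a throw-away CA, issues two certificates for host1.mynet.org (the hostname from the thread) that differ only in their EKU list, and verifies each one in both roles a linked server plays, TLS client when it dials and TLS server when it accepts. The names newCA, issueLeaf, Inspect and Scenario are mine, and the CA and certificates are constructed in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LinkCertReport records whether one certificate chains to the CA in each
// role a linked server plays: client when it dials, server when it accepts.
type LinkCertReport struct {
	Subject          string
	ExtKeyUsages     []x509.ExtKeyUsage
	AcceptedAsClient bool // verified with ExtKeyUsageClientAuth
	AcceptedAsServer bool // verified with ExtKeyUsageServerAuth
}

// newCA builds a constructed self-signed CA standing in for the ca.crt
// referenced by trusted-ca-file in the thread (hypothetical, in-memory only).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example link CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a leaf for cn under the CA; the EKU list is the only thing
// that differs between the two certificates compared in Scenario.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64,
	cn string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifiesAs chains leaf to ca for one role; a leaf whose EKU extension omits
// that role fails with "certificate specifies an incompatible key usage".
func verifiesAs(leaf, ca *x509.Certificate, role x509.ExtKeyUsage) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{role}})
	return err == nil
}

// Inspect checks one certificate in both link roles.
func Inspect(leaf, ca *x509.Certificate) LinkCertReport {
	return LinkCertReport{
		Subject:          leaf.Subject.CommonName,
		ExtKeyUsages:     leaf.ExtKeyUsage,
		AcceptedAsClient: verifiesAs(leaf, ca, x509.ExtKeyUsageClientAuth),
		AcceptedAsServer: verifiesAs(leaf, ca, x509.ExtKeyUsageServerAuth),
	}
}

// Scenario compares a serverAuth-only certificate (a server profile) with one
// carrying both serverAuth and clientAuth, which is what a certificate used on
// both ends of a server link needs.
func Scenario() ([]LinkCertReport, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return nil, err
	}
	serverOnly, err := issueLeaf(ca, caKey, 2, "host1.mynet.org",
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		return nil, err
	}
	dual, err := issueLeaf(ca, caKey, 3, "host1.mynet.org",
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
	if err != nil {
		return nil, err
	}
	return []LinkCertReport{Inspect(serverOnly, ca), Inspect(dual, ca)}, nil
}

func main() {
	reports, err := Scenario()
	if err != nil {
		panic(err)
	}
	for _, r := range reports {
		fmt.Printf("%s EKUs=%v client=%v server=%v\n",
			r.Subject, r.ExtKeyUsages, r.AcceptedAsClient, r.AcceptedAsServer)
	}
}
```

The first report shows the serverAuth-only certificate rejected in the client role and accepted in the server role; the second is accepted in both. For a real link certificate the same check can be done on the file with `openssl x509 -in host1.crt -noout -ext extendedKeyUsage` and `openssl verify -CAfile ca.crt -purpose sslclient host1.crt`, which is a quicker diagnosis than reading "Internal OpenSSL error or protocol error" off the IRCd. Since each side of a link both dials and accepts, issuing link certificates with both EKUs avoids depending on which direction the autoconnect happens to succeed in.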