From nobody Sun Dec 17 05:48:48 2023
X-Original-To: questions@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4StBpp6jJwz546nX
	for <questions@mlmmj.nyi.freebsd.org>; Sun, 17 Dec 2023 05:49:06 +0000 (UTC)
	(envelope-from bc979@lafn.org)
Received: from mail.sermon-archive.info (sermon-archive.info [47.181.130.121])
	by mx1.freebsd.org (Postfix) with ESMTP id 4StBpp07hMz4FKJ
	for <questions@freebsd.org>; Sun, 17 Dec 2023 05:49:05 +0000 (UTC)
	(envelope-from bc979@lafn.org)
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	spf=pass (mx1.freebsd.org: domain of bc979@lafn.org designates 47.181.130.121 as permitted sender) smtp.mailfrom=bc979@lafn.org;
	dmarc=none
Received: from smtpclient.apple (unknown [10.0.1.251])
	by mail.sermon-archive.info (Postfix) with ESMTPSA id 4StBpf5KkVz2fjVg
	for <questions@freebsd.org>; Sat, 16 Dec 2023 21:48:58 -0800 (PST)
From: Doug Hardie <bc979@lafn.org>
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_5596B919-8FAC-4DAE-AF9F-2DC03E09B3E6"
List-Id: User questions <freebsd-questions.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
List-Help: <mailto:questions+help@freebsd.org>
List-Post: <mailto:questions@freebsd.org>
List-Subscribe: <mailto:questions+subscribe@freebsd.org>
List-Unsubscribe: <mailto:questions+unsubscribe@freebsd.org>
Sender: owner-freebsd-questions@freebsd.org
X-BeenThere: freebsd-questions@freebsd.org
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Subject: Client Certificate Verification
Message-Id: <174A9481-186F-44EC-A129-96ACD985DD76@sermon-archive.info>
Date: Sat, 16 Dec 2023 21:48:48 -0800
To: FreeBSD Questions List <questions@freebsd.org>
X-Mailer: Apple Mail (2.3731.700.6)
X-Virus-Scanned: clamav-milter 1.2.0 at mail
X-Virus-Status: Clean
X-Spamd-Result: default: False [-2.60 / 15.00];
	NEURAL_HAM_SHORT(-1.00)[-1.000];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	MV_CASE(0.50)[];
	R_SPF_ALLOW(-0.20)[+mx];
	RCVD_NO_TLS_LAST(0.10)[];
	MIME_GOOD(-0.10)[multipart/alternative,text/plain];
	ONCE_RECEIVED(0.10)[];
	DMARC_NA(0.00)[lafn.org: no valid DMARC record];
	ARC_NA(0.00)[];
	MLMMJ_DEST(0.00)[questions@freebsd.org];
	FROM_EQ_ENVFROM(0.00)[];
	MIME_TRACE(0.00)[0:+,1:+,2:~];
	R_DKIM_NA(0.00)[];
	PREVIOUSLY_DELIVERED(0.00)[questions@freebsd.org];
	RCVD_COUNT_ONE(0.00)[1];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	RCPT_COUNT_ONE(0.00)[1];
	FROM_HAS_DN(0.00)[];
	ASN(0.00)[asn:5650, ipnet:47.181.128.0/18, country:US];
	TO_DN_ALL(0.00)[];
	RCVD_VIA_SMTP_AUTH(0.00)[]
X-Rspamd-Queue-Id: 4StBpp07hMz4FKJ
X-Spamd-Bar: --


--Apple-Mail=_5596B919-8FAC-4DAE-AF9F-2DC03E09B3E6
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

I have an application to which clients connect using a browser over SSL. =
 I have a LetsEncrypt certificate for the app that lets the client =
authenticate the app.  However, I need to have a multitude of client =
certificates (one per client machine).  I am generating these =
certificates from a self-signed root certificate.  I can get the client =
to verify the app and provide the client certificate to it.  The app is =
unable to verify the client certificate.  I have not been able to figure =
out how to have openssl distribute one certificate (from LetsEncrytp), =
but verify the received client certificate using different certificate =
chain.  Openssl will pass me some of the received certificate fields.  =
However, without certificate verification I cannot be sure that those =
values came from a certificate I generated.  Is there a way to do this =
either with openssl or libtls?

-- Doug


--Apple-Mail=_5596B919-8FAC-4DAE-AF9F-2DC03E09B3E6
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; =
charset=3Dus-ascii"></head><body style=3D"overflow-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;">I have an =
application to which clients connect using a browser over SSL. &nbsp;I =
have a LetsEncrypt certificate for the app that lets the client =
authenticate the app. &nbsp;However, I need to have a multitude of =
client certificates (one per client machine). &nbsp;I am generating =
these certificates from a self-signed root certificate. &nbsp;I can get =
the client to verify the app and provide the client certificate to it. =
&nbsp;The app is unable to verify the client certificate. &nbsp;I have =
not been able to figure out how to have openssl distribute one =
certificate (from LetsEncrytp), but verify the received client =
certificate using different certificate chain. &nbsp;Openssl will pass =
me some of the received certificate fields. &nbsp;However, without =
certificate verification I cannot be sure that those values came from a =
certificate I generated. &nbsp;Is there a way to do this either with =
openssl or libtls?<div><br><div>
<div>-- Doug</div>

</div>
<br></div></body></html>=

--Apple-Mail=_5596B919-8FAC-4DAE-AF9F-2DC03E09B3E6--