Date: Wed, 13 Mar 2024 11:44:18 -0700 From: Doug Hardie <bc979@lafn.org> To: John Levine <johnl@iecc.com>, freebsd-questions@freebsd.org Subject: Re: Client Certificate Verification Message-ID: <2824CBA3-BB5A-4A1B-AC6A-37A676339639@sermon-archive.info> In-Reply-To: <20231217201351.E63AE7EF41EE@ary.qy> References: <20231217201351.E63AE7EF41EE@ary.qy>
next in thread | previous in thread | raw e-mail | index | archive | help
--Apple-Mail=_B7C2BA20-77AE-4515-8AE9-CC180BFA2DAC Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii > On Dec 17, 2023, at 12:13, John Levine <johnl@iecc.com> wrote: >=20 > It appears that Doug Hardie <bc979@lafn.org <mailto:bc979@lafn.org>> = said: >> -=3D-=3D-=3D-=3D-=3D- >>=20 >> I have an application to which clients connect using a browser over = SSL. I have a LetsEncrypt certificate for the app that lets the client = authenticate the app.=20 >> However, I need to have a multitude of client certificates (one per = client machine). I am generating these certificates from a self-signed = root certificate. I can get >> the client to verify the app and provide the client certificate to = it. The app is unable to verify the client certificate. I have not = been able to figure out how to >> have openssl distribute one certificate (from LetsEncrytp), but = verify the received client certificate using different certificate = chain. Openssl will pass me some of >> the received certificate fields. However, without certificate = verification I cannot be sure that those values came from a certificate = I generated. Is there a way to do >> this either with openssl or libtls? >=20 > OpenSSL gets its list of trusted root signers from a big list in > /etc/ssl so you want to add your CA to that list. See the certctl > command for more details on how it's managed. >=20 > Most FreeBSD systems use the ca_root_nss package to update that list, > so the trick is to keep your cert from getting deleted the next time > the package is updated. You might try putting your cert in > /usr/local/share/certs/ rather than /usr/share/certs/trusted where the > standard certs are. Finally got some time to work on this again. That approach works very = well. My client certificates are properly accepted. However, I am = unable to tell just what SSL_accept validates. I have not been able to = find any documentation on what it actually checks. My testing shows = that the client certificate must be signed by a known root certificate, = but does SSL_accept verify that the signing certificate is the one = indicated in the client certificate, and how does it check that? In my = server, I am checking the certificate serial number. The subject CN is = being used to send the real user id. Is that necessary and sufficient = to ensure that the certificate is the one I generated and not a fake? It seems that it might be possible to create a CA that is certified by = one of the known root certificates and use it to generate a client = certificate with the identical issuer information. Obtaining the proper = issuer serial number would take some work, but I suspect it is possible. = The rest of that information is trivial. Thanks, -- Doug --Apple-Mail=_B7C2BA20-77AE-4515-8AE9-CC180BFA2DAC Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii <html><head><meta http-equiv=3D"content-type" content=3D"text/html; = charset=3Dus-ascii"></head><body style=3D"overflow-wrap: break-word; = -webkit-nbsp-mode: space; line-break: = after-white-space;"><div><blockquote type=3D"cite"><div>On Dec 17, 2023, = at 12:13, John Levine <johnl@iecc.com> wrote:</div><br = class=3D"Apple-interchange-newline"><div><meta charset=3D"UTF-8"><span = style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: = 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; = letter-spacing: normal; text-align: start; text-indent: 0px; = text-transform: none; white-space: normal; word-spacing: 0px; = -webkit-text-stroke-width: 0px; text-decoration: none; float: none; = display: inline !important;">It appears that Doug Hardie <</span><a = href=3D"mailto:bc979@lafn.org" style=3D"font-family: Helvetica; = font-size: 14px; font-style: normal; font-variant-caps: normal; = font-weight: 400; letter-spacing: normal; orphans: auto; text-align: = start; text-indent: 0px; text-transform: none; white-space: normal; = widows: auto; word-spacing: 0px; -webkit-text-stroke-width: = 0px;">bc979@lafn.org</a><span style=3D"caret-color: rgb(0, 0, 0); = font-family: Helvetica; font-size: 14px; font-style: normal; = font-variant-caps: normal; font-weight: 400; letter-spacing: normal; = text-align: start; text-indent: 0px; text-transform: none; white-space: = normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; = text-decoration: none; float: none; display: inline !important;">> = said:</span><br style=3D"caret-color: rgb(0, 0, 0); font-family: = Helvetica; font-size: 14px; font-style: normal; font-variant-caps: = normal; font-weight: 400; letter-spacing: normal; text-align: start; = text-indent: 0px; text-transform: none; white-space: normal; = word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: = none;"><blockquote type=3D"cite" style=3D"font-family: Helvetica; = font-size: 14px; font-style: normal; font-variant-caps: normal; = font-weight: 400; letter-spacing: normal; orphans: auto; text-align: = start; text-indent: 0px; text-transform: none; white-space: normal; = widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; = text-decoration: none;">-=3D-=3D-=3D-=3D-=3D-<br><br>I have an = application to which clients connect using a browser over SSL. I = have a LetsEncrypt certificate for the app that lets the client = authenticate the app.<span = class=3D"Apple-converted-space"> </span><br>However, I need to have = a multitude of client certificates (one per client machine). I am = generating these certificates from a self-signed root certificate. = I can get<br>the client to verify the app and provide the client = certificate to it. The app is unable to verify the client = certificate. I have not been able to figure out how to<br>have = openssl distribute one certificate (from LetsEncrytp), but verify the = received client certificate using different certificate chain. = Openssl will pass me some of<br>the received certificate fields. = However, without certificate verification I cannot be sure that = those values came from a certificate I generated. Is there a way = to do<br>this either with openssl or libtls?<br></blockquote><br = style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: = 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; = letter-spacing: normal; text-align: start; text-indent: 0px; = text-transform: none; white-space: normal; word-spacing: 0px; = -webkit-text-stroke-width: 0px; text-decoration: none;"><span = style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: = 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; = letter-spacing: normal; text-align: start; text-indent: 0px; = text-transform: none; white-space: normal; word-spacing: 0px; = -webkit-text-stroke-width: 0px; text-decoration: none; float: none; = display: inline !important;">OpenSSL gets its list of trusted root = signers from a big list in</span><br style=3D"caret-color: rgb(0, 0, 0); = font-family: Helvetica; font-size: 14px; font-style: normal; = font-variant-caps: normal; font-weight: 400; letter-spacing: normal; = text-align: start; text-indent: 0px; text-transform: none; white-space: = normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; = text-decoration: none;"><span style=3D"caret-color: rgb(0, 0, 0); = font-family: Helvetica; font-size: 14px; font-style: normal; = font-variant-caps: normal; font-weight: 400; letter-spacing: normal; = text-align: start; text-indent: 0px; text-transform: none; white-space: = normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; = text-decoration: none; float: none; display: inline = !important;">/etc/ssl so you want to add your CA to that list. See the = certctl</span><br style=3D"caret-color: rgb(0, 0, 0); font-family: = Helvetica; font-size: 14px; font-style: normal; font-variant-caps: = normal; font-weight: 400; letter-spacing: normal; text-align: start; = text-indent: 0px; text-transform: none; white-space: normal; = word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: = none;"><span style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; = font-size: 14px; font-style: normal; font-variant-caps: normal; = font-weight: 400; letter-spacing: normal; text-align: start; = text-indent: 0px; text-transform: none; white-space: normal; = word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: = none; float: none; display: inline !important;">command for more details = on how it's managed.</span><br style=3D"caret-color: rgb(0, 0, 0); = font-family: Helvetica; font-size: 14px; font-style: normal; = font-variant-caps: normal; font-weight: 400; letter-spacing: normal; = text-align: start; text-indent: 0px; text-transform: none; white-space: = normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; = text-decoration: none;"><br style=3D"caret-color: rgb(0, 0, 0); = font-family: Helvetica; font-size: 14px; font-style: normal; = font-variant-caps: normal; font-weight: 400; letter-spacing: normal; = text-align: start; text-indent: 0px; text-transform: none; white-space: = normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; = text-decoration: none;"><span style=3D"caret-color: rgb(0, 0, 0); = font-family: Helvetica; font-size: 14px; font-style: normal; = font-variant-caps: normal; font-weight: 400; letter-spacing: normal; = text-align: start; text-indent: 0px; text-transform: none; white-space: = normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; = text-decoration: none; float: none; display: inline !important;">Most = FreeBSD systems use the ca_root_nss package to update that = list,</span><br style=3D"caret-color: rgb(0, 0, 0); font-family: = Helvetica; font-size: 14px; font-style: normal; font-variant-caps: = normal; font-weight: 400; letter-spacing: normal; text-align: start; = text-indent: 0px; text-transform: none; white-space: normal; = word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: = none;"><span style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; = font-size: 14px; font-style: normal; font-variant-caps: normal; = font-weight: 400; letter-spacing: normal; text-align: start; = text-indent: 0px; text-transform: none; white-space: normal; = word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: = none; float: none; display: inline !important;">so the trick is to keep = your cert from getting deleted the next time</span><br = style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: = 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; = letter-spacing: normal; text-align: start; text-indent: 0px; = text-transform: none; white-space: normal; word-spacing: 0px; = -webkit-text-stroke-width: 0px; text-decoration: none;"><span = style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: = 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; = letter-spacing: normal; text-align: start; text-indent: 0px; = text-transform: none; white-space: normal; word-spacing: 0px; = -webkit-text-stroke-width: 0px; text-decoration: none; float: none; = display: inline !important;">the package is updated. You might try = putting your cert in</span><br style=3D"caret-color: rgb(0, 0, 0); = font-family: Helvetica; font-size: 14px; font-style: normal; = font-variant-caps: normal; font-weight: 400; letter-spacing: normal; = text-align: start; text-indent: 0px; text-transform: none; white-space: = normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; = text-decoration: none;"><span style=3D"caret-color: rgb(0, 0, 0); = font-family: Helvetica; font-size: 14px; font-style: normal; = font-variant-caps: normal; font-weight: 400; letter-spacing: normal; = text-align: start; text-indent: 0px; text-transform: none; white-space: = normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; = text-decoration: none; float: none; display: inline = !important;">/usr/local/share/certs/ rather than = /usr/share/certs/trusted where the</span><br style=3D"caret-color: = rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: = normal; font-variant-caps: normal; font-weight: 400; letter-spacing: = normal; text-align: start; text-indent: 0px; text-transform: none; = white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; = text-decoration: none;"><span style=3D"caret-color: rgb(0, 0, 0); = font-family: Helvetica; font-size: 14px; font-style: normal; = font-variant-caps: normal; font-weight: 400; letter-spacing: normal; = text-align: start; text-indent: 0px; text-transform: none; white-space: = normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; = text-decoration: none; float: none; display: inline = !important;">standard certs = are.</span></div></blockquote><br></div><div>Finally got some time to = work on this again. That approach works very well. My client = certificates are properly accepted. However, I am unable to tell = just what SSL_accept validates. I have not been able to find any = documentation on what it actually checks. My testing shows that = the client certificate must be signed by a known root certificate, but = does SSL_accept verify that the signing certificate is the one indicated = in the client certificate, and how does it check that? In my = server, I am checking the certificate serial number. The subject = CN is being used to send the real user id. Is that necessary and = sufficient to ensure that the certificate is the one I generated and not = a fake?</div><div><br></div><div> It seems that it might be = possible to create a CA that is certified by one of the known root = certificates and use it to generate a client certificate with the = identical issuer information. Obtaining the proper issuer serial = number would take some work, but I suspect it is possible. The = rest of that information is trivial. = Thanks,</div><div><br></div><div>-- = Doug</div><div><br></div></body></html>= --Apple-Mail=_B7C2BA20-77AE-4515-8AE9-CC180BFA2DAC--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2824CBA3-BB5A-4A1B-AC6A-37A676339639>