From: Doug Hardie
To: Doug McIntyre
Cc: FreeBSD Questions
Subject: Re: OpenSSL client certificates
Date: Wed, 31 Jul 2019 18:03:07 -0700
In-Reply-To: <20190731224351.GA67809@geeks.org>
References: <6F225C67-4264-4E28-A1E2-69CDFE321B16@mail.sermon-archive.info> <20190731224351.GA67809@geeks.org>
-- 
Doug

> On 31 July 2019, at 15:43, Doug McIntyre wrote:
> 
> On Mon, Jul 29, 2019 at 06:11:59PM -0700, Doug Hardie wrote:
>> I have a Let's Encrypt certificate my app uses for the clients to validate me. However, I need to be able to validate the client's identity using a client certificate. Let's Encrypt certificates cannot be used to create client certificates. So I need to be able to use a self-signed certificate for the client certificate validation. I have been digging around through nginx code to see what I could find, but I am not sure it does that either. Any ideas on how to do this with openssl?
> 
> 
> How are you validating a client's identity? Through a web page?
> An email? Logged into a shell?

This is all in an application for this specific use. Both the client and server are written by me. I have seen that page you reference below and that leads me to believe nginx has solved the problem. I just haven't been able to figure out where or how they do it in the code.

I have been able to get the server to use the validation callback to let me validate the certificate parameters. It's not perfect as I haven't figured out how to verify the certificate is valid yet. I can get the fields I need from it for the application.

The vast majority of the clients will be using cell phones. Dongles are just not practical. The clients won't use them. A one-time store of the certificate in the phone is better than passwords which they never remember or use such trivial ones that it is not effective.

> 
> OpenSSL is a command line tool to manipulate/create/change SSL certs. It can be used
> to set up your own PKI infrastructure (although it is fairly fugly in how to do it).
> 
> Google "Setup PKI with openssl" and you'll get 1000s of articles. Most poor.
> 
> If you want to validate your clients connecting to a web page (since
> you mention nginx), you can do google searches for "SSL client
> authentication with nginx" and get pages like
> https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/
> which is what I think you are trying to do.
> 
> 
> I'm sure there are hundreds of other pages out there for Apache and
> Nginx dealing with the subject. I've never really seen people really
> enjoy the experience of doing client-side web authentication though.
> 
> The new hotness is webauthn and a security dongle.
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
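The two technical points in this exchange, Doug McIntyre's suggestion to set up a private PKI with the openssl command line, and Doug Hardie's remaining problem of checking that a presented client certificate is actually valid before reading fields from it, can be shown together with the openssl CLI. The script below is an added example, not code from either poster or from the application under discussion; the CA and client names, the subject fields and the temporary paths are constructed for the example, and it assumes an openssl binary of version 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not code from either poster: a private CA for client
# certificates built with the openssl CLI, plus the chain check a server
# must do before trusting any field of a presented certificate.
# Assumes an openssl binary (1.1.1 or later) on PATH. All names, subjects
# and file paths below are constructed for the example.

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# A minimal openssl config so the example does not depend on the system
# openssl.cnf. ca_ext marks a certificate as a CA; client_ext marks it as
# a TLS client certificate (and explicitly not a CA).
cat >"$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = req_dn
x509_extensions = ca_ext
[req_dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_ca NAME: self-signed CA certificate and key, WORK/NAME.crt + WORK/NAME.key.
# The server is configured to trust only this CA for client certificates.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/pki.cnf" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# make_client_cert CA CLIENT: key + CSR for CLIENT, signed by CA for one year.
# In practice the key stays on the client device; only the CSR goes to the CA.
make_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/pki.cnf" -subj "/CN=$2/O=example-app" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1 &&
    openssl x509 -req -sha256 -days 365 \
        -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -extfile "$WORK/pki.cnf" -extensions client_ext \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_client_cert CA CLIENT: the check the server must make. Returns 0 only
# if CLIENT's certificate chains to CA, is inside its validity period and is
# usable as a TLS client certificate. Any field read from the certificate
# (CN, O, ...) is only meaningful after this has succeeded.
verify_client_cert() {
    openssl verify -purpose sslclient -CAfile "$WORK/$1.crt" \
        "$WORK/$2.crt" >/dev/null 2>&1
}

# client_cn CLIENT: pull the CN out of the subject, i.e. the identity the
# application would key on once the chain check has passed.
client_cn() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Demo: two CAs, one client certificate from each; only the certificate
# issued by the CA the server trusts is accepted.
make_ca app-ca
make_ca other-ca
make_client_cert app-ca alice
make_client_cert other-ca mallory
for client in alice mallory; do
    if verify_client_cert app-ca "$client"; then
        echo "$client: accepted, CN=$(client_cn "$client")"
    else
        echo "$client: rejected (does not chain to app-ca)"
    fi
done
```

The point of verify_client_cert is the order of operations: the chain check against the server's own CA (with the sslclient purpose check) comes first, and only a certificate that passes it has a subject worth reading; a certificate from any other issuer is rejected before any field is looked at, however plausible its CN. The same ordering applies to an application that installs a verify callback with the OpenSSL library API: a callback that returns success unconditionally silently disables chain verification, so it should preserve the chain result OpenSSL hands it and do its own field checks only on a chain that has already verified.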