
OpenSSL TLS Server - use client certificate whitelist

I am developing a C++ client/server application that uses OpenSSL. The server uses a whitelist in order to accept only certain clients.

On the server, I generate a self-signed root certificate (rootCA.pem), which is also used as the server certificate. (I will use a separate server certificate in the future; this describes my application as it is now.) Clients generate CSRs which are signed by the server using the root certificate (rootCA.pem). These client certificates are then sent to the clients to be used by them and are also placed in the "clientCertificate" folder. I am trying to accept a connection from an approved client, but it is not working.

SSL_CTX_use_certificate_file(ctx, "rootCA.pem", SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(ctx, "serverPrivateKey.pem", SSL_FILETYPE_PEM);
STACK_OF(X509_NAME) *list;
list = SSL_load_client_CA_file("rootCA.pem");
SSL_CTX_set_client_CA_list(ctx, list);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
SSL_CTX_load_verify_locations(ctx, NULL, "clientCertificate");

Is there an obvious mistake that I have made?

If I only use the first two lines (only SSL_CTX_use_certificate_file and SSL_CTX_use_PrivateKey_file) and comment out the others, the application works.

The "rootCA.pem" has the digitalSignature keyUsage field.

An additional question would be: suppose I get the handshake working, how do I then disconnect clients by simply removing their certificate from the "clientCertificatesFolder"? Is there a "check if client is still approved" function in OpenSSL that I can use?

Usually a server does not need to know the certificates of clients before they attempt to connect. A server can do TLS client authentication by using the trusted CA certificate.

SSL_CTX_load_verify_locations(ctx, "rootCA.pem", NULL);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, callback);

This way the TLS server accepts only clients that have a valid certificate chain and the correct private key for the client certificate (i.e. the root certificate of the certificate chain must be in "rootCA.pem").

If some kind of whitelist is still really needed, you can implement it in the callback function.
