SSL with mutual certificate authentication

Nano

Hello!

Would it be possible to extend the SSL support with mutual certificate authentication where the client also has to show its certificate to the server so that the server can check if the client is allowed to connect?

Why?
Ease the use of clients and server when they are directly connecting over the internet without any additional tools (e.g. openvpn, stunnel, plink, etc.).

Thanks,
Christian

Michael

Yes this is supported in server 2.1.0 and client 2.8.3, see here for setup https://www.virtualhere.com/ssl_setup

Nano

Great! Thanks for adding the client cert support.

It would be nice if you could improve the SSL documentation a little bit:
* I had to use double backslashes for the path
* In the vhui.ini there are sections: I have just put the sslPort option in the [General] section. For SSLClientCert it is already specified to put it in the [General] section.

In the server FAQ there is a typo with double "the":
* "SSLCAFileThis file is contains the PEM encoded Certificate Authority(CA) Trusted Root Certificates used the the Server and Client SSL certificates."

Thanks again for this great product!

Nano

Would it also be possible to add a CRL file (certificate revocation list) to disable certain certificates so that it is not necessary to generate a new CA cert and, as a result of this, generate new client certificates for all users?

Michael

OK, download 2.1.7 of the server and then add UseSSLCRL=1 to the server config.ini, then append your CRLs in PEM format to the server.pem file and it should work according to the openssl documentation.

Nano

Great! Thanks for adding!

BTW: I am using this PKI tool for handling all the cert stuff:
git clone https://github.com/OpenVPN/easy-rsa.git

Then simply run the command "easyrsa" in the "easyrsa3" subdir.
The only thing that has to be done manually afterwards is to concatenate the public certificate and the private key (and optionally the CRL) into one PEM file. "easyrsa" also generates the CRL in PEM format which contains the revoked certificates.

Michael

That's good to know, openssl cli is a PIA :)

Nano

Hi!

I am just testing the CRL support.
Enabling the option "UseSSLCRL=1" results in no working SSL connections anymore.
I have tried the pure server.pem without CRL in PEM format and with an empty CRL in PEM format (added to server.pem) which was generated by "easyrsa gen-crl" and no certificates have been revoked before.

As soon as I disable the option "UseSSLCRL=0", it works again.

What am I doing wrong?

Server says that it got no client certificate. The client gives an SSL alert: bad certificate.

Nano

I am unsure: is there something like an empty CRL at all?

However, I would expect even when enabling the option "UseSSLCRL=1" and there is no CRL block in the server.pem that it accepts all clients which it currently does not.

Michael

This is the post I used to implement the code:

http://openssl.6102.n7.nabble.com/Is-CRL-verification-automatic-in-openS...

The exact code I used is in the 2nd post. I think you need to add the CRL to the CA file; could you try that? I think I might have my docs wrong.

Nano

I would like to confirm that it is working if you add the CRL (PEM format) to the CA.PEM file.
I have created a new test certificate which allowed the client to connect to the server. An empty CRL was present in the CA.PEM file.
Then I revoked this certificate, generated a new CRL and updated the CA.PEM file with this new CRL content.
If the client connects, it is correctly denied access with the following message:
20:00:03 INFO :VirtualHere Client 2.8.7 starting (Compiled: Apr 8 2015 18:44:21)
20:00:03 INFO :Found config in executable path, using D:\Tools\virtualusb\client\gui\windows\vhui.ini
20:00:03 INFO :IPC available at \\.\pipe\vhclient
20:00:03 INFO :Auto-find (Bonjour) on
20:00:03 INFO :Auto-find (Bonjour SSL) on
20:00:04 INFO :SSL_connect failed when connecting to raspberrypi.local.:17574, error:14094414:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate revoked

Thanks!
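The CRL placement Michael describes above, and the three outcomes Nano reports (CRL checking on with no CRL present, an empty CRL, a revoked client certificate), reproduced with the openssl command line as an added example that is not part of this thread or of VirtualHere. It assumes only the openssl and mktemp binaries are on PATH; the scratch CA, the names demo-ca and demo-client, and the helper function names are constructed for the demo. `openssl verify -crl_check -CAfile` stands in for the server-side check: `-CAfile` reads both certificates and CRLs from one PEM file, which is why the CRL has to be appended to the CA bundle rather than kept in a separate file.

```shell
#!/bin/sh
# Added example (not VirtualHere's code): a throwaway CA built with the openssl CLI
# to show why the CRL has to live in the same PEM bundle as the CA certificate,
# and what "openssl verify -crl_check" reports in each of the three states
# described in the thread.
# Assumes: the openssl CLI (1.1.1 or 3.x) and mktemp are on PATH.
# All names (demo-ca, demo-client, the $WORK paths) are constructed for this demo.
set -eu

# Minimal "openssl ca" database and config in a scratch directory.
setup_ca() {
  WORK=$(mktemp -d)
  CNF="$WORK/openssl.cnf"
  mkdir -p "$WORK/demoCA/newcerts"
  : > "$WORK/demoCA/index.txt"
  echo 01 > "$WORK/demoCA/serial"
  echo 01 > "$WORK/demoCA/crlnumber"
  cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $WORK/demoCA/index.txt
new_certs_dir = $WORK/demoCA/newcerts
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
serial = $WORK/demoCA/serial
crlnumber = $WORK/demoCA/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Self-signed CA that is allowed to sign both certificates and CRLs.
  openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj /CN=demo-ca -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue one client certificate through the CA database so it can be revoked later.
issue_client() {
  openssl req -config "$CNF" -new -newkey rsa:2048 -nodes \
    -subj /CN=demo-client -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  openssl ca -config "$CNF" -batch -notext -in "$WORK/client.csr" \
    -out "$WORK/client.crt" >/dev/null 2>&1
}

gen_crl()       { openssl ca -config "$CNF" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1; }
revoke_client() { openssl ca -config "$CNF" -revoke "$WORK/client.crt" >/dev/null 2>&1; }

# The trust bundle the verifier reads: CA certificate alone, or CA certificate
# followed by the CRL (the layout the thread ends up with).
build_bundle() {
  cat "$WORK/ca.crt" > "$WORK/ca-bundle.pem"
  if [ "$1" = with-crl ]; then
    cat "$WORK/crl.pem" >> "$WORK/ca-bundle.pem"
  fi
}

# Leaf verification with CRL checking on, condensed to one word.
verify_client() {
  _out=$(openssl verify -crl_check -CAfile "$WORK/ca-bundle.pem" "$WORK/client.crt" 2>&1) || true
  case "$_out" in
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl ;;
    *": OK"*)                          echo ok ;;
    *)                                 echo other ;;
  esac
}

# Walk through the three states from the thread and print one word per state.
demo() {
  setup_ca
  issue_client
  build_bundle without-crl;       r1=$(verify_client)  # checking on, no CRL in bundle -> no-crl
  gen_crl; build_bundle with-crl; r2=$(verify_client)  # empty CRL in bundle           -> ok
  revoke_client; gen_crl
  build_bundle with-crl;          r3=$(verify_client)  # client revoked, fresh CRL     -> revoked
  rm -rf "$WORK"
  echo "$r1 $r2 $r3"
}

demo
```

Run as a script it prints `no-crl ok revoked`: the first word is the state Nano hit when UseSSLCRL=1 was set without any CRL loaded, the second is the empty CRL from `easyrsa gen-crl` being accepted, and the third matches the "sslv3 alert certificate revoked" the client logged once the revoked serial was in the bundle.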
