SSL with mutual certificate authentication

Hello!

Would it be possible to extend the SSL support with mutual certificate authentication where the client also has to show its certificate to the server so that the server can check if the client is allowed to connect?

Why?
Ease the use of clients and server when they are directly connecting over the internet without any additional tools (e.g. openvpn, stunnel, plink, etc.).

Thanks,
Christian

#3

Great! Thanks for adding the client cert support.

It would be nice if you could improve the SSL documentation a little bit:
* I had to use double backslashes for the path
* In the vhui.ini there are sections: I have just put the sslPort option to the [General] section. For the SSLClientCert it is already specified to put it in the [General] section.

In the server FAQ there is a typo with double "the":
* "SSLCAFileThis file is contains the PEM encoded Certificate Authority(CA) Trusted Root Certificates used the the Server and Client SSL certificates."

Thanks again for this great product!

#4

Would it also be possible to add a CRL file (certificate revocation list) to disable certain certificates so that it is not necessary to generate a new CA cert and, as a result of this, generate new client certificates for all users?

#5

OK, download 2.1.7 of the server and then add UseSSLCRL=1 to the server config.ini, then append your CRLs in PEM format to the server.pem file and it should work according to the openssl documentation.

#6

Great! Thanks for adding!

BTW: I am using this PKI tool for handling all the cert stuff:
git clone https://github.com/OpenVPN/easy-rsa.git

Then simply run the command "easyrsa" in the "easyrsa3" subdir.
The only thing that has to be done manually afterwards is to concatenate the public certificate and the private key (and optionally the CRL) into one PEM file. "easyrsa" also generates the CRL in PEM format which contains the revoked certificates.

#8

Hi!

I am just testing the CRL support.
Enabling the option "UseSSLCRL=1" results in no working SSL connections anymore.
I have tried the pure server.pem without CRL in PEM format and with an empty CRL in PEM format (added to server.pem) which was generated by "easyrsa gen-crl" and no certificates have been revoked before.

As soon as I disable the option "UseSSLCRL=0", it works again.

What am I doing wrong?

Server says that it got no client certificate. The client gives an SSL alert: bad certificate.

#9

I am unsure: is there something like an empty CRL at all?

However, I would expect that, even when enabling the option "UseSSLCRL=1" and there is no CRL block in the server.pem, it accepts all clients, which it currently does not.

#11

I would like to confirm that it is working if you add the CRL (PEM format) to the CA.PEM file.
I have created a new test certificate which allowed the client to connect to the server. An empty CRL was present in the CA.PEM file.
Then I revoked this certificate, generated a new CRL and updated the CA.PEM file with this new CRL content.
If the client connects, it is correctly denied access with the following message:

20:00:03 INFO :VirtualHere Client 2.8.7 starting (Compiled: Apr 8 2015 18:44:21)
20:00:03 INFO :Found config in executable path, using D:\Tools\virtualusb\client\gui\windows\vhui.ini
20:00:03 INFO :IPC available at \\.\pipe\vhclient
20:00:03 INFO :Auto-find (Bonjour) on
20:00:03 INFO :Auto-find (Bonjour SSL) on
20:00:04 INFO :SSL_connect failed when connecting to raspberrypi.local.:17574, error:14094414:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate revoked

Thanks!
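To make the CRL behaviour from posts #5/#6 and #11 reproducible outside VirtualHere, here is an added example (not from this thread and not VirtualHere's or easy-rsa's code) that uses only the openssl CLI: it builds a throwaway CA and one client certificate, generates an empty CRL and a CRL revoking that client, concatenates each CRL behind the CA certificate the way the thread describes, and runs openssl's own verifier with CRL checking on against each bundle. All file and CN names are made up for the demo; the WORK directory defaults to a temp dir.

```bash
#!/bin/sh
# Added example: demonstrate CA-bundle + CRL handling with plain openssl.
# Assumes the openssl CLI (1.1.1 or newer) is installed. File names are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Build a minimal "openssl ca" database in $WORK/ca and issue one client cert.
setup_ca() (
  mkdir -p "$WORK/ca" && cd "$WORK/ca"
  : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = usr_cert
[ demo_policy ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
[ dn ]
EOF
  # Self-signed demo CA (constructed, valid one year)
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=demo-ca" -addext "basicConstraints=critical,CA:TRUE" \
    -keyout ca.key -out ca.crt 2>/dev/null
  # Client key + CSR, then sign it with the CA
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
    -keyout client.key -out client.csr 2>/dev/null
  openssl ca -batch -config ca.cnf -in client.csr -out client.crt 2>/dev/null
  # Client bundle as the thread describes: public cert + private key in one PEM
  cat client.crt client.key > client.pem
  # CRL with nothing revoked yet, then revoke the client and issue a new CRL
  openssl ca -config ca.cnf -gencrl -out crl-empty.pem 2>/dev/null
  openssl ca -config ca.cnf -revoke client.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl-revoked.pem 2>/dev/null
)

# Three trust bundles a server might load: CA only, CA + empty CRL, CA + revoking CRL.
build_bundles() {
  cat "$WORK/ca/ca.crt" > "$WORK/ca-only.pem"
  cat "$WORK/ca/ca.crt" "$WORK/ca/crl-empty.pem" > "$WORK/ca-empty-crl.pem"
  cat "$WORK/ca/ca.crt" "$WORK/ca/crl-revoked.pem" > "$WORK/ca-revoked-crl.pem"
}

# Verify the client cert against a bundle with CRL checking enabled.
# Prints one word: OK, no-crl (CRL checking on but no CRL for the issuer), or revoked.
verify_client() {
  out=$(openssl verify -crl_check -CAfile "$1" "$WORK/ca/client.crt" 2>&1 || true)
  case "$out" in
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl ;;
    *": OK"*)                          echo OK ;;
    *)                                 echo "unexpected: $out" ;;
  esac
}

setup_ca
build_bundles
for b in ca-only ca-empty-crl ca-revoked-crl; do
  printf '%-16s -> %s\n' "$b" "$(verify_client "$WORK/$b.pem")"
done
```

The middle case is the one worth remembering from this thread: with CRL checking switched on, openssl refuses to verify any client unless a CRL from the issuing CA is present in the bundle, so an "empty" CRL (one with no revoked serials) is a real and necessary artefact, not a no-op. Appending the CRL to the same PEM file as the CA certificate works because openssl's PEM loader picks up both certificates and CRLs from one file.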