oscrypto

Add client authentication to tls.TLSSocket()

Open wbond opened this issue 10 years ago • 6 comments

The most complicated part of this is testing. We need to find a reliable way to test various scenarios including:

  • Successful authentication
  • Invalid authentication
  • Weak certificate authentication?

Ideally we would use something like tls-o-matic.com, however they do not provide good and bad client certs to test with.

I have no interest in creating a VM for this since it will complicate testing.

wbond · Oct 27 '15 14:10

You may find https://badssl.com useful :)

glyph · Oct 30 '15 20:10

I use badssl.com and tls-o-matic.com in the tests already. Unfortunately badssl.com doesn't have client auth, I don't believe. And tls-o-matic doesn't seem configured quite right to allow generating various test cases from.

wbond · Oct 30 '15 20:10

How should the client act when you have two valid client certificates in the OS trust store?

karlw00t · Jan 25 '16 03:01

Eventually I ran into issues with tls-o-matic.com downtime. That, combined with the need to be able to provide tests for client certs, caused me to write https://github.com/wbond/badtls.io.

It is designed in such a way that it is fairly easy to add new configurations, although it is tightly-coupled to nginx (and socat) right now. For an enterprising soul, it shouldn't be too hard to add Apache configs.

This gets us the ability to test against a server that allows client auth and requires client auth. However, it only tests interactions with OpenSSL (through nginx for the optional auth, and socat for the required auth). While not a strict requirement for CI, it would be good to test with some other TLS servers, such as IIS, Apache, a Go server, and a Java server.

wbond · Jan 19 '17 10:01

Simply adding a comment to say that this is a feature I would like to see implemented. I've encountered an issue while trying to validate a certificate on servers that require SSL authentication:

oscrypto.errors.TLSError: TLS handshake failed - client authentication required

jsfrerot · Jun 18 '20 18:06

Unfortunately I don't really have time to work on oscrypto these days - it does most of what I've needed, and my projects using it are in need of work before I would have time to invest in this library.

I am open to someone taking up the torch to do the research and implementation of what APIs in OpenSSL, Security Framework (Mac) and SChannel (Windows) need to be called to set up client auth. I can certainly give pointers and review code.

wbond · Jun 18 '20 18:06