asio-ssl-mutual-auth icon indicating copy to clipboard operation
asio-ssl-mutual-auth copied to clipboard

Published 20 hours ago verified publisher icon AdamMagaluk

Client certificates

Open mat-sepahi opened this issue 8 years ago • 4 comments

Dear Adam, I am not an SSL expert, but loading all certificates in the client side intuitively seems illogical for me. For example, when browsers connect to servers with SSL, they don't -and can't- have all certificates at hand. In the official 'boost' example, as far as I can see, the client only reads a public key just for verification, and as I practically experimented, this single file can be excluded if you don't care about verification. After all, I found your code very helpful, specially your scripts for certificate generation that clearly demonstrated how each file is used in the server code, something that was quite unclear in the boost documentation. Thank you very much.

mat-sepahi avatar Nov 12 '16 16:11 mat-sepahi

Thanks for the feedback. Keep in mind this repo was created just as an experiment/reference when i was learning boost's asio library, don't take it too literally.

The idea was that both the client and server were verified by each other, so they would both need each other's public key at startup.

AdamMagaluk avatar Nov 14 '16 09:11 AdamMagaluk

Both endpoints can have a certificate file, or just the server or just the client or neither. From HTTPS we all know the one where just the server has a certificate chain file (in most cases), but in some cases the server is also allowed to ask for a client certificate. There also are "anonymous cipher suits" which do not check certificates (e.g. DH_anon), which nobody uses, because of security implications.

5cript avatar Nov 14 '16 11:11 5cript

Thanks a lot. It was very instructive, specially the scenario of the server asking the client for a certificate. It fits the nature of a project I'm currently working on.

mat-sepahi avatar Nov 15 '16 09:11 mat-sepahi

I know it's been a long time but @AdamMagaluk thank you so much for making this project, it was super instructive

For anyone else who comes across this and wonders about client certificates, I modified build_certs.sh like this:

#!/bin/bash

# create certificate authority private key
openssl genrsa -out ca_certs/ca.key 2048

# create server and client private keys
openssl genrsa -out server_certs/server.key 2048
openssl genrsa -out client_certs/client.key 2048

# create certificate authority certificate
openssl req -x509 -new -key ca_certs/ca.key -days 365 -out ca_certs/ca.crt -subj /CN=CA

# create signing requests
openssl req -new -key server_certs/server.key -out tmp/server.csr -subj /CN=Company
openssl req -new -key client_certs/client.key -out tmp/client.csr -subj /CN=Company

# create server and client certificates
openssl x509 -req -in tmp/server.csr -CA ca_certs/ca.crt -CAkey ca_certs/ca.key -CAcreateserial -days 365 -out server_certs/server.crt
openssl x509 -req -in tmp/client.csr -CA ca_certs/ca.crt -CAkey ca_certs/ca.key -days 365 -out client_certs/client.crt

# generate diffie-hellman parameters
openssl dhparam -out dh/dhparam.pem 2048

# below can be used to verify certificates
openssl verify -CAfile ca_certs/ca.crt server_certs/server.crt
openssl verify -CAfile ca_certs/ca.crt client_certs/client.crt
openssl verify -CAfile ca_certs/ca.crt ca_certs/ca.crt

KeXu001 avatar Oct 30 '20 16:10 KeXu001