From: Doug Hardie <bc979@lafn.org>
To: FreeBSD Questions List <questions@freebsd.org>
Subject: Client Certificate Verification
Date: Sat, 16 Dec 2023 21:48:48 -0800
Message-Id: <174A9481-186F-44EC-A129-96ACD985DD76@sermon-archive.info>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

I have an application to which clients connect using a browser over SSL. I have a LetsEncrypt certificate for the app that lets the client authenticate the app. However, I need to have a multitude of client certificates (one per client machine). I am generating these certificates from a self-signed root certificate. I can get the client to verify the app and provide the client certificate to it. The app is unable to verify the client certificate. I have not been able to figure out how to have openssl distribute one certificate (from LetsEncrypt), but verify the received client certificate using a different certificate chain. Openssl will pass me some of the received certificate fields. However, without certificate verification I cannot be sure that those values came from a certificate I generated. Is there a way to do this either with openssl or libtls?

-- Doug

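The split the question asks about, as an added example that is not part of the post or a reply to it: the certificate a server presents and the trust store it verifies client certificates against are independent settings. The script builds a constructed private client root, issues one client certificate from it, and checks a received certificate against that root only, reading identity fields solely from certificates that passed verification. All file names and subjects are stand-ins; server.pem is a self-signed substitute for the LetsEncrypt certificate so the script runs offline.

```shell
#!/bin/sh
# Constructed demonstration; not code from the original post.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Stand-in for the LetsEncrypt server certificate (self-signed only so this
# runs offline; in production this is fullchain.pem / privkey.pem).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=app.example.org" \
    -keyout server.key -out server.pem 2>/dev/null

# Private self-signed root that issues the per-machine client certificates.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Client Root CA" \
    -keyout client-root.key -out client-root.pem 2>/dev/null

# One client certificate per machine, signed by the private root.
issue_client_cert() {   # $1 = machine name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA client-root.pem -CAkey client-root.key \
        -CAcreateserial -days 30 -out "$1.pem" 2>/dev/null
}
issue_client_cert client1

# Server-side rule: chain-verify the received certificate against the given
# trust anchor. The server's own certificate plays no part in this check.
verify_client() {       # $1 = trust anchor PEM, $2 = received certificate PEM
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Read the CN only from a certificate that already chains to the private root;
# fields from an unverified certificate prove nothing about who issued it.
trusted_client_cn() {   # $1 = received certificate; prints CN or fails
    verify_client client-root.pem "$1" || return 1
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -e 's/^subject= *//' -e 's/^CN=//'
}

# The same split on a running server: present the LetsEncrypt chain, but
# trust only the private root for client certificates and require one:
#   openssl s_server -cert fullchain.pem -key privkey.pem \
#       -CAfile client-root.pem -Verify 1 -accept 4433
# In C the equivalents are SSL_CTX_use_certificate_chain_file() for what is
# presented, SSL_CTX_load_verify_locations() for what is trusted,
# SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL)
# to enforce it, and SSL_CTX_set_client_CA_list() to tell browsers which
# issuer to offer a certificate for.
```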