From: "John Levine" <johnl@iecc.com>
To: freebsd-questions@freebsd.org
Cc: bc979@lafn.org
Subject: Re: Client Certificate Verification
Date: 17 Dec 2023 15:13:51 -0500
Message-Id: <20231217201351.E63AE7EF41EE@ary.qy>
In-Reply-To: <174A9481-186F-44EC-A129-96ACD985DD76@sermon-archive.info>
Organization: Taughannock Networks
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

It appears that Doug Hardie said:
> I have an application to which clients connect using a browser over SSL. I have a LetsEncrypt certificate for the app that lets the client authenticate the app.
> However, I need to have a multitude of client certificates (one per client machine). I am generating these certificates from a self-signed root certificate. I can get
> the client to verify the app and provide the client certificate to it. The app is unable to verify the client certificate. I have not been able to figure out how to
> have openssl distribute one certificate (from LetsEncrypt), but verify the received client certificate using a different certificate chain. Openssl will pass me some of
> the received certificate fields. However, without certificate verification I cannot be sure that those values came from a certificate I generated. Is there a way to do
> this either with openssl or libtls?

OpenSSL gets its list of trusted root signers from a big list in /etc/ssl so you want to add your CA to that list. See the certctl command for more details on how it's managed.
Most FreeBSD systems use the ca_root_nss package to update that list, so the trick is to keep your cert from getting deleted the next time the package is updated. You might try putting your cert in /usr/local/share/certs/ rather than /usr/share/certs/trusted where the standard certs are.

R's,
John