Re: Client Certificate Verification

From: <satanist+freebsd_at_bureaucracy.de>
Date: Sun, 17 Dec 2023 20:53:20 UTC
Hi

[2023-12-16 21:48] Doug Hardie <bc979@lafn.org>
> I have an application to which clients connect using a browser over SSL.  I have a LetsEncrypt certificate for the app that lets the
> client authenticate the app.  However, I need to have a multitude of client certificates (one per client machine).  I am generating
> these certificates from a self-signed root certificate.  I can get the client to verify the app and provide the client certificate
> to it.  The app is unable to verify the client certificate.  I have not been able to figure out how to have openssl distribute one
> certificate (from LetsEncrypt), but verify the received client certificate using a different certificate chain.  Openssl will pass me
> some of the received certificate fields.  However, without certificate verification I cannot be sure that those values came from a
> certificate I generated.  Is there a way to do this either with openssl or libtls?

Most webservers have a way to set the CA for client auth. I.e. in nginx
you can set ssl_client_certificate[0]. Other webservers have similar
options. TLS and TLS client auth are quite complex. Using a more tested
implementation is better than implementing it yourself.

satanist

[0] https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate
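As an added illustration of the split the reply describes (not part of the original thread), here is an nginx server block that presents the LetsEncrypt certificate to browsers while verifying client certificates against a separate, self-signed root. The file paths, the upstream address and the server name are placeholders; `ssl_client_certificate`, `ssl_verify_client`, `ssl_verify_depth` and the `$ssl_client_*` variables are documented nginx directives and variables.

```nginx
# Added example config, not from the original post. All paths and hosts are placeholders.
server {
    listen 443 ssl;
    server_name app.example.invalid;

    # Server identity shown to browsers: the LetsEncrypt chain and key.
    ssl_certificate     /etc/ssl/letsencrypt/fullchain.pem;
    ssl_certificate_key /etc/ssl/letsencrypt/privkey.pem;

    # Trust anchor for *client* certificates: the self-signed root that
    # issued the per-machine client certs. This is independent of the
    # server certificate above.
    ssl_client_certificate /etc/ssl/clientca/root.pem;

    # Reject the handshake unless the client presents a certificate that
    # chains to the root above. "optional" would let unauthenticated
    # clients through and leave the check to the application.
    ssl_verify_client on;

    # Chain length allowed between client cert and the root (1 = issued
    # directly by the root; raise it if you use intermediate CAs).
    ssl_verify_depth 1;

    location / {
        proxy_pass http://127.0.0.1:8080;

        # Hand the verified result to the application. Because
        # ssl_verify_client is "on", $ssl_client_verify is always SUCCESS
        # here; the subject DN is only meaningful after that check passed.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
    }
}
```

The application behind `proxy_pass` should only trust the `X-SSL-Client-*` headers when nginx is the sole path to it (for example, bound to localhost), since any client that can reach the backend directly could set those headers itself.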