From: satanist+freebsd@bureaucracy.de
To: FreeBSD Questions List
Subject: Re: Client Certificate Verification
In-reply-to: <174A9481-186F-44EC-A129-96ACD985DD76@sermon-archive.info>
Message-ID: <92fed861faa79951879f10a60c2809bd.philipp@bureaucracy.de>
Comments: In-reply-to Doug Hardie message dated "Sat, 16 Dec 2023 21:48:48 -0800."
Date: Sun, 17 Dec 2023 21:53:20 +0100

Hi

[2023-12-16 21:48] Doug Hardie
> I have an application to which clients connect using a browser over SSL. I have a LetsEncrypt certificate for the app that lets the
> client authenticate the app. However, I need to have a multitude of client certificates (one per client machine). I am generating
> these certificates from a self-signed root certificate. I can get the client to verify the app and provide the client certificate
> to it. The app is unable to verify the client certificate. I have not been able to figure out how to have openssl distribute one
> certificate (from LetsEncrypt), but verify the received client certificate using a different certificate chain. Openssl will pass me
> some of the received certificate fields. However, without certificate verification I cannot be sure that those values came from a
> certificate I generated. Is there a way to do this either with openssl or libtls?

Most webservers have a way to set the CA for client auth. E.g. in nginx you can set ssl_client_certificate[0]. Other webservers have similar options.

TLS and TLS client auth are quite complex. Using a more tested implementation is better than implementing it yourself.

satanist

[0] https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate
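The configuration the reply points at, written out as an added example (not part of the original thread and not taken from the nginx documentation verbatim): nginx presents the Let's Encrypt chain to browsers via ssl_certificate, but verifies the client certificate against a completely separate trust anchor given in ssl_client_certificate, which is exactly the "one certificate out, a different chain for verification" split the question asks about. The hostname, file paths and the backend address are assumptions.

```nginx
# Added example, not from the mailing-list thread. Hostnames, paths and the
# backend address are placeholders; adjust to the local layout.
server {
    listen 443 ssl;
    server_name app.example.org;

    # Chain and key presented to browsers: the Let's Encrypt certificate.
    ssl_certificate     /usr/local/etc/letsencrypt/live/app.example.org/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/app.example.org/privkey.pem;

    # Trust anchor used ONLY for verifying client certificates: the private
    # self-signed root that issued the per-machine client certs. It has no
    # relation to the Let's Encrypt chain above. nginx also sends this CA's
    # name in the CertificateRequest, so browsers know which cert to offer.
    ssl_client_certificate /usr/local/etc/ssl/client-root-ca.pem;
    ssl_verify_client      on;   # handshake fails without a valid client cert
    ssl_verify_depth       1;    # root -> leaf; raise if an intermediate is used

    # Optional: honour a CRL for client certificates you have revoked.
    # ssl_crl /usr/local/etc/ssl/client-root-ca.crl;

    location / {
        # Only reached after verification succeeded. Hand the verified identity
        # to the application so it never has to parse or verify the cert itself.
        # proxy_set_header replaces any same-named header a client sent.
        proxy_set_header X-Client-Verify $ssl_client_verify;   # "SUCCESS"
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Serial $ssl_client_serial;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Two practical points: the application behind proxy_pass must be reachable only from nginx (loopback or a firewalled socket), otherwise anyone who can talk to it directly can set the X-Client-* headers themselves; and if ssl_verify_client is switched to "optional" so that unauthenticated users can reach some pages, the application must check that $ssl_client_verify is exactly "SUCCESS" before trusting the DN or serial, since the other values ("NONE", "FAILED:...") mean no verified identity was established.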