Re: client - server authentication
Dhaval Thakar wrote:

| Hi list,

Hello Dhaval,

| I have a hosted site over the internet for the branch users, which I want to
| restrict over the internet,
| e.g. only certain computers will be allowed to access the site.
| I want to restrict it to only branch computers.
| Is it possible using SSL/TLS to allow particular computers to access the site?
| Like, access will be granted only if the necessary certificate is installed on
| the client's web browser.

Let's rephrase your requirements: You have a server using SSL/TLS. This server should grant access to only a selected list of clients. You are able to install data on these clients.

The solution is simple:

* create your own CA (for example with the CA.sh or CA.pl scripts)
* for every client:
  * create a client key
  * create a certification request
  * sign the certification request with your CA
  * transfer the certificate (and key, if created by the CA)
* configure your server to use mandatory client verification
* configure your server to only use your CA certificate to verify client certificates
* optionally:
  * for every client that should not be able to connect to the server any more:
    * revoke the client certificate
    * create a certificate revocation list (CRL)
    * distribute this CRL to the server
    * configure the server to use the CRL on verification
* test your environment
* sit back and enjoy

But you do need a basic knowledge of certificates. Especially, you must be aware of how to differentiate between a CA certificate, a server certificate and a client certificate. Then I suggest playing with CA.sh (or CA.pl) and the openssl.cnf that is used by these scripts...

| Kindly note: these users are connecting from dynamic IPs. The site has
| authentication.

Doesn't matter, the server verifies whether the client has a certificate.
If you can ensure that every entity connecting to the server has its own certificate, you could configure authentication to use the data supplied in the client certificate.

Goetz

-- 
DMCA: The greed of the few outweighs the freedom of the many

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
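The procedure Goetz lists above, carried out end to end with the openssl command line. This is an added example, not code from the thread or from the CA.sh/CA.pl scripts: it writes its own minimal openssl.cnf instead of the one those scripts use, and the CA name (branch-ca), the client names (branch-pc-01, branch-pc-02) and the working directory under $WORK are invented for the example. It assumes an OpenSSL 1.1.1 or 3.x command line. The last function is the decision a server with mandatory client verification makes: chain to our CA only, clientAuth purpose, CRL consulted.

```shell
#!/bin/sh
# Added example, not code from the original thread: a minimal private CA
# that issues client certificates for TLS client authentication, revokes
# one and publishes a CRL, and checks each step with `openssl verify`.
# Assumes the openssl CLI (1.1.1 or 3.x). All names (branch-ca,
# branch-pc-NN) and the files under $WORK are invented for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/ca.cnf"

# A minimal openssl.cnf standing in for the one CA.sh/CA.pl normally use.
write_config() {
  cat > "$CNF" <<EOF
[ ca ]
default_ca = branch_ca

[ branch_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy

[ any_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]

# CA certificate: must say CA:TRUE and be allowed to sign certs and CRLs.
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

# Client certificate: explicitly not a CA, usable only for clientAuth.
[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Step 1: create the CA (self-signed) and an initial, empty CRL so that
# CRL checking can be switched on from day one.
make_ca() {
  write_config
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=branch-ca" -extensions ca_ext \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl ca -config "$CNF" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# Step 2, per client: key and CSR (normally generated on the client),
# then the CA signs the request.
issue_client() {
  openssl req -config "$CNF" -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl ca -config "$CNF" -batch -extensions client_ext \
    -in "$WORK/$1.csr" -out "$WORK/$1.pem" 2>/dev/null
}

# Step 3: revoke a client and publish a fresh CRL for the server.
revoke_client() {
  openssl ca -config "$CNF" -revoke "$WORK/$1.pem" 2>/dev/null
  openssl ca -config "$CNF" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# What a server configured for mandatory client verification decides:
# chain to our CA only, clientAuth purpose, and the CRL consulted.
# Exit status 0 means the client would be let in.
verify_client() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient \
    -crl_check -CRLfile "$WORK/crl.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Walk-through when run directly: `sh this.sh demo`.
if [ "${1:-}" = "demo" ]; then
  make_ca
  issue_client branch-pc-01
  verify_client branch-pc-01 && echo "branch-pc-01: accepted"
  revoke_client branch-pc-01
  verify_client branch-pc-01 || echo "branch-pc-01: rejected (revoked)"
fi
```

On a real server the same three decisions are configuration: with Apache mod_ssl, `SSLVerifyClient require`, an `SSLCACertificateFile` that contains only ca.pem (so certificates from any other CA are refused, which is Goetz's point about using only your own CA certificate for verification), and `SSLCARevocationFile` plus `SSLCARevocationCheck chain` for the CRL; with the OpenSSL apps, `openssl s_server -Verify 2 -CAfile ca.pem -crl_check -CRL crl.pem`. Note that the client key in this script is generated on the CA machine only for convenience; in practice it should be created on the client and only the CSR transferred.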
client - server authentication
Hi list,

I do not have much experience with SSL/TLS certificates and know almost nothing about it.

I have a hosted site over the internet for the branch users, which I want to restrict over the internet, e.g. only certain computers will be allowed to access the site. I want to restrict it to only branch computers.

Is it possible using SSL/TLS to allow particular computers to access the site? Like, access will be granted only if the necessary certificate is installed on the client's web browser.

Kindly provide me a guideline to restrict access.

Kindly note: these users are connecting from dynamic IPs. The site has authentication.

Thanks & Regards
Dhaval
Re: Certificate Chains & server vs client/server authentication
Mike Zeoli wrote:
> 
> First, thanks for all your help, Steve.
> 
> I'll add the appropriate extensions to the certificate.
> 
> To follow up on what you said below, why does the "intermediate" CA
> certificate only show up as invalid when doing client and server
> authentication, and not when doing server authentication only? (This is why
> I assumed my certificates were valid, and that there was a problem with c/s
> authentication)
> 

This is connected with how the verification code builds a certificate chain. It first uses as many certificates as possible from a list of untrusted CAs included in the chain. When it can't add any more it continues by looking up certificates from local storage. Root CAs always come from local storage.

It then checks any untrusted certificates against the specific purpose, but assumes that trusted ones are OK.

So if we have a chain cert->intermediate->root and intermediate has an invalid purpose, it depends on what chain it is asked to verify. If it is just passed the cert then it will look up the rest from local storage and bypass the checks. If however it is passed cert and intermediate it will end up checking the intermediate purpose.

This behaviour is a little unusual and I suppose it should be consistent: either always check certificates or always trust certificates if they are in local storage. Always checking chains however causes problems because there are lots of invalid certificates that need to be worked round. Not checking trusted CAs is a better solution but that needs some changes to the verify code.

Steve.
-- 
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Certificate Chains & server vs client/server authentication
Mike Zeoli wrote:
> 
> Hello Everyone,
> 
> As stated before, this same certificate chain gets verified just fine when
> doing server authentication only.
> 
> I have debugged into the library and know the following additional
> information:
> - In x509_vrfy.c:check_chain_purpose(), in the server auth. only example,
> ctx->last_trusted is set to 1, while for my client and server authentication
> example, it is set to 2. The function is dying on my intermediate
> certificate. If last_trusted == 1, it just checks the validity of the
> server certificate, but when last_trusted == 2, it assumes that my
> intermediate certificate is also untrusted; this causes X509_check_purpose()
> to return 1 which then sets ctx->error to X509_V_ERR_INVALID_CA.
> 
> Also, I do use load_verify_locations to load a trusted certificates file
> which contains both the root and intermediate CA certificates.
> 

Oddly enough it is telling you the intermediate CA is invalid. The actual criteria it uses are mentioned in the 'x509' utility documentation and there is a flag to check this yourself.

OpenSSL in the past tolerated invalid CAs but now it doesn't, since it is a dirty great big security hole.

I suggest you fix your intermediate CA by adding the appropriate extensions to it; it's probably missing the CA flag of basicConstraints.

If you can't work out the problem then post the certificate to the list.

Steve.
-- 
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
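Steve's two replies above make two points: the verifier applies the purpose checks to the intermediate only when that intermediate is part of the untrusted chain handed to it, and the check that fails here is the CA flag of basicConstraints, which `openssl x509 -purpose` lets you inspect yourself. The script below is an added example, not code from the thread: it builds the "Root CA" -> "Intermediate CA" -> "server1" chain twice, first with an intermediate that carries no basicConstraints at all and then with a correct one, always passing the intermediate as untrusted (which is what a TLS client holds after the server has sent it), and shows what `openssl verify` and `x509 -purpose` say about each. It assumes an OpenSSL 1.1.1 or 3.x command line; the subjects, file names and the directory under $WORK are invented.

```shell
#!/bin/sh
# Added example, not code from the original thread: rebuild the chain
# "Root CA" -> "Intermediate CA" -> "server1" twice, first with an
# intermediate that lacks the CA flag of basicConstraints and then with a
# correct one, and show what `openssl verify` and `openssl x509 -purpose`
# say about each. Assumes the openssl CLI (1.1.1 or 3.x); subjects, file
# names and the paths under $WORK are invented for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/req.cnf"
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$CNF"

# Key pair plus certificate request for a name.
csr() {
  openssl req -config "$CNF" -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Sign $1's request with issuer $2, applying the extension lines in $3.
sign() {
  printf '%b\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# Self-signed root with proper CA extensions; this is the trust anchor.
make_root() {
  openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Root CA" \
    -addext 'basicConstraints=critical,CA:TRUE' \
    -addext 'keyUsage=critical,keyCertSign,cRLSign' \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# The situation in the thread: an intermediate with no basicConstraints
# at all, so nothing says it may act as a CA.
make_broken_intermediate() {
  csr inter
  sign inter root 'subjectKeyIdentifier=hash'
}

# The fix Steve suggests: basicConstraints CA:TRUE (plus keyCertSign).
make_fixed_intermediate() {
  csr inter
  sign inter root 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash'
}

# End-entity server certificate issued by whichever intermediate exists.
make_server_cert() {
  csr server1
  sign server1 inter 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth'
}

# "There is a flag to check this yourself": x509 -purpose applies the same
# criteria as the verifier and reports them per purpose.
is_server_ca() {
  openssl x509 -in "$WORK/$1.pem" -noout -purpose | grep -q '^SSL server CA : Yes'
}

# What a TLS client sees: root from its own store, the intermediate sent
# by the server (hence untrusted and subject to the purpose checks).
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    -purpose sslserver "$WORK/server1.pem"
}

# Walk-through when run directly: `sh this.sh demo`.
if [ "${1:-}" = "demo" ]; then
  make_root
  make_broken_intermediate; make_server_cert
  is_server_ca inter || echo "broken intermediate: not an SSL server CA"
  verify_chain || echo "chain with broken intermediate: rejected"
  make_fixed_intermediate; make_server_cert
  is_server_ca inter && echo "fixed intermediate: SSL server CA"
  verify_chain && echo "chain with fixed intermediate: OK"
fi
```

The failing run reports `invalid CA certificate` for the intermediate, the same X509_V_ERR_INVALID_CA Mike traced in the debugger. Whether a CA certificate that sits in the trusted store is also subjected to these checks depends on the OpenSSL version, as Steve's first reply says; the example side-steps that by always presenting the intermediate as untrusted, which is the case a real client is in.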
Certificate Chains & server vs client/server authentication
Hello Everyone,

I have a chain of version 1 certificates. "Root CA" signs "Intermediate CA", which signs "client1" and "server1" certificates. I also have two example client/server pairs. The first example only does server authentication. The other example does both client and server authentication.

The server authentication example works just fine, but the client/server authentication fails when trying to verify the server1 certificate chain. Here's the actual example (this is the client with the info callback tracking the progress):

before/connect initialization
before/connect initialization
SSLv2/v3 write client hello A
SSLv3 read server hello A
SSLv3 read server certificate B
SSLv3 read server certificate B
SSLv3 read server certificate B

Here is the error stack:

1068:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:.\ssl\s3_clnt.c:764:

As stated before, this same certificate chain gets verified just fine when doing server authentication only.

I have debugged into the library and know the following additional information:
- In x509_vrfy.c:check_chain_purpose(), in the server auth. only example, ctx->last_trusted is set to 1, while for my client and server authentication example, it is set to 2. The function is dying on my intermediate certificate. If last_trusted == 1, it just checks the validity of the server certificate, but when last_trusted == 2, it assumes that my intermediate certificate is also untrusted; this causes X509_check_purpose() to return 1 which then sets ctx->error to X509_V_ERR_INVALID_CA.

Also, I do use load_verify_locations to load a trusted certificates file which contains both the root and intermediate CA certificates.

Any help would be greatly appreciated.

Thanks,
Mike Zeoli
Re: Client-server authentication in Apache Web Server with OpenSSL.Here it is!
Lenya - replay of the doc you sent.

At 05:20 PM 2000-03-28 +0400, you wrote:
>Here is the translation of a paper many of you requested.
>Some changes were made since the Russian variant appeared
>2 days ago. Check it.
>
>Best regards,
> Lenya mailto:[EMAIL PROTECTED]
> Client-server authentication in Apache Web Server with OpenSSL.doc
Client-server authentication in Apache Web Server with OpenSSL. Here it is!
Here is the translation of a paper many of you requested. Some changes were made since the Russian variant appeared 2 days ago. Check it.

Best regards,
Lenya mailto:[EMAIL PROTECTED]
Client-server authentication in Apache Web Server with OpenSSL.doc
Re: Client-server authentication.
Have a look at apps/s_{server,client}; that should give you a starting point.

Carles Xavier Munyoz Baldó wrote:
> 
> Hello,
> 
> I have an SSL client-server application in which the server
> authenticates to the client by sending its certificate in the SSL handshake,
> but the client doesn't authenticate to the server.
> For my SSL client-server application, I need both to authenticate each
> other.
> 
> How can I do this?
> How can I make the server request the client certificate and validate
> it?
> I've done lots of testing but get nothing ... :(
> 
> Can anyone help me?
> ---
> CTV-JET
> Carles Xavier Munyoz Baldó / [EMAIL PROTECTED]
> http://www.ctv.es/USERS/carles
> Dpto. Sistemas / System Department
> Clave pública PGP / PGP public KEY
> http://www.ctv.es/PGP-STAFF/carles.html
> Tel: +34 96 584 52 91 - Fax: +34 96 584 48 96
> ---

-- 
Holger Reif                  Tel.: +49 361 74707-0
SmartRing GmbH               Fax.: +49 361 7470720
Europaplatz 5                [EMAIL PROTECTED]
D-99091 Erfurt               WWW.SmartRing.de
Client-server authentication.
Hello,

I have an SSL client-server application in which the server authenticates to the client by sending its certificate in the SSL handshake, but the client doesn't authenticate to the server.
For my SSL client-server application, I need both to authenticate each other.

How can I do this?
How can I make the server request the client certificate and validate it?
I've done lots of testing but get nothing ... :(

Can anyone help me?
---
CTV-JET
Carles Xavier Munyoz Baldó / [EMAIL PROTECTED]
http://www.ctv.es/USERS/carles
Dpto. Sistemas / System Department
Clave pública PGP / PGP public KEY
http://www.ctv.es/PGP-STAFF/carles.html
Tel: +34 96 584 52 91 - Fax: +34 96 584 48 96
---