
Comments (13)

noxxi avatar noxxi commented on September 5, 2024

Client certificates work this way too. If you look at the traffic with Wireshark, or use openssl s_server ..., you will see that it sends not only the leaf certificate but also the chain certificates, the same way the server sends its certificate and chain.
But there seem to be some strange things going on with doing the verification of the client certificate containing a chain, which I can see with openssl s_server too.

from p5-io-socket-ssl.

frioux avatar frioux commented on September 5, 2024

I think you misunderstand me; I'm not saying you shouldn't need a chain at all. The problem is that for client certs, the library must figure out the chain by looking at the client cert and the certificate store. I want to give it a single file with all the certificates concatenated, like you can with a server.

noxxi avatar noxxi commented on September 5, 2024

If you give IO::Socket::SSL a single file with SSL_cert_file and this file contains multiple certificates, then it will use the first one as the leaf certificate and the rest as chain certificates. That means all of these certificates will be transferred to the peer within the SSL handshake. This works not only for server side certificates but also for client side certificates.

If you still think I misunderstood you then I would suggest that you create some example code to show which behavior you see and which behavior you expect. Please make sure to make clear which version of IO::Socket::SSL, Net::SSLeay and OpenSSL you used with your example code.

frioux avatar frioux commented on September 5, 2024

Huh! Ok, I did not find that to be the case; I'll make a demo. Thanks

sent from a rotary phone, pardon my brevity
On Jan 16, 2015 12:52 AM, "Steffen Ullrich" [email protected]
wrote:

If you give IO::Socket::SSL a single file with SSL_ca_file and this file contains multiple certificates, then it will use the first one as the leaf certificate and the rest as chain certificates. That means all of these certificates will be transferred to the peer within the SSL handshake. This works not only for server side certificates but also for client side certificates.

If you still think I misunderstood you then I would suggest that you create some example code to show which behavior you see and which behavior you expect. Please make sure to make clear which version of IO::Socket::SSL, Net::SSLeay and OpenSSL you used with your example code.


Reply to this email directly or view it on GitHub: #24 (comment).

noxxi avatar noxxi commented on September 5, 2024

But there seem to be some strange things going on with doing the verification of the client certificate containing a chain, which I can see with openssl s_server too.

These problems vanish and verification succeeds once the client certificate has the valid purpose to be used as a client certificate, that is NetscapeCertType must be client.

frioux avatar frioux commented on September 5, 2024

Ugh, I can't seem to get my example to work because I can't get my server to require a client cert! Shouldn't SSL_verify_mode => SSL_VERIFY_PEER be all that's required, on the server side, to force the client to send a cert?

noxxi avatar noxxi commented on September 5, 2024

Yes, that's all what is needed and it works for me.

frioux avatar frioux commented on September 5, 2024

Yeah I believe it. Something else weird is going on over here. Don't worry too much about this; I suspect my environment is messed up since the way you say it should work is what I want anyway. I'll get something that shows... something at some point :)

noxxi avatar noxxi commented on September 5, 2024

You might have a look at https://github.com/noxxi/p5-io-socket-ssl/tree/issue-24/stuff to get sample code and certificates.

frioux avatar frioux commented on September 5, 2024

Ok, this is a step in the right direction I guess. I took your example and made a couple of small changes to it. Check out the client-validation branch from https://github.com/frioux/TLS-eg. If you run make, it will generate all the certs for you. If you run miniserver.pl and then just do curl -k https://localhost:8443, you'll note that you do indeed get a response, despite the fact that peer validation is enabled. I have the latest IO::Socket::SSL installed; my OpenSSL is 1.0.1f. Can you reproduce this?

noxxi avatar noxxi commented on September 5, 2024

With the option SSL_VERIFY_PEER which you used in your example the server only asks the client for a certificate and it will fail if a client sent a certificate which could not be verified. But the client might still omit the certificate and the connection will succeed. Only with SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT it will also fail if the client did not send a certificate at all.

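
The two points noxxi makes in this thread, that an SSL_cert_file holding the leaf certificate followed by its chain is sent whole by a client too, and that SSL_VERIFY_PEER on its own still admits a client that sends no certificate while SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT rejects it, can be checked with one script. The Perl below is an added example written for this page; it is not code from the p5-io-socket-ssl issue, from either participant, or from the module's test suite. It assumes five hypothetical PEM files in the working directory (ca.pem, server.pem and server.key for a server certificate issued to "localhost", client.pem and client.key for a client certificate whose leaf carries the client purpose, as the earlier comment about NetscapeCertType requires), and it uses the peer_certificates method, which needs a recent IO::Socket::SSL.

```perl
#!/usr/bin/env perl
# Added example for this thread; it is not code from the p5-io-socket-ssl
# issue, its author, or the module's own test suite. Assumed (hypothetical)
# PEM files in the current directory, e.g. produced with openssl:
#   ca.pem      trust anchor used by both sides
#   server.pem  server leaf certificate for "localhost", followed by its chain
#   server.key  server private key
#   client.pem  client leaf certificate followed by its chain; the leaf must
#               carry the client purpose (nsCertType client, as noted above)
#   client.key  client private key
use strict;
use warnings;
use IO::Socket::SSL;   # exports $SSL_ERROR and the SSL_VERIFY_* constants

# One handshake per call: the listener is created here, a forked child
# accept()s as the server, the parent connects as the client.
# Returns (server_accepted, client_connected, client_error_text).
sub try_handshake {
    my ($verify_mode, $client_sends_cert) = @_;

    my $listener = IO::Socket::SSL->new(
        LocalAddr       => '127.0.0.1',
        LocalPort       => 0,             # any free port
        Listen          => 1,
        ReuseAddr       => 1,
        SSL_server      => 1,
        SSL_cert_file   => 'server.pem',  # leaf first, chain after it
        SSL_key_file    => 'server.key',
        SSL_ca_file     => 'ca.pem',      # verifies the chain the client sends
        SSL_verify_mode => $verify_mode,
    ) or die "listen failed: $SSL_ERROR";
    my $port = $listener->sockport;

    my $pid = fork;
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # Server side: accept() performs the TLS handshake and returns undef
        # if it fails, e.g. when the client sent an unverifiable chain or,
        # with SSL_VERIFY_FAIL_IF_NO_PEER_CERT set, no certificate at all.
        my $conn = $listener->accept;
        if (!$conn) {
            print "    server: handshake rejected ($SSL_ERROR)\n";
            exit 1;
        }
        # peer_certificates returns every certificate the client sent, so a
        # client.pem holding leaf + intermediate shows up as two certificates.
        my @sent = $conn->peer_certificates;
        if (@sent) {
            printf "    server: client is %s, %d certificate(s) received\n",
                $conn->peer_certificate('subject'), scalar @sent;
        } else {
            print "    server: client sent no certificate\n";
        }
        exit 0;
    }

    # Client side. Omitting SSL_cert_file/SSL_key_file means the client
    # answers the server's CertificateRequest with an empty certificate list.
    my $client = IO::Socket::SSL->new(
        PeerAddr          => "127.0.0.1:$port",
        SSL_ca_file       => 'ca.pem',
        SSL_verifycn_name => 'localhost',   # name server.pem is issued to
        $client_sends_cert
            ? (SSL_cert_file => 'client.pem',   # leaf first, chain after it
               SSL_key_file  => 'client.key')
            : (),
    );
    my $client_err = $client ? '' : "$SSL_ERROR";
    $listener->close;
    waitpid($pid, 0);
    return ((($? >> 8) == 0 ? 1 : 0), ($client ? 1 : 0), $client_err);
}

my @cases = (
    [ 'SSL_VERIFY_PEER', SSL_VERIFY_PEER, 1 ],
    [ 'SSL_VERIFY_PEER', SSL_VERIFY_PEER, 0 ],
    [ 'SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT',
      SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 1 ],
    [ 'SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT',
      SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0 ],
);

$| = 1;   # flush before fork so child and parent output stay in order
for my $case (@cases) {
    my ($label, $mode, $sends_cert) = @$case;
    printf "%s, client %s a certificate:\n", $label,
        $sends_cert ? 'sends' : 'does not send';
    my ($server_ok, $client_ok, $err) = try_handshake($mode, $sends_cert);
    printf "    result: server %s, client %s%s\n",
        $server_ok ? 'accepted' : 'rejected',
        $client_ok ? 'connected' : 'failed',
        $err ? " ($err)" : '';
}
```

With the files in place, the second case is the one hit in this thread: the server reports "client sent no certificate" and still accepts, because SSL_VERIFY_PEER only makes it ask. The fourth case is where the handshake is rejected on both sides. In the first and third cases the server's line shows how many certificates the client transmitted, which is how to confirm that the concatenated client.pem went across as leaf plus chain rather than leaf alone.
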
frioux avatar frioux commented on September 5, 2024

Ohhh, sorry that I missed that. Thanks for your help so far!

frioux avatar frioux commented on September 5, 2024

Ok, well, I now have code that works well and works the way I want. I suspect the whole time I was just missing the SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Thanks again and sorry for the noise!
