Have a simple server and client that uses openssl. Application program is in C++ and uses openssl-1.1.0g source code that I built myself. The simple case where I supply client and server certificates and private keys is working fine. Handshake happens fine and data transfer works great too. Now I have two more requirements:
Need to disable client authentication on server. client will have a CA certificate but no private key. Client will do server auth.
Don't know how to tell openssl api not to ask for client certificate
[Update] This is fixed. In the conf file, under the client section tried using keyword VerifyCAFile for CA certificate and removed the PrivateKey. Got handshake success without any code change.
Disable client and server auth. Both sides doesn't have certificate or private keys.
Tried using anon section in the conf file which doesn't have the certificate or the key specified. Also set the cipher string is aNULL in this section of the conf file. aNULL is the list of all anonymous ciphers according the page here:
https://www.openssl.org/docs/man1.1.0/apps/ciphers.html
But this doesn't work.
Here is the setup -
Server:
SSL_CTX_new(TLS_server_method()) - create server ctx
CONF_modules_load_file - load conf file
SSL_CTX_config - get section for server
BIO_new_socket((int)socket, BIO_CLOSE) - create socket BIO
SSL_new(ctx) - create ssl
SSL_set_bio - set bio in ssl
SSL_set_accept_state(_ssl); - set accept for server
SSL_do_handshake - do handshake
Client:
SSL_CTX_new(TLS_client_method()) - create server ctx
CONF_modules_load_file - load conf file
SSL_CTX_config - get section for client
BIO_new_socket((int)socket, BIO_CLOSE) - create socket BIO
SSL_new(ctx) - create ssl
SSL_set_bio - set bio in ssl
SSL_set_connect_state(ssl) - set connect for client
SSL_do_handshake - do handshake
Conf file:
testApp = test_sect
[test_sect]
# list of configuration modules
ssl_conf = ssl_sect
[ssl_sect]
server = server_section
client = client_section
anon = anon_section
[server_section]
CipherString = DEFAULT
Certificate = <path to server.cer>
PrivateKey = <path to server.key>
[client_section]
CipherString = DEFAULT
Certificate = <path to client.cer>
PrivateKey = <path to client.key>
[anon_section]
CipherString = aNULL
On the server, you want something like:
SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
I thought this was the default, however.
Related
I have grpc server in Java and client in C++, I want to connect grpc client to server in tls mode without using certificates on client side. I am using the default methods and trying to connect but getting grpc code as 12.
creds = grpc::SslCredentials(grpc::SslCredentialsOptions());
Note:- No issue with proto files as it works fine in insecure mode
Which cert is your server using? If it's self-signed or not signed by a standard CA (whose root cert should be present in the standard trust store) then you need to make sure you are using a custom root cert on the client
I am using GNU libmicrohttpd to establish HTTPS server. My requirement is that the server and the client both authenticate during the TLS handshake however what I observe is that even if the client sends empty certificate the connection is accepted.
in wireshark I see that the server requests certificate and the client sends certificate with len 0. How to make the microhttpd to not accept that case - the certificate must always be verified with the provided CA pem?
if(!(server_handle = MHD_start_daemon(flags, port, NULL, NULL,
&mhttpd_layer::access_handler_callback, callback_data,
// now, continue with the options
MHD_OPTION_NOTIFY_COMPLETED, &mhttpd_layer::request_completed_callback, l_callback_data,
MHD_OPTION_SOCK_ADDR, (sockaddr*) &(it->addr),
MHD_OPTION_CONNECTION_TIMEOUT, it->conn_timeout,
MHD_OPTION_CONNECTION_LIMIT, it->conn_limit,
MHD_OPTION_PER_IP_CONNECTION_LIMIT, it->per_ip_conn_limit,
// HTTPS certificate options
MHD_OPTION_HTTPS_MEM_KEY, it->https_key_buff.data(),
MHD_OPTION_HTTPS_MEM_CERT, it->https_cert_buff.data(),
MHD_OPTION_HTTPS_MEM_TRUST, it->https_turst_ca_buff.data(),
MHD_OPTION_END)))
Maybe I should manually on the access callback retrieve the certificate as described by their tutorial (https://www.gnu.org/software/libmicrohttpd/tutorial.html#Adding-a-layer-of-security) ? In this case why do I provide the CA - this doesn't seem the proper way to me?
I want to print PostScripts via CUPS/HTTPS on Cloud Foundry.
It's working when I'm using HTTP but fails for HTTPS with gorouter's log:
http: TLS handshake error from ...
My cipher_suites:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
I tried to set router.logging_level to debug (default is info) but it changes nothing...
Is there any chance to get more information?
What is the most detailed log level for gorouter?
I solved my problem.
In my case mutual TLS was enabled on gourouter:
By default, Gorouter requests but does not require client certificates in TLS handshakes.
https://docs.cloudfoundry.org/adminguide/securing-traffic.html#gorouter_mutual_auth
Checking if mTLS is enabled
1. Widows SCHANNEL event logging
Add a registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
EventLogging REG_DWORD = 3
https://blogs.technet.microsoft.com/kevinjustin/2017/11/08/schannel-event-logging/
Now you should find event logs that server asks for client certificate but it can't be found.
2. curl
Look at the bold lines:
curl -I -v -H "Connection: close" https://your-app.cloud
About to connect() to your-app.cloud port 443 (#0)
Connected to your-app.cloud port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
NSS: client certificate not found (nickname not specified)
SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
3. openssl
Look at the bold lines:
openssl s_client -connect your-app.cloud:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
...
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
Disable Gorouter mTLS
Change Gorouter properties using CF deployment manifest:
- name: router
- name: gorouter
release: routing
properties:
router:
forwarded_client_cert: always_forward
client_cert_validation: none
Now you can check if mTLS is enabled again.
Note that these settings didn't for the routing version 0.164.0 but for 0.178.0 it works as expected.
I have server.pem and a server.jks for a back-end which is my client (soapui). I initialize ssl server context in order to enable simple authentication for my web service as follow:
int ssl_connection_flag = SOAP_SSL_DEFAULT; // Simple authentication
int soap_result = soap_ssl_server_context(soap_object,
ssl_connection_flag,//SOAP_SSL_NO_AUTHENTICATION,//m_ssl_connection_flag,
m_key_file.c_str(),//Settings::instance()->get_cert_mngr_tls_certificate_path().c_str(),//"D:\\ICA\\Release\\currentStore\\TLSCertificate.pem",//m_ssl_private_key_file_path.c_str(),/* keyfile: required when server must authenticate to clients (see SSL docs on how to obtain this file) */
l_recover.c_str(),//"changeit",//PWDHelper::instance()->retrieve_pwd("k-tls-key").c_str(),//"changeit",//"12345678",//"server_key_password",/* password to read the key file (not used with GNUTLS) */
m_ca_certs_file.c_str(),//Settings::instance()->get_cert_mngr_ca_path().c_str(),//"D:\\ICA\\Release\\currentStore\\CA.pem",//"D:\\CertificatBrahim\\CAs.pem",//m_ssl_ca_file_path.c_str(), /* optional cacert file to store trusted certificates */
NULL, /* optional capath to directory with trusted certificates */
NULL,/* DH file name or DH key len bits (minimum is 512, e.g. "512") to generate DH param, if NULL use RSA */
NULL,
NULL);
The trouble is, when I look for in wireshark after sending my request from SoapUI to a remote PC where is located my server. The decoding looks like there is a mutual authentication going on.
But when I change
SOAP_SSL_DEFAULT
with
SOAP_SSL_NO_AUTHENTICATION
, and sent the same request, in wireshark it looks like there is a simple (only server authentication) going on.
But that confuses me, because if I follow gSoap documentation, the TLS/SSL option SOAP_SSL_NO_AUTHENTICATION, disable both client and server authentication.
Then my question is what am I doing wrong?
thanks in advance for your responses.
Best regards.
The SOAP_SSL_NO_AUTHENTICATION flag on the server side does not prevent the client from requesting the server to authenticate. This flag disables the requirement for a peer to authenticate to the requesting side. In your case the client is the requesting side and the flag is set at the server side.
What I have:
WAS traditional 9.0 with EJB web service;
webservice client - java application;
SSL configured for only 9449 port as described here (one way http://www.ibm.com/developerworks/webservices/tutorials/ws-radsecurity3/ws-radsecurity3.html)
I need SSL mutual authentication, so I go to Quality of protection (QoP) settings, and set Client authentication = Required.
Up to this point all works fine.
Problem is that my EJB application needs client certificate's common name to obtain a user ID, which it will use in business logic. And here I failed.
Code snippet (web service side):
MessageContext context = wsContext.getMessageContext();
HttpServletRequest req = (HttpServletRequest)context.get(MessageContext.SERVLET_REQUEST) ;
System.out.println("!! isSecure " + req.isSecure());
X509Certificate[] certificates = (X509Certificate[]) req.getAttribute("java.servlet.request.X509Certificate");
if (null != certificates && certificates.length > 0) {
...
} else {
System.out.println("!! Empty certificates");
}
isSecure returnd true, but I get "Empty certificates" message.
My guess is maybe the reason is in following. When I output the SSL configuration used on 9449 port, the first line is "com.ibm.ssl.clientAuthenticationSupported = false" while through Admin Console it is set as Required.
com.ibm.websphere.ssl.JSSEHelper jsseHelper = com.ibm.websphere.ssl.JSSEHelper.getInstance();
java.util.Properties props = jsseHelper.getProperties("WebServiceConfigure");
System.out.println("!!! WebServiceConfigure = " + props.toString());
You might want to try the "direct connect" certificate properties. This was created to address intermediate (SSL-terminating) proxies (like a web server with plug-in) that issued a certificate different than the ultimate client. This property is
com.ibm.websphere.ssl.direct_connection_peer_certificates
You can determine whether you're getting the certificate from direct connect peer or proxied peer via com.ibm.websphere.webcontainer.is_direct_connection.
See also: WAS 9 doc page.