15

We are wanting to use two way certificate authentication using open ssl.

When we open s_server as follows, the client is able to connect to my server:

openssl s_server -accept 12345 -cert our-cert.pem

(our-cert.pem is our certificate.)

This works fine. However, my requirements are:

  1. Verify that the incoming certificate is valid with a trusted CA, and
  2. Verify the common name is what we expect it to be.

I have tried this:

openssl s_server -accept 12345 -cert our-cert.pem -CApath /etc/ssl/certs/

This allows the client to connect. But my questions are:

  1. How can I be sure that it is validating the incomming SSL is valid and issued by a CA?
  2. How can I validate the Common Name is what I expect?
Cœur
  • 37,241
  • 25
  • 195
  • 267
HenryHayes
  • 368
  • 2
  • 4
  • 13

2 Answers2

8

For the server, you need to add the "-Verify " option to force the client to provide a certificate. The depth is the maximum length of the client certificate chain.

That should take care of question #1.

For #2, I'm not sure there is a way to restrict by Common Name using these OpenSSL commands.

You can see the OpenSSL documentation for the server/client commands here:

s_server

s_client

gtrig
  • 12,550
  • 5
  • 28
  • 36
7

To test the CA use this:

/usr/local/ssl/bin/openssl s_server -accept 7569 -cert /opt/GCTI/cert/host1_cert.pem -CAfile /opt/GCTI/cert/ca_cert.pem -key /opt/GCTI/cert/host1_priv_key.pem              

-cert is the public key file for this host
-key is the private key file for this host
-CAfile is the CA file, needed for self signed certificate
-port is the port number to open up

This will open up a listen port 7569 that will accept TLS connections with the certificate specified.

if the CA is not valid then the last line will look like this

Verify return code: 21 (unable to verify the first certificate)

To connect to this server, full end to end test (not really the question asked)

openssl s_client -showcerts -connect host1:7569 -CAfile  /opt/GCTI/cert/ca_cert.pem

replace host1 with your actual host. This will verify the TLS service is valid and running a certificate signed by the same CA.

oden
  • 3,461
  • 1
  • 31
  • 33