mutual-TLS / mTLS Example with certificate problem

Viktor Dukhovni openssl-users at dukhovni.org
Wed May 6 19:37:04 UTC 2020 

On Wed, May 06, 2020 at 08:44:57PM +0200, Andreas Tengicki wrote:

> I can not find a working mutual-TLS server/client example on github or
> the whole internet. Only some example for pieces of code. Communication
> via socket without and with encryption (openSSL) is working, but with
> mTLS not. I believe that I theoretical understand mTLS, but the practice
> will not work.

Postfix uses an "ask_ccert" configuration boolean to solicit client
certificates.  The associated server-side code (with the SNI ctx
side-effects elided) is:

    if (props->ask_ccert)
        verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
    SSL_CTX_set_verify(server_ctx, verify_flags,
                       tls_verify_certificate_callback);
    if (props->ask_ccert && *props->CAfile) {
        STACK_OF(X509_NAME) *calist = SSL_load_client_CA_file(props->CAfile);

        if (calist == 0) {
            /* Not generally critical */
            msg_warn("error loading client CA names from: %s",
                     props->CAfile);
            tls_print_errors();
        }
        SSL_CTX_set_client_CA_list(server_ctx, calist);
    }

Some clients will not send a certificate unless the server-side client
CA list is non-empty and includes the root CA that issued the client's
cert.


>     SSL_CTX_set_ecdh_auto(ctx, 1);
>     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
>     SSL_CTX_use_certificate_chain_file(ctx, "../certs/client/ca.crt");
>     SSL_CTX_use_certificate_file(ctx, "../certs/client/client.crt", SSL_FILETYPE_PEM);
>     SSL_CTX_use_PrivateKey_file(ctx, "../certs/client/client.key", SSL_FILETYPE_PEM);

You SHOULD NOT specify both a certificate chain file and certificate
file.  The ..._chain_file() function loads the leaf cert, and then the
rest of the chain.

> 
> server:
> 139918902234240:error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify
> failed:../ssl/statem/statem_clnt.c:1915:

Your trust stores don't contain the requisite CAs and/or the chain files
are missing required intermediate certs.

-- 
    Viktor.

More information about the openssl-users mailing list