mutual-TLS / mTLS Example with certificate problem
Raja Ashok
rashok.svks at gmail.com
Thu May 7 10:12:11 UTC 2020
Hi Andreas,
The repo below has examples of using OpenSSL for mTLS (mutual certificate
authentication) with sample certificates. You can refer to these.
https://github.com/TalkWithTLS/TalkWithTLS/blob/master/src/sample/openssl_tls13_server_both_auth.c
https://github.com/TalkWithTLS/TalkWithTLS/blob/master/src/sample/openssl_tls13_client_both_auth.c
On Thu, May 7, 2020 at 12:36 AM Andreas Tengicki <tengicki at autopoll.de> wrote:
> Hello,
>
> I cannot find a working mutual-TLS server/client example on GitHub or
> anywhere on the internet, only some examples of pieces of code. Communication
> via socket without and with encryption (OpenSSL) is working, but with
> mTLS it is not. I believe that I theoretically understand mTLS, but in
> practice it will not work.
>
> The whole (small) project is here:
> https://github.com/deckard-rick/mTLS-example
>
> Server Side
> =========
>
> I initialize the SSL context without errors with the following (sample;
> error handling is not in this email):
>
> SSL_CTX_set_ecdh_auto(srvCtx->ctx, 1);
> SSL_CTX_set_verify(srvCtx->ctx, SSL_VERIFY_PEER or SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
> SSL_CTX_load_verify_locations(srvCtx->ctx, NULL, "../certs"); //????
> SSL_CTX_use_certificate_chain_file(srvCtx->ctx, "../certs/server/ca.crt");
> SSL_CTX_use_certificate_file(srvCtx->ctx, "../certs/server/server.crt", SSL_FILETYPE_PEM);
> SSL_CTX_use_PrivateKey_file(srvCtx->ctx, "../certs/server/server.key", SSL_FILETYPE_PEM);
> SSL_CTX_check_private_key(srvCtx->ctx);
>
> the certificates are:
>
> ca.crt:
>     Version: 3 (0x2)
>     Serial Number:
>         5a:fc:74:e6:28:28:0e:df:5b:7a:50:9e:a8:18:e6:04:42:f0:fd:8d
>     Signature Algorithm: sha256WithRSAEncryption
>     Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA
>     Validity
>         Not Before: May 6 09:21:23 2020 GMT
>         Not After : May 6 09:21:23 2022 GMT
>     Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA
>
> server.crt:
>     Version: 1 (0x0)
>     Serial Number:
>         5f:6f:44:b5:27:47:f2:d2:fe:2b:21:5b:38:7d:e5:f6:e5:d9:c1:23
>     Signature Algorithm: sha256WithRSAEncryption
>     Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA
>     Validity
>         Not Before: May 6 09:30:23 2020 GMT
>         Not After : May 6 09:30:23 2021 GMT
>     Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = debiandevdesktop01.sdctec.lokal
>
> debiandevdesktop01.sdctec.lokal is the FQDN of the development server
>
> Client Side
> =========
>
> SSL_CTX_set_ecdh_auto(ctx, 1);
> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
> SSL_CTX_use_certificate_chain_file(ctx, "../certs/client/ca.crt");
> SSL_CTX_use_certificate_file(ctx, "../certs/client/client.crt", SSL_FILETYPE_PEM);
> SSL_CTX_use_PrivateKey_file(ctx, "../certs/client/client.key", SSL_FILETYPE_PEM);
>
> ca.crt: (see server)
>
> client.crt:
>     Version: 1 (0x0)
>     Serial Number:
>         5f:6f:44:b5:27:47:f2:d2:fe:2b:21:5b:38:7d:e5:f6:e5:d9:c1:24
>     Signature Algorithm: sha256WithRSAEncryption
>     Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA
>     Validity
>         Not Before: May 6 09:35:51 2020 GMT
>         Not After : May 6 09:35:51 2021 GMT
>     Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = CLIENT001
>
> Error:
> =====
>
> If the client connects to the server, there are the following errors:
>
> server:
> 139918902234240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915:
>
> client:
> 139918902234240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915:
>
> I think there is a problem with the certificates. But where is the
> problem, and why?
>
> The statements to create the certificates are in the project's
> ./certs/read.me
>
> Thanks for any help. I have been looking for a solution for days and I
> believe it is only a small bug.
>
> Best regards
>
> Andreas
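Added example, not code from the question, the reply or either linked repository: the same setup reproduced with the openssl command line, which is the quickest way to see why the two contexts quoted above fail. It shows that a bare directory such as "../certs" only works as a CApath after c_rehash (the question's //???? line); that the CA belongs in the CAfile argument of SSL_CTX_load_verify_locations, whereas SSL_CTX_use_certificate_chain_file sets the server's own certificate, not its trust store, and is replaced anyway by the SSL_CTX_use_certificate_file call that follows it; and that a client which has loaded no CA at all gets exactly "certificate verify failed". The CA name 42CA, the *.example.test hostnames, the ports and the file layout are made up for the demo; it assumes openssl 1.1.0 or later plus mktemp and coreutils timeout on PATH.

```shell
#!/bin/sh
# Added example for this thread, not code from the question or the reply.
# Builds a throwaway PKI shaped like the one in the question with the openssl
# CLI, checks which trust-store inputs verify, and runs the mTLS handshake with
# s_server/s_client. Assumes openssl >= 1.1.0, mktemp and coreutils timeout.
set -eu

# make_pki DIR: self-signed CA plus CA-signed server and client certs. The
# extension file is written inline so nothing depends on the system openssl.cnf.
make_pki() {
    dir=$1
    mkdir -p "$dir"
    cat >"$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
[client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -config "$dir/ext.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -days 2 -subj "/O=Example/CN=42CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    for name in server client; do
        openssl req -config "$dir/ext.cnf" -newkey rsa:2048 -nodes \
            -subj "/O=Example/CN=$name.example.test" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 1 -extfile "$dir/ext.cnf" -extensions "$name" \
            -out "$dir/$name.crt" >/dev/null 2>&1
    done
}

# verify_cafile DIR NAME: trust anchor given as a file, i.e. what
# SSL_CTX_load_verify_locations(ctx, "ca.crt", NULL) loads.
verify_cafile() {
    openssl verify -no-CApath -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# verify_capath DIR NAME: trust anchor given as a directory, i.e. the question's
# SSL_CTX_load_verify_locations(ctx, NULL, "../certs"). OpenSSL finds issuers
# there only under <subject_hash>.N names, so a plain directory of PEM files
# verifies nothing although loading it reports success.
verify_capath() {
    openssl verify -no-CAfile -CApath "$1" "$1/$2.crt" >/dev/null 2>&1
}

# rehash_capath DIR: what c_rehash / "openssl rehash" do, for the one CA cert.
rehash_capath() {
    hash=$(openssl x509 -noout -subject_hash -in "$1/ca.crt")
    ln -sf ca.crt "$1/$hash.0"
}

# mtls_handshake DIR CLIENT_NAME CLIENT_CAFILE PORT_OFFSET: s_server -Verify
# demands and verifies a client cert (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
# s_client -verify_return_error aborts when the server cert does not verify.
# Returns 0 only if the server decrypted the probe, i.e. both sides accepted.
mtls_handshake() {
    dir=$1; cname=$2; cafile=$3; port=$(( 20000 + $$ % 10000 + ${4:-0} ))
    log="$dir/server${4:-0}.log"
    openssl s_server -accept "$port" -naccept 1 -quiet -cert "$dir/server.crt" \
        -key "$dir/server.key" -CAfile "$dir/ca.crt" -Verify 1 >"$log" 2>&1 &
    spid=$!
    sleep 1
    args=""
    [ -n "$cname" ] && args="-cert $dir/$cname.crt -key $dir/$cname.key"
    [ -n "$cafile" ] && args="$args -CAfile $cafile"
    printf 'mtls-probe\n' | timeout 10 openssl s_client -connect "127.0.0.1:$port" \
        -verify_return_error $args >/dev/null 2>&1 || true
    i=0
    while kill -0 "$spid" 2>/dev/null && [ "$i" -lt 5 ]; do sleep 1; i=$((i + 1)); done
    kill "$spid" 2>/dev/null || true; wait "$spid" 2>/dev/null || true
    grep -q mtls-probe "$log"
}

main() {
    work=$(mktemp -d)
    make_pki "$work"
    if verify_capath "$work" server; then echo "unhashed CApath: verified?!"
    else echo "unhashed CApath: issuer not found (the question's //???? line)"; fi
    rehash_capath "$work"
    if verify_capath "$work" server; then echo "hashed CApath: server.crt verified"; fi
    if verify_cafile "$work" client; then echo "CAfile: client.crt verified"; fi
    if mtls_handshake "$work" client "$work/ca.crt" 1; then echo "client cert + CA: mTLS ok"
    else echo "client cert + CA: failed (no loopback in this sandbox?)"; fi
    if mtls_handshake "$work" "" "$work/ca.crt" 2; then echo "no client cert: accepted?!"
    else echo "no client cert: rejected by the server"; fi
    if mtls_handshake "$work" client "" 3; then echo "client without CA: accepted?!"
    else echo "client without CA: client aborts, certificate verify failed"; fi
    rm -rf "$work"
}
main
```

The server-side equivalent of `-Verify` is `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL)` with a bitwise `|`. If the `or` in the quoted server code is compiled as C++ (or via <iso646.h>) it is a logical OR, which evaluates to 1, the same value as SSL_VERIFY_PEER alone, so the server would request a client certificate but not fail when none is presented.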