client/server communication with OpenSSL && with passwords or passphrase

Jan Just Keijser janjust at nikhef.nl
Mon Jan 24 14:43:50 UTC 2022 

Hi,

On 21/01/22 11:29, Matthias Apitz wrote:
> Hello,
>
> we develop a business application as client/server with TCP/IP
> communication and a human readable protocol, which is encrypted by
> OpenSSL. The servers are C-written on top of PostgreSQL on Linux, while
> the clients are mostly Java-written and running on Win10 PCs of the
> staff, talking over the network to the servers. This runs well for many
> years already. The clients have no key material and "trust" the server
> servers. How the keys are made is explained below in some older post
> from me. The connection establishment is from the client to the server.
>
> This only as background for the actual situation.
>
> What we now want to have is strengthen the communication in some
> directions:
>
> 1) Each client should have its own key for the OpenSSL. They must be
>     built central, copied to the Win PC and installed there.
>
> 2) The usage of the key and OpenSSL communication should be protected by some
>     passphrase (like for a SSH connection the usage of the private RSA
>     key).
>
> Is there some usecase example or some tutorial for this, or any other
> hints?

yes, there is plenty of information on this out there, but the tricky 
part is the fact that you are using Java on the client side. Doing 
client authentication with Java requires knowledge of how Java uses its 
local keystores. Example code can be found here:
https://docs.oracle.com/javase/10/security/sample-code-illustrating-secure-socket-connection-client-and-server.htm

You would set up a central PKI  and issue passphrase protected keys 
using it; the "openssl CA" commands are a good starting point for this, 
otherwise I'd recommend looking into tools like "easy-rsa" , which are 
essentially wrappers around the "openssl CA" commands.

On the server side you need to ensure that it will accept connections 
only coming from clients that supply a certificate signed by the CA you 
have built for this purpose.  The OpenSSL sources provide plenty of 
examples on how to do this.

You'd then copy over the resulting client-side keys+certificates to the 
Java-based client and import it into the Java keystore. That can be done 
using the PKCS12 format, as I believe you can load a Java keystore in 
that format, e.g.

|KeyStore ks = KeyStore.getInstance("pcks12");|


see https://www.baeldung.com/java-keystore for an example.

HTH,

JJK / Jan Just Keijser



> ----- Forwarded message from Matthias Apitz <guru at unixarea.de> -----
>
> Date: Tue, 19 Feb 2019 09:57:11 +0100
> From: Matthias Apitz <guru at unixarea.de>
> To: openssl-users at openssl.org
> Subject: understand 'openssl dhparms ....'
>
>
> Hello,
>
> Some years ago (in 2012) I wrote an OpenSSL server, loosely based on the example
> sources 'openssl-examples-20020110' which nowadays still exist in
> https://github.com/smbutton/DataCommProject/tree/master/openssl-examples-20020110/openssl-examples-20020110
>
> There was also some guiding available about how to create the necessary
> key material, which goes more or less like this:
>
> --------------------------------------------------------------------------------
>
>    $ mkdir newca
>    $ cd newca
>    $ cp /usr/local/openssl/misc/CA.sh .
>    $ ./CA.sh -newca
>
>    will create a new CA. Remember the passphrase as you will need
>    it to sign certificates.
>
>    $ cp demoCA/cacert.pem ../root.pem
>
>    Second step
>
>    $ ./CA.sh -newreq
>
>    will create a certificate and a certification request.
>    Set the passphrase to 'password' as this is hard-coded in
>    the examples' source code. It is important to set the
>    [Common Name] to 'localhost'.
>
>
>    Third step
>
>    $ ./CA.sh -sign
>
>    will sign your newly created certificate. Enter the password for
>    your CA which you have defined in step 1.
>
>
>    Fourth step
>
>    $ cat newreq.pem newkey.pem newcert.pem > ../localhost.pem
>    $ cd ..
>    $ ln -s localhost.pem server.pem
>    $ ln -s localhost.pem client.pem
>
>    Maybe you also want to issue
>
>    $ openssl dhparam 1024 -2 -out dh1024.pem -outform PEM
>
>    in order to update the DH parameters.
>
>
> ...
>
> --------------------------------------------------------------------------------
>
>
>
> ----- End forwarded message -----
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220124/a37fc5ac/attachment-0001.htm>

More information about the openssl-users mailing list