<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
<div dir="auto" style="">Hi Viktor,</div>
<div dir="auto" style="color: rgb(33, 33, 33); background-color: rgb(255, 255, 255);">
<br>
</div>
<div dir="auto" style="color: rgb(33, 33, 33); background-color: rgb(255, 255, 255);">
thabks for the quick reply.</div>
<div dir="auto" style="color: rgb(33, 33, 33); background-color: rgb(255, 255, 255);">
<br>
</div>
<div dir="auto" style="color: rgb(33, 33, 33); background-color: rgb(255, 255, 255);">
> <span style="font-family: -apple-system, HelveticaNeue; font-size: 14.6667px; display: inline !important;">Is this context created just once, or once per (SSL *) connection? Is </span><span style="font-family: -apple-system, HelveticaNeue; font-size: 14.6667px; display: inline !important;">the
server single-threaded or multi-threaded?</span></div>
<div id="mail-editor-reference-message-container" dir="auto" style="color: rgb(33, 33, 33); background-color: rgb(255, 255, 255);">
<br>
</div>
<div id="mail-editor-reference-message-container" dir="auto" style="color: rgb(33, 33, 33); background-color: rgb(255, 255, 255);">
I have a 1:1 relation of context and connection, since it is used in a wrapper around a tcp socket to provide TLS support. When a new socket is created, a new ctx will be created and load the various configuration options, including PKI informationfrom an
external API. Not optimal but easy. </div>
<div id="mail-editor-reference-message-container" dir="auto" style="color: rgb(33, 33, 33); background-color: rgb(255, 255, 255);">
Currently ST, but what are the caveats if I need to later go MT?</div>
<div id="mail-editor-reference-message-container" dir="auto" style="color: rgb(33, 33, 33); background-color: rgb(255, 255, 255);">
<br>
</div>
<div id="mail-editor-reference-message-container" dir="auto" style="color: rgb(33, 33, 33); background-color: rgb(255, 255, 255);">
I have quickly rewritten my configuration steps to only set-up a CTX and then create an SSL upon the first call for do_handshake / send. But, it does.not seem to have solved (all?) of my issues. I still see a handshake (for now only server side auth with Verify_None)
and the client fails to verify the server certificate. Need to investigate further, but wanted to reply to you before laying it off for the day.</div>
<div id="mail-editor-reference-message-container" dir="auto" style="color: rgb(33, 33, 33); background-color: rgb(255, 255, 255);">
Any tips on how to load / set the CA and leaf cert + chain are very welcome.</div>
<div id="mail-editor-reference-message-container" dir="auto" style="color: rgb(33, 33, 33); background-color: rgb(255, 255, 255);">
<br>
</div>
<div id="mail-editor-reference-message-container" dir="auto" style="color: rgb(33, 33, 33); background-color: rgb(255, 255, 255);">
Greetings</div>
<div id="mail-editor-reference-message-container" dir="auto" style="color: rgb(33, 33, 33); background-color: rgb(255, 255, 255);">
Jochen</div>
<div id="mail-editor-reference-message-container" dir="auto" style="color: rgb(33, 33, 33); background-color: rgb(255, 255, 255);">
<br>
</div>
<div dir="auto" style="">
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" style="font-size: 11pt;"><strong>Von:</strong> openssl-users <openssl-users-bounces@openssl.org> im Auftrag von openssl-users-request@openssl.org <openssl-users-request@openssl.org><br>
<strong>Gesendet:</strong> Montag, 30. Januar 2023, 13:00<br>
<strong>An:</strong> openssl-users@openssl.org <openssl-users@openssl.org><br>
<strong>Betreff:</strong> openssl-users Digest, Vol 98, Issue 23<br>
</div>
<br>
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text --><font size="2"><span style="font-size:11pt;">
<div class="PlainText">Send openssl-users mailing list submissions to<br>
openssl-users@openssl.org<br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://mta.openssl.org/mailman/listinfo/openssl-users">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
openssl-users-request@openssl.org<br>
<br>
You can reach the person managing the list at<br>
openssl-users-owner@openssl.org<br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of openssl-users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Setting Up CertStore for TLS Verification (Kreissl, Jochen)<br>
2. Re: Setting Up CertStore for TLS Verification (Viktor Dukhovni)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Mon, 30 Jan 2023 04:00:13 +0000<br>
From: "Kreissl, Jochen" <Jochen.Kreissl@vector.com><br>
To: "openssl-users@openssl.org" <openssl-users@openssl.org><br>
Subject: Setting Up CertStore for TLS Verification<br>
Message-ID:<br>
<DB3PR0102MB3369CBFFFAC859A57C1E5F27FED39@DB3PR0102MB3369.eurprd01.prod.exchangelabs.com><br>
<br>
Content-Type: text/plain; charset="windows-1252"<br>
<br>
Hi,<br>
<br>
I am facing some uncertainties regarding how to properly set up SSL_CTX & SSL structs, so that certificate based, (mutual) authentication works (TLS 1.3).<br>
<br>
* Certificates are loaded via an external lib and I get them as binary ASN.1. After parsing them into proper openssl X509 structs, I load them into a X509_Store with X509_STORE_add_cert<br>
* I use the SSL_CTX_set1_cert_store method to load the thus constructed store into an SSL_CTX<br>
* I also use SSL_add_client_CA to add all CA/Roots names to the Server list of available Cas (to be sent to the Client when initiating mutual auth)<br>
* I have set the Verify flag to Verify_Peer via SSL_set_verify<br>
* An instance's chain cert are added via SSL_add1_chain_cert<br>
* An instance's key and leaf cert are added via SSL_use_certificate and SSL_use_PrivateKey respectively<br>
<br>
Q1: Is here anything I forget with regards to the general set-up of the verification process?<br>
Q2: Assume the Verification Certificates are loaded into SSL_CTX after an SSL struct was already created from it. Will the SSL struct "know" of the Certificate Store and access it properly? Or would I have to create a new SSL struct from SSL_CTX in order for
this configuration to take effect?<br>
<br>
Thanks everyone<br>
Jochen<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="https://mta.openssl.org/pipermail/openssl-users/attachments/20230130/bd67e29b/attachment-0001.htm">https://mta.openssl.org/pipermail/openssl-users/attachments/20230130/bd67e29b/attachment-0001.htm</a>><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Sun, 29 Jan 2023 23:50:03 -0500<br>
From: Viktor Dukhovni <openssl-users@dukhovni.org><br>
To: openssl-users@openssl.org<br>
Subject: Re: Setting Up CertStore for TLS Verification<br>
Message-ID: <Y9dMe+5859tv6amI@straasha.imrryr.org><br>
Content-Type: text/plain; charset=us-ascii<br>
<br>
On Mon, Jan 30, 2023 at 04:00:13AM +0000, Kreissl, Jochen wrote:<br>
<br>
> I am facing some uncertainties regarding how to properly set up<br>
> SSL_CTX & SSL structs, so that certificate based, (mutual)<br>
> authentication works (TLS 1.3).<br>
> <br>
> * Certificates are loaded via an external lib and I get them as<br>
> binary ASN.1. After parsing them into proper openssl X509<br>
> structs, I load them into a X509_Store with X509_STORE_add_cert<br>
> * I use the SSL_CTX_set1_cert_store method to load the thus<br>
> constructed store into an SSL_CTX<br>
<br>
Is this context created just once, or once per (SSL *) connection? Is<br>
the server single-threaded or multi-threaded?<br>
<br>
> * I also use SSL_add_client_CA to add all CA/Roots names to the<br>
> Server list of available Cas (to be sent to the Client when<br>
> initiating mutual auth)<br>
<br>
Do the acceptable CA names vary from connection to connection? If not,<br>
and the SSL_CTX is shared, why not preload the CA list into the shared<br>
context?<br>
<br>
> * I have set the Verify flag to Verify_Peer via SSL_set_verify<br>
<br>
This can be done last, after all other setup is complete.<br>
<br>
> * An instance's chain cert are added via SSL_add1_chain_cert<br>
> * An instance's key and leaf cert are added via<br>
> SSL_use_certificate and SSL_use_PrivateKey respectively<br>
<br>
Do the key and certificate vary from (SSL *) connection to connection?<br>
If not, why not preload the certificate and private key into the shared<br>
SSL_CTX?<br>
<br>
> Q1: Is here anything I forget with regards to the general set-up of<br>
> the verification process?<br>
<br>
Are client certificates unconditionally required? If so, and you want<br>
to terminate handshakes with anonymous clients promptly, you'll also<br>
want the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag in SSL_CTX_set_verify()<br>
or SSL_set_verify(). With TLS 1.3, you can alternatively enable<br>
post-handshake authentication by setting the SSL_VERIFY_POST_HANDSHAKE<br>
flag.<br>
<br>
> Q2: Assume the Verification Certificates are loaded into SSL_CTX after<br>
> an SSL struct was already created from it. Will the SSL struct<br>
> "know" of the Certificate Store and access it properly?<br>
<br>
No, that's too late. SSL connection operations expect the SSL_CTX<br>
to be immutable (apart from its reference count), clone much of<br>
the content, and shallow-copy the rest. Why would you pre-create<br>
the SSL connection handle???<br>
<br>
> Or would I have to create a new SSL struct from SSL_CTX in order<br>
> for this configuration to take effect?<br>
<br>
A server typically handles more than connection at a time, and ends up<br>
creating SSL connections on the fly, with the context already in place.<br>
The use case for connection before context initialisation is unclear<br>
(and in any case doesn't work).<br>
<br>
-- <br>
Viktor.<br>
<br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
_______________________________________________<br>
openssl-users mailing list<br>
openssl-users@openssl.org<br>
<a href="https://mta.openssl.org/mailman/listinfo/openssl-users">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
<br>
<br>
------------------------------<br>
<br>
End of openssl-users Digest, Vol 98, Issue 23<br>
*********************************************<br>
<br>
</div>
</span></font><br>
</div>
</body>
</html>