SSL_CTX_load_verify_locations(ctx, cert, NULL) ... I want to enable connections for all clients with a certificate signed by an organization certification authority.
What should I use?
On the server, you need to call SSL_CTX_set_client_CA_list so that the server advertises the CA list (and the client then proceeds). In your case, the list is one CA: the organization's CA or the subordinate CA within the organization.
The OpenSSL man page is SSL_CTX_set_client_CA_list(3). It is also discussed on the SSL_CTX_load_verify_locations(3) page.
Here's how to find an example of its use (OpenSSL is famous for self-documenting code):
```
$ cd openssl-1.0.2a
$ grep -R SSL_CTX_set_client_CA_list * | grep -v doc
...
apps/s_server.c:    SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
...
```
Here's how OpenSSL uses it in apps/s_server.c:
```c
char* caFile = NULL;
...
else if (strcmp(*argv, "-CAfile") == 0) {
    caFile = *(++argv);
...
if ((!SSL_CTX_load_verify_locations(ctx, caFile, caPath)) ||
    (!SSL_CTX_set_default_verify_paths(ctx))) {
    ERR_print_errors(bio_err);
}
...
if (caFile != NULL) {
    SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(caFile));
}
```
The manual page is SSL_load_client_CA_file(3).
Related, from the OpenSSL mailing list: Does STACK_OF(X509_NAME) need to be freed when using SSL_load_client_CA_file?
Assuming your PKI organization looks something like this:
```
                   ++++++++++++++++
                   + Organization +
                   +   Root CA    +
                   ++++++++++++++++
                           |
       +-------------------+-------------------+
       |                   |                   |
+--------------+    +--------------+    +--------------+
| Client Auth  |    | Server Auth  |    | Other ...    |
|    Sub CA    |    |    Sub CA    |    |    Sub CA    |
+--------------+    +--------------+    +--------------+
```
You might want to send the subordinate Client Authentication CA. This limits the damage if something happens in one of the other CA arcs.

The problem case is Diginotar, where the Root CA becomes compromised. In that case you need to burn the whole PKI to the ground and start all over again.

Subordinate CAs will have basicConstraints = critical, CA:TRUE. But they will not be self-signed. Rather, they will be signed (certified) by the Organization Root CA.
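The two points above, advertising only the client-auth sub CA and keeping the CA arcs separate, as an added, runnable example. This is not the answerer's code and not OpenSSL's; it uses Go's crypto/tls, where ClientCAs plays the combined role of SSL_CTX_set_client_CA_list and the verify store, because the handshake and the hierarchy can then be built in-process with the standard library alone. It constructs the hierarchy from the diagram (root, a Client Auth Sub CA, a Server Auth Sub CA), brings up a server over loopback TCP that trusts only the client-auth sub CA, and connects two clients: alice, issued under the client-auth arc, and mallory, who carries the client-auth EKU but was issued under the server-auth arc. The client side also captures the CA names the server advertises in its CertificateRequest. All names (Example Org, server.example.test, alice, mallory), serial numbers and lifetimes are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

// entity is a certificate plus the tls.Certificate (leaf first, then its issuing chain) a peer presents.
// Every name, serial number and lifetime in this file is constructed for the example.
type entity struct{ cert *x509.Certificate; peer tls.Certificate }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 key and a certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, serial int64, isCA bool, parent *entity, eku ...x509.ExtKeyUsage) *entity {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{Organization: []string{"Example Org"}, CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, DNSNames: []string{cn}}
	if isCA { // CAs: basicConstraints CA:TRUE with keyCertSign and no SAN (leaves keep cn as a DNS SAN)
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	parentCert, signer, above := tmpl, any(key), [][]byte(nil)
	if parent != nil {
		parentCert, signer, above = parent.cert, parent.peer.PrivateKey, parent.peer.Certificate
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return &entity{must(x509.ParseCertificate(der)), tls.Certificate{Certificate: append([][]byte{der}, above...), PrivateKey: key}}
}

// serverConfig is the crypto/tls analogue of SSL_CTX_set_client_CA_list plus SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT:
// ClientCAs is both the name list sent in the CertificateRequest and the trust anchors a client chain must reach.
func serverConfig(server, clientCA *entity) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA.cert) // only the client-auth sub CA, deliberately not the root
	return &tls.Config{Certificates: []tls.Certificate{server.peer}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
}

// clientConfig trusts the organization root for the server's chain and records the CA names the server advertised.
func clientConfig(root, client *entity, advertised *[]string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root.cert)
	return &tls.Config{RootCAs: pool, ServerName: "server.example.test", MinVersion: tls.VersionTLS12,
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			*advertised = nil
			for _, der := range cri.AcceptableCAs { // each entry is a DER-encoded X.509 Name
				var name pkix.RDNSequence
				must(asn1.Unmarshal(der, &name))
				*advertised = append(*advertised, name.String())
			}
			return &client.peer, nil
		}}
}

// connect runs one handshake over loopback TCP and returns the server's verdict; the client's single
// Read just drives its half of the handshake and then sees EOF or the server's alert.
func connect(srvCfg, cliCfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		raw := must(ln.Accept())
		defer raw.Close()
		verdict <- tls.Server(raw, srvCfg).Handshake()
	}()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	defer raw.Close()
	tls.Client(raw, cliCfg).Read(make([]byte, 1))
	return <-verdict
}

// demo builds the hierarchy from the diagram above; alice must be accepted and mallory refused.
func demo() (advertised []string, aliceErr, malloryErr error) {
	root := issue("Organization Root CA", 1, true, nil)
	clientCA := issue("Client Auth Sub CA", 2, true, root)
	serverCA := issue("Server Auth Sub CA", 3, true, root)
	server := issue("server.example.test", 4, false, serverCA, x509.ExtKeyUsageServerAuth)
	alice := issue("alice", 5, false, clientCA, x509.ExtKeyUsageClientAuth)
	mallory := issue("mallory", 6, false, serverCA, x509.ExtKeyUsageClientAuth) // right EKU, wrong arc
	aliceErr = connect(serverConfig(server, clientCA), clientConfig(root, alice, &advertised))
	malloryErr = connect(serverConfig(server, clientCA), clientConfig(root, mallory, &advertised))
	return
}

func main() { fmt.Println(demo()) }
```

Running it prints the single advertised name, CN=Client Auth Sub CA,O=Example Org, a nil verdict for alice, and an "unknown authority" verification error for mallory even though her certificate chains to the same organization root the server itself uses. Note the one place the Go analogue hides a split that matters in OpenSSL: SSL_CTX_set_client_CA_list only controls the names the server advertises, the trust store used to verify the presented chain still comes from SSL_CTX_load_verify_locations (the CAfile in the s_server excerpt), and neither call by itself makes a missing or unverifiable client certificate fatal; that takes SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL).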