💾 Archived View for rawtext.club › ~sloum › geminilist › 002227.gmi captured on 2020-09-24 at 03:16:22. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2020-09-24)

-=-=-=-=-=-=-

<-- back to the mailing list

Client certificates

Alex Schroeder alex at gnu.org

Fri Jul 17 10:24:42 BST 2020

- - - - - - - - - - - - - - - - - - - 

People on the #gemini IRC channel and on Mastodon might have seen mestruggle with client certificates on the server side and it occured tome that I didn't post my solution to the list so here it is.

Background: I'm using Perl, with a library that uses OpenSSL bindingsin the background, so as you dig deeper, you soon end up reading theOpenSSL documentation...

Longer write-up:gemini://alexschroeder.ch/page/2020-07-13_Client_Certificates_and_IO%3A%3ASocket%3A%3ASSL_%28Perl%29

Short version:

In the TOFU world, the default OpenSSL setup doesn't quite work. Thedefault is that clients don't send their client certificates to theserver unless the server asks for them during the handshake. In theOpenSSL world, the server can be told to do this by telling it toverify the client certificate. When you do that, the server will thenreject the connection because the client certificate is self-signed. Inorder to force the server to still accept it, you need to provide yourown verification callback which simply returns 1 for all certificatesin the chain of certificates the client presents you with.

"SSL_set_verify() sets the verification flags for ssl to be mode andspecifies the verify_callback function to be used. If no callbackfunction shall be specified, the NULL pointer can be used forverify_callback. In this case last verify_callback set specifically forthis ssl remains."https://www.openssl.org/docs/manmaster/man3/SSL_set_verify.html

Keywords to look for in your SSL or TLS library's documentation are"peer verification", "verification mode", "verification callback", etc.

Once you have all that, then you can get the fingerprint of the clientcert on the server side and compare it to the list of fingerprints youknow (if you're trying to only allow some people access), or save thecombination of fingerprint and common name in your database if you wantto create an account (like astrobotany does), or send a 60 code back ifthere is no certificate, or a 61 code if the fingerprint doesn't matchanything in your database, or a 62 if you decide to do further testssuch as checking the validity start date or the expiry date of theclient certificate.

Hope that helps somebodyCheersAlex