Sunday, 11 December 2011

Even More OpenSSL - Client Certificates

In these posts (1, 2), I discussed using OpenSSL as a simple SSL client to help troubleshoot SSL connections. I did not mention client certificates because, to be honest, we hadn't got that far in our testing. Now that we have, and, surprisingly enough, ran into trouble, I thought I would discuss using client certificates with OpenSSL.

In essence, this is the command you need to run:
openssl s_client -CApath <pathtoCAcerts> -cert <clientcert> -key <clientcertkey> -pass pass:<keypassphrase> -connect <serveripaddress>:443
Substitute -CAfile for -CApath if you only care about a single CA certificate. Note that -pass takes a password source rather than the bare passphrase, so a literal passphrase is written as pass:<keypassphrase>. The -key and -pass switches are optional, depending on your client certificate: if the certificate file also contains the private key and the key has no passphrase, you can omit both.
openssl s_client -CAfile <pathtoCAcert> -cert <clientcert> -connect <serveripaddress>:443
You'll get something like this, showing only an extract from the response:
..
..
..
..
SSL handshake has read 1548 bytes and written 295 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 92220000BD6498AD833C46B2F3660E6E8131F1233EF25B59A68311394CCBDB8F
    Session-ID-ctx:
    Master-Key: 717135CF0F753CAA1CE67A2713356A05D5C4AB32EE71AAA39F09C1696F865B727D36ACECC9CF8529A0A61C036E1607C7
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1323622751
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
You can now try to communicate with the server, e.g. request a page:
GET /home.htm
This should return the contents of home.htm. In actual fact you get the whole server response, not just the page, as is to be expected:
depth=1 DC = com, DC = dev, CN = TESTAuthority
verify return:1
depth=0 C = US, ST = York, L = York, O = York, OU = York, CN = server.dev.com
verify return:1
read R BLOCK
HTTP/1.1 200 OK
Date: Sun, 11 Dec 2011 17:15:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Content-Length: 310
..
..
..
..
If you try without the client cert (e.g. openssl s_client -CAfile <pathtoCAcert> -connect <serveripaddress>:443), the handshake completes but you get an error page back (at least from IIS you do) when you try to communicate with the server (e.g. GET /home.htm). Extract from the response:
<h2>HTTP Error 403.7 - Forbidden: SSL client certificate is required.<br>Internet Information Services (IIS)</h2>
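To make this check repeatable, here is an added example (not from the original post) that wraps the s_client invocation above and classifies the output: it reports the verify return code, the negotiated cipher, the HTTP status, and whether the server answered with the IIS 403.7 "client certificate is required" page. The function names and the two sample transcripts are constructed from the extracts shown in this post.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the s_client invocation
# described above and classifies its output. Function names and the sample
# transcripts below are constructed from the extracts shown in the post.

# probe HOST CAFILE CERT KEY [PASSPHRASE]: run the handshake, send the same
# "GET /home.htm", and print the raw s_client output. -pass expects a password
# source, hence the "pass:" prefix; -ign_eof keeps the session open until the
# server closes it so the HTTP reply is actually read.
probe() {
  host=$1 cafile=$2 cert=$3 key=$4 pass=$5
  set -- -CAfile "$cafile" -cert "$cert" -key "$key" -ign_eof -connect "$host:443"
  if [ -n "$pass" ]; then set -- "$@" -pass "pass:$pass"; fi
  printf 'GET /home.htm\r\n\r\n' | openssl s_client "$@" 2>&1
}

# summarise: read s_client output on stdin and print one line of the form
#   verify=<code> cipher=<name> http=<status|none> clientcert=<accepted|required|unknown>
summarise() {
  out=$(cat)
  verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\(.*\)$/\1/p' | head -n 1)
  status=$(printf '%s\n' "$out" | sed -n 's#^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*#\1#p' | head -n 1)
  case "$out" in
    *"403.7"*) cc=required ;;      # IIS: handshake fine, but a client cert is mandatory
    *) if [ "$status" = 200 ]; then cc=accepted; else cc=unknown; fi ;;
  esac
  printf 'verify=%s cipher=%s http=%s clientcert=%s\n' \
    "${verify:-none}" "${cipher:-none}" "${status:-none}" "$cc"
}

# Constructed transcripts: the successful exchange from the post, and the IIS
# reply seen when no client certificate is presented.
WITH_CERT='    Cipher    : RC4-MD5
    Verify return code: 0 (ok)
read R BLOCK
HTTP/1.1 200 OK
Content-Length: 310'
WITHOUT_CERT='    Cipher    : RC4-MD5
    Verify return code: 0 (ok)
HTTP/1.1 403 Forbidden
<h2>HTTP Error 403.7 - Forbidden: SSL client certificate is required.</h2>'

printf '%s\n' "$WITH_CERT" | summarise      # verify=0 cipher=RC4-MD5 http=200 clientcert=accepted
printf '%s\n' "$WITHOUT_CERT" | summarise   # verify=0 cipher=RC4-MD5 http=403 clientcert=required
```

Against a live server, pipe probe into summarise (probe <host> <cafile> <cert> <key> [passphrase] | summarise); a result of clientcert=required from a run that did include -cert usually means the certificate presented is not issued by a CA the server trusts.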
