Allow connections only by clients with certificates signed by organizational CA


Question

I have OpenSSL server and client.

Server allows connections only with one certificate via the function SSL_CTX_load_verify_locations(ctx, cert, NULL), but it is not enough. I want to enable connections for all clients with a certificate that was signed by the organizational CA.

What should I use?

I have read about setting the path to a folder with "good" client certificates, but it's actually not what I want and it's not working for me either.

Any ideas?

Answer

SSL_CTX_load_verify_locations(ctx, cert, NULL)... I want to enable connections for all clients with a certificate that was signed by the organizational CA.

What should I use?

On the server, you need to call SSL_CTX_set_client_CA_list to have the server send the CA list (and trigger the client). In your case, the list is one CA - the organization's CA or a subordinate CA within the organization.

You can find the OpenSSL man page at SSL_CTX_set_client_CA_list(3). It's also discussed on the SSL_CTX_load_verify_locations(3) man page.

Here's how to find an example of using it (OpenSSL is famous for self-documenting code):

$ cd openssl-1.0.2a
$ grep -R SSL_CTX_set_client_CA_list * | grep -v doc
...
apps/s_server.c:    SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
...

Here's how OpenSSL uses it in apps/s_server.c:

char* caFile = NULL;
...

else if (strcmp(*argv, "-CAfile") == 0) {
    caFile = *(++argv);
...

if ((!SSL_CTX_load_verify_locations(ctx, caFile, caPath)) ||
    (!SSL_CTX_set_default_verify_paths(ctx))) {
    ERR_print_errors(bio_err);
}
...

if (caFile != NULL) {
    SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(caFile));
}

You can find the man page for SSL_load_client_CA_file(3).

Related, on the OpenSSL mailing list: Does STACK_OF(X509_NAME) need to be free'd when using SSL_load_client_CA_file?

Assuming your organization PKI looks something like so:

                     ++++++++++++++++
                     + Organization +
                     +    Root CA   +
                     ++++++++++++++++
                            |
        +-------------------+------------------+
        |                   |                  |
+--------------+    +--------------+   +--------------+
|  Client Auth |    | Server Auth  |   |  Other ...   |
|    Sub CA    |    |    Sub CA    |   |    Sub CA    |
+--------------+    +--------------+   +--------------+

You probably want to send the Client Authentication subordinate CA. That limits damage in case something happens in one of the other CA arcs.

The problem case is that of DigiNotar, where the Root CA becomes compromised. In that case, you need to burn the entire PKI to the ground and start over.

The subordinate CAs will have basicConstraint=critical, CA=true. But they will not be self-signed. Rather, they will be signed or certified by the Organizational Root CA.
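As an added example (not part of the original answer), the following sh script builds the PKI drawn above with the openssl CLI and checks which client certificates a server would accept depending on what its verify store holds: the store given to SSL_CTX_load_verify_locations decides acceptance, the list from SSL_CTX_set_client_CA_list only tells clients which CAs to present, and the server additionally needs SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL) to turn away clients that present no certificate at all. It assumes an openssl binary of version 1.0.2 or later on PATH; all CA and client names are constructed.

```shell
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles: the CAs get basicConstraints=critical,CA:TRUE as described above;
# the client leaves get CA:FALSE plus the clientAuth EKU.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

# issue NAME ISSUER EXTFILE: make a key and CSR for NAME, then have ISSUER certify it
# (ISSUER = NAME gives a self-signed root).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "/CN=$1" \
    -out "$1.csr" 2>/dev/null
  if [ "$1" = "$2" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -extfile "$3" \
      -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days 1 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}

issue org-root        org-root        ca.ext    # Organization Root CA (self-signed, constructed)
issue client-auth-sub org-root        ca.ext    # Client Auth Sub CA, certified by the root
issue other-sub       org-root        ca.ext    # Other ... Sub CA, also certified by the root
issue alice           client-auth-sub leaf.ext  # client certificate from the Client Auth arc
issue eve             other-sub       leaf.ext  # client certificate from the Other arc
cat client-auth-sub.pem other-sub.pem > subs.pem   # intermediates a client would send in its chain

# verifies CAFILE CERT: exit 0 if CERT chains to a CA in CAFILE as a TLS client certificate.
# -partial_chain lets a subordinate CA be the trust anchor, which is what a server needs
# when its verify store holds only the Client Auth Sub CA (X509_V_FLAG_PARTIAL_CHAIN in the API).
verifies() {
  openssl verify -partial_chain -purpose sslclient -CAfile "$1" -untrusted subs.pem "$2" \
    >/dev/null 2>&1
}

report() {
  if verifies "$1" "$2"; then echo "$1 accepts $2"; else echo "$1 rejects $2"; fi
}
report org-root.pem        alice.pem   # accepted
report org-root.pem        eve.pem     # accepted: a root in the store admits every arc
report client-auth-sub.pem alice.pem   # accepted
report client-auth-sub.pem eve.pem     # rejected: only the Client Auth arc is trusted
```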
