How exactly does TLS/SSL work regarding client certificates?


Question

I read the TLS 1.2 RFC, but I couldn't find (or understand) how client certificate authentication works.

What I understood is that the server may request the client certificate and the client should provide it, but what exactly does it provide? How does the client prove he owns the private key (I assume he gets some challenge and encrypts it, but what exactly does he encrypt)?

I will be happy if someone could shed some light on this part of the protocol.

EDIT: What I'm trying to achieve is a man in the middle (like Fiddler does for server certificates).

Answer

I can copy/paste from the OpenSSL wiki: https://wiki.openssl.org/index.php/SSL_and_TLS_Protocols#Client_Authentication

Basically the client sends a Client Certificate to the server that matches the CA DN given by the server. The client then sends a CertificateVerify that uses its private key to prove he owns it.

Client Certificate authentication requires the client to own a certificate and have the corresponding private key. The client never sends its private key but uses it to prove he has the key pair corresponding to the public key advertised within the certificate.

What does he digest? A digest of the whole handshake exchange so far. If the server manages to verify this with the public key and it matches the digest of the whole handshake so far (computed on the server side), then I prove two things:

  • The client owns the private key (otherwise decrypting with the public key would not come out correct)
  • The client is at the other end of this handshake, which prevents replaying a client CertificateVerify from another handshake.

So yes, the challenge is in fact the whole set of handshake messages.
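As an added illustration of that answer, not part of the original post: a toy model of the TLS 1.2 CertificateVerify step over constructed handshake messages. The toy RSA key (no padding, modulus built from two Mersenne primes) and SHA-224 as the transcript hash are assumptions made for the demo only; what it shows is that a genuine signature verifies, a CertificateVerify replayed from a different handshake does not, and a signature made without the client's private exponent does not.

```python
import hashlib

# Toy RSA key pair from two Mersenne primes (2^107-1 and 2^127-1).
# Illustrative only: no padding, tiny modulus. A real TLS stack uses a proper
# RSA/ECDSA signature scheme, but over the same kind of transcript hash.
P, Q = (1 << 107) - 1, (1 << 127) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # client's private exponent: never sent on the wire
CLIENT_PUBLIC_KEY = (N, E)          # what the client Certificate advertises

def transcript_hash(messages):
    """Hash of every handshake message exchanged so far, in order (demo uses SHA-224)."""
    h = hashlib.sha224()
    for m in messages:
        h.update(m)
    return int.from_bytes(h.digest(), "big")   # 224 bits < N, so it is already "in range"

def make_certificate_verify(messages, private_exponent=D):
    """Client side: sign the transcript hash; this signature is the CertificateVerify body."""
    return pow(transcript_hash(messages), private_exponent, N)

def check_certificate_verify(messages, signature, public_key=CLIENT_PUBLIC_KEY):
    """Server side: recover the signed value with the public key and compare it
    against the transcript hash the server computed from its own copy of the messages."""
    n, e = public_key
    return pow(signature, e, n) == transcript_hash(messages)

def handshake(client_random):
    """Constructed sample handshake messages up to (not including) CertificateVerify."""
    return [
        b"ClientHello:" + client_random,
        b"ServerHello:" + b"\x42" * 32,
        b"Certificate(server):cn=example",
        b"CertificateRequest:ca=Example CA",
        b"ServerHelloDone",
        b"Certificate(client):cn=alice",
        b"ClientKeyExchange:" + b"\x01" * 48,
    ]

def demo():
    h1 = handshake(b"\x11" * 32)
    h2 = handshake(b"\x22" * 32)      # a second handshake: different client random
    cv1 = make_certificate_verify(h1)
    return {
        "genuine": check_certificate_verify(h1, cv1),
        "replayed_into_other_handshake": check_certificate_verify(h2, cv1),
        "without_private_key": check_certificate_verify(h1, make_certificate_verify(h1, D + 2)),
    }
```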
