Testing SSL/TLS Client Authentication with OpenSSL


Problem description

I am developing a client/server application with TLS. My idea is to use a certificate on the client so it is authenticated by the server. Also another certificate on the server so the client is also able to authenticate that it is connecting to the right server.

I want first to test and use openssl s_server and openssl s_client to validate the proposal.

Until now I have created a CA private key on the server, and I have created a root certificate. With the root certificate I have signed two CSRs, so I get one certificate for the server and one certificate for the client.

I also have installed the client certificate + root certificate on the client, and the server certificate + root certificate on the server.

I want now to try to establish a connection between openssl s_server and openssl s_client and verify that they both get authenticated mutually, but I cannot wrap my mind around the documentation on how to do it. Any help or any guide on that?

Once I have that set up, the next step is to test the own developed client against that server, and our own developed server against the s_client. Can we use that for testing?

Thanks

Answer

It looks like you are trying to set up a root of trust with (1) s_client and s_server for testing; and (2) programmatically within your code using OpenSSL.

To ensure openssl s_client (or openssl s_server) uses your root, use the following options:

  • -CAfile option to specify the root
  • -cert option for the certificate to use
  • -key option for the private key of the certificate

See the docs on s_client(1) and s_server(1) for details.

To do the same programmatically on the client, you would use:

  • SSL_CTX_load_verify_locations to load the trusted root
  • SSL_CTX_use_certificate to specify the client certificate
  • SSL_CTX_use_PrivateKey to load the private key for the client certificate

To do the same programmatically on the server, you would use:

  • SSL_CTX_load_verify_locations to load the trusted root
  • SSL_CTX_use_certificate_chain_file to specify the server certificate
  • SSL_CTX_use_PrivateKey to load the private key for the server certificate
  • SSL_CTX_set_client_CA_list to tell the client to send its client certificate

If you don't want to use the parameters for every connection (i.e. the common context), then set them for each SSL connection with, for example, SSL_use_certificate and SSL_use_PrivateKey.

A lot goes on with SSL_CTX_set_client_CA_list. It (1) loads the CAs the server uses to verify a client, (2) causes the server to send the list of CAs it accepts when verifying a client, and (3) triggers the ClientCertificate message at the client if the client has a certificate that satisfies the server's accepted CA list.

Also see the docs on SSL_CTX_load_verify_locations(3), SSL_CTX_use_certificate(3), SSL_CTX_set_client_CA_list and friends.

The easiest certificate and key format to use is PEM. PEM is the one that uses, for example, -----BEGIN CERTIFICATE-----. For the server certificate, be sure the file is a concatenation of the server's certificate and any intermediates needed by the client to build the chain.

Having the server send all required certificates is standard practice for a problem known as the "which directory" problem. It's a well-known problem in PKI, and it's essentially the problem that clients don't know where to go to fetch missing intermediate certificates.

In general, you now know the functions that you need to use. Download a small server like nginx, and see how a production server uses them in practice. You could even use a SQL server like Postgres since it sets up an SSL/TLS server. Simply search the source files for SSL_CTX_load_verify_locations or SSL_load_verify_locations, and you will find the right place.

Though I don't recommend it, you could even look at s_client.c and s_server.c. They are located in <openssl dir>/apps. But the code can be difficult to read at times.
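The s_server/s_client test the question asks for, as an added script that is not part of the original answer: it builds a constructed throwaway root CA with one server and one client certificate, starts s_server with -CAfile/-cert/-key plus -Verify, and checks that a client with a certificate connects (with "Verify return code: 0 (ok)") while a client without one is refused. Note that -Verify is what actually makes the server request and require the client certificate; it is the command-line counterpart of SSL_CTX_set_verify with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which the API list above does not mention. Assumptions: openssl and timeout are on PATH and loopback port 14433 (override with MTLS_PORT) is free.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway PKI plus a mutual-auth test between
# openssl s_server and openssl s_client. Assumes openssl and timeout on PATH and a free port.
set -eu
WORK=${WORK:-$(mktemp -d)}          # constructed certs and logs live here
PORT=${MTLS_PORT:-14433}
SERVER_PID=${SERVER_PID:-}
trap '[ -z "$SERVER_PID" ] || kill "$SERVER_PID" 2>/dev/null; rm -rf "$WORK"' EXIT

gen_pki() {   # self-signed root, plus a server and a client cert it signs (1-day validity)
  [ -f "$WORK/client.pem" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  for n in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=test-$n" \
      -keyout "$WORK/$n.key" -out "$WORK/$n.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$n.csr" -CA "$WORK/ca.pem" \
      -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$n.pem" 2>/dev/null
  done
}

start_server() {   # -Verify 1: request a client cert and abort if missing/untrusted; -CAfile is the trust root AND the CA list sent to the client
  [ -n "$SERVER_PID" ] && return 0
  openssl s_server -accept "$PORT" -www -CAfile "$WORK/ca.pem" -Verify 1 \
    -cert "$WORK/server.pem" -key "$WORK/server.key" >"$WORK/server.log" 2>&1 &
  SERVER_PID=$!
}

client_with_cert() {   # exit 0 only if the server cert verifies and the server accepts the client cert
  for i in 1 2 3 4 5 6 7 8 9 10; do   # retry while s_server is still starting up
    if printf 'GET / HTTP/1.0\r\n\r\n' | timeout 10 openssl s_client -connect "127.0.0.1:$PORT" \
        -CAfile "$WORK/ca.pem" -cert "$WORK/client.pem" -key "$WORK/client.key" \
        -verify_return_error -ign_eof >"$WORK/client.log" 2>&1; then
      grep -q 'Verify return code: 0 (ok)' "$WORK/client.log" && return 0
    fi
    sleep 1
  done
  return 1
}

client_without_cert() {   # exit 0 when the server rejects a client that presents no certificate
  ! printf 'GET / HTTP/1.0\r\n\r\n' | timeout 10 openssl s_client -connect "127.0.0.1:$PORT" \
      -CAfile "$WORK/ca.pem" -ign_eof >"$WORK/nocert.log" 2>&1
}

gen_pki
start_server
client_with_cert || { echo "mutual TLS FAILED (see $WORK/client.log)"; exit 1; }
client_without_cert || { echo "client without certificate was NOT rejected"; exit 1; }
echo "mutual TLS OK: server verified by client, client certificate required and accepted"
```

The same -CAfile/-cert/-key flags work against your own server or client in place of the OpenSSL one, which is the second half of the question.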
