Testing SSL/TLS Client Authentication with OpenSSL


Question

I am developing a client/server application with TLS. My idea is to use a certificate on the client so it is authenticated by the server. Also another certificate on the server so the client is also able to authenticate that it is connecting to the right server.

I want first to test and use openssl s_server and openssl s_client to validate the proposal.

Until now I have created a CA private key on the server, and I have created a root certificate. With the root certificate I have signed two CSRs, so I get one certificate for the server and one certificate for the client.

I also have installed the client certificate + root certificate on the client, and the server certificate + root certificate on the server.

I want now to try to establish a connection between openssl s_server and openssl s_client and verify that they get both authenticated mutually, but I cannot wrap my mind with the documentation on how to do it. Any help or any guide on that?

Once I have that set up, the next step is to test the own developed client against that server, and our own developed server against the s_client. Can we use that for testing?

Thanks

Answer

It looks like you are trying to set up a root of trust with (1) s_client and s_server for testing; and (2) programmatically within your code using OpenSSL.

To ensure openssl s_client (or openssl s_server) uses your root, use the following options:

  • -CAfile option to specify the root
  • -cert option for the certificate to use
  • -key option for the private key of the certificate

See s_client(1) and s_server(1) for details.

To do the same programmatically on the client, you would use:

  • SSL_CTX_load_verify_locations to load the trusted root
  • SSL_CTX_use_certificate to specify the client certificate
  • SSL_CTX_use_PrivateKey to load the private key for the client certificate

To do the same programmatically on the server, you would use:

  • SSL_CTX_load_verify_locations to load the trusted root
  • SSL_CTX_use_certificate_chain_file to specify the server certificate
  • SSL_CTX_use_PrivateKey to load the private key for the server certificate
  • SSL_CTX_set_client_CA_list to tell the client to send its client certificate

If you don't want to use the parameters for every connection (i.e. the common context), then set it for each SSL connection with, for example, SSL_use_certificate and SSL_use_PrivateKey.

A lot goes on with SSL_CTX_set_client_CA_list. It (1) loads the CAs the server uses to verify a client, (2) causes the server to send the list of CAs it accepts when verifying a client, and (3) triggers the ClientCertificate message at the client if the client has a certificate that satisfies the server's accepted CA list.

Also see the docs on SSL_CTX_load_verify_locations(3), SSL_CTX_use_certificate(3), SSL_CTX_set_client_CA_list and friends.

The easiest certificate and key format to use is PEM. PEM is the one that uses, for example, -----BEGIN CERTIFICATE-----. For the server certificate, be sure the file is a concatenation of the server's certificate and any intermediates needed by the client to build the chain.

Having the server send all required certificates is standard practice for a problem known as the "which directory" problem. It's a well-known problem in PKI, and it's essentially the problem that clients don't know where to go to fetch missing intermediate certificates.

In general, you now know the functions that you need to use. Download a small server like nginx, and see how a production server uses them in practice. You could even use a SQL server like Postgres, since it sets up an SSL/TLS server. Simply search the source files for SSL_CTX_load_verify_locations or SSL_load_verify_locations, and you will find the right place.

Though I don't recommend it, you could even look at s_client.c and s_server.c. They are located in <openssl dir>/apps. But the code can be difficult to read at times.
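The following script is an added example, not part of the original question or answer, that exercises the whole s_server/s_client procedure the answer describes: it builds the PKI from the question (a root CA signing one server CSR and one client CSR), starts `openssl s_server` with `-CAfile`, `-cert`, `-key` and `-Verify` so that a client certificate is mandatory, and connects with `openssl s_client` using `-CAfile`, `-cert` and `-key`. It goes one step beyond the answer by also running the negative case (a client that presents no certificate) and checking that the server rejects it, which is the check you actually want from a mutual-authentication test. It assumes an `openssl` binary on PATH; the CA and host names, the scratch directory and the port are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): end-to-end mutual-TLS smoke test
# with openssl s_server / s_client. Assumes `openssl` is on PATH. All names,
# the scratch directory and the port below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
PORT=$((20000 + $$ % 10000))        # throwaway local port (assumption)
trap 'rm -rf "$WORK"' EXIT

# 1. Build the PKI described in the question: one self-signed root CA, then a
#    server CSR and a client CSR, both signed by that root.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  for name in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name.example.test" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$name.pem" >/dev/null 2>&1
  done
}

# 2. One handshake. s_server gets the root via -CAfile (which also becomes the
#    client-CA list it advertises), its own cert/key, and -Verify so a client
#    certificate is required. s_client trusts the same root and, if asked,
#    presents client.pem/client.key. -www makes the server answer an HTTP GET
#    with a status page that names the client certificate it accepted.
# Prints: "mutual"   - server verified the client and client verified the server
#         "rejected" - server refused the handshake for lack of a client cert
#         "failed"   - anything else (e.g. openssl missing, server cert untrusted)
mtls_handshake() {
  with_client_cert=$1
  openssl s_server -accept "$PORT" -naccept 1 -www \
      -CAfile "$WORK/ca.pem" -cert "$WORK/server.pem" -key "$WORK/server.key" \
      -Verify 1 >"$WORK/server.log" 2>&1 &
  server_pid=$!
  sleep 1                              # give the listener time to come up

  client_args=""
  if [ "$with_client_cert" = yes ]; then
    client_args="-cert $WORK/client.pem -key $WORK/client.key"
  fi
  # -verify_return_error: abort if the server's chain does not verify against
  # our root, instead of continuing with a warning. $client_args is split on
  # purpose.
  printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
      -CAfile "$WORK/ca.pem" -verify_return_error -ign_eof $client_args \
      >"$WORK/client.log" 2>&1 || true

  kill "$server_pid" 2>/dev/null || true
  wait "$server_pid" 2>/dev/null || true

  if grep -q "peer did not return a certificate" "$WORK/server.log"; then
    echo rejected
  elif grep -q "Verify return code: 0 (ok)" "$WORK/client.log" \
       && grep -q "Client certificate" "$WORK/client.log"; then
    echo mutual
  else
    echo failed
  fi
}

make_pki
echo "with client cert:    $(mtls_handshake yes)"   # expected: mutual
echo "without client cert: $(mtls_handshake no)"    # expected: rejected
```

The two grep checks are the heart of the test: "Verify return code: 0 (ok)" in the client log shows the client built and verified the server's chain up to the root, and the "Client certificate" block in the `-www` status page shows the server saw and accepted the client's certificate. Dropping `-Verify` from the s_server line turns the second run from "rejected" into a silently unauthenticated connection, which is the misconfiguration this kind of test exists to catch.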
