HenryHayes

Reputation: 389

Verify Incoming SSL Using OpenSSL S_Server

We are wanting to use two-way certificate authentication using OpenSSL.

When we open s_server as follows, the client is able to connect to my server:

openssl s_server -accept 12345 -cert our-cert.pem

(our-cert.pem is our certificate.)

This works fine. However, my requirements are:

  1. Verify that the incoming certificate is valid with a trusted CA, and
  2. Verify the common name is what we expect it to be.

I have tried this:

openssl s_server -accept 12345 -cert our-cert.pem -CApath /etc/ssl/certs/

This allows the client to connect. But my questions are:

  1. How can I be sure that it is validating that the incoming SSL certificate is valid and issued by a CA?
  2. How can I validate the Common Name is what I expect?

Upvotes: 16

Views: 40355

Answers (2)

oden

Reputation: 3651

To test the CA use this:

/usr/local/ssl/bin/openssl s_server -accept 7569 -cert /opt/GCTI/cert/host1_cert.pem -CAfile /opt/GCTI/cert/ca_cert.pem -key /opt/GCTI/cert/host1_priv_key.pem

-cert is the public key file for this host
-key is the private key file for this host
-CAfile is the CA file, needed for a self-signed certificate
-port is the port number to open up

This will open up a listen port 7569 that will accept TLS connections with the certificate specified.

If the CA is not valid, then the last line will look like this:

Verify return code: 21 (unable to verify the first certificate)

To connect to this server for a full end-to-end test (not really the question asked):

openssl s_client -showcerts -connect host1:7569 -CAfile /opt/GCTI/cert/ca_cert.pem

Replace host1 with your actual host. This will verify that the TLS service is valid and running a certificate signed by the same CA.

Upvotes: 8

gtrig

Reputation: 12978

For the server, you need to add the "-Verify <depth>" option to force the client to provide a certificate. The depth is the maximum length of the client certificate chain.

That should take care of question #1.

For #2, I'm not sure there is a way to restrict by Common Name using these OpenSSL commands.

You can see the OpenSSL documentation for the server/client commands here:

s_server

s_client

Upvotes: 8
