Reputation: 416
Verify client certificate using SSLServer in Ruby
Heres the code I'm using to setup the server:
require 'socket'
require 'openssl'
socket = TCPServer.new('127.0.0.1', 4433)
ssl_context = OpenSSL::SSL::SSLContext.new()
ssl_context.cert = OpenSSL::X509::Certificate.new(File.open("ssl/server/server.crt"))
ssl_context.key = OpenSSL::PKey::RSA.new(File.open("ssl/server/server.key"))
ca_cert = OpenSSL::X509::Certificate.new(File.open("ssl/ca/ca.crt"))
ssl_socket = OpenSSL::SSL::SSLServer.new(socket, ssl_context)
Thread.start(ssl_socket.accept) do |s|
puts "Connected to #{s.peeraddr.last}"
if s.peer_cert.verify(ca_cert.public_key)
puts "Certificate verified"
else
puts "Certificate invalid"
end
end
And the client:
require 'socket'
require 'openssl'
socket = TCPSocket.new('127.0.0.1', 4433)
ssl_context = OpenSSL::SSL::SSLContext.new
ssl_context.cert = OpenSSL::X509::Certificate.new(File.open("ssl/client1/client1.crt"))
ssl_context.key = OpenSSL::PKey::RSA.new(File.open("ssl/client1/client1.key"))
ssl_socket = OpenSSL::SSL::SSLSocket.new(socket, ssl_context)
ca_cert = OpenSSL::X509::Certificate.new(File.open("ssl/ca/ca.crt"))
ssl_socket.connect
if ssl_socket.peer_cert.verify(ca_cert.public_key)
puts "Certificate checks out"
else
puts "Certificate not verified"
end
However, the server throws an exception when it tries to get the peer_cert that it cannot find. Is there a way to get the SSLServer to expect a client certificate?
Upvotes: 9
Views: 4287
Answers (1)
Reputation: 39650
Have a look at test_client_auth and start_server in the tests for OpenSSL::SSL.
From the top of my head, the only thing I see missing in your code is that you forgot to explicitly require client authentication on the server side - it is important to set the flag combination
flags = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
ctx.verify_mode = flags
so that the server will actually require client authentication and not silently accept requests that come unauthenticated. If you don't set these, the server will be happy without requesting client authentication and as a result there will also be no peer certificate available.
Upvotes: 8
Related Questions
- Why is Ruby unable to verify an SSL certificate?
- Verify self-signed TLS certificate for HTTPS in Ruby
- How to verify server SSL certificate?
- How to validate SSL certificate chain in ruby with net/http
- How to check SSL certificate encryption with ruby
- How to use a client certificate with HTTPS?
- How do I verify an X.509 certificate with Ruby OpenSSL?
- SSL Client in ruby
- Getting a web server certificate in ruby
- How can I implement custom verification of an SSL certificate in Ruby's SSLServer?