
Add SSL Client Authentication #246

Open · wants to merge 3 commits into base: master

Conversation

@charno (Contributor) commented Sep 26, 2017

In this Pull Request, SSL Client authentication is added to the library. Besides, the possibility to explicitly select cipher suites is also added. To allow client authentication to work with BoringSSL (OpenSSL Fork), renegotiation_mode has to be set.

Since asio does not abstract all necessary methods, a dependency on openssl/ssl.h has been introduced.

Note: To test with boringssl, please also apply the change at chriskohlhoff/asio#238 to asio (not yet merged upstream)

About licensing: You can use these changes also with your commercial license.

@ben-crowhurst (Member) commented:
Thanks for this PR. I will review shortly when time permits and have it mainlined.

@ben-crowhurst (Member) commented:
Any update on the windows compatible version?

@charno (Contributor, Author) commented Nov 6, 2017

I don't have a Windows development machine, so no.
Having had a short look at the failed test, I'm not sure if the test failed because of this commit. In the test, SSL is not even used. Maybe you can have a look at this on a Windows machine and give me some feedback? I'm happy to make changes or test again, but as said, without a Windows machine I can't debug Windows-specific errors.

@peanutwolf commented:

Hello! Currently I'm trying to use client authentication on the server side. I've merged this PR with base on my local branch.
Restbed was built on a Windows machine with the OpenSSL dependency. Mozilla Firefox was simply used as the client.

I got some strange server behavior. For the first GET request certificates were checked properly, but for the second and following requests from the same client the SSL handshake failed.

Incoming 'GET' request from '[::1]:65249' for route '/resource'.
Failed SSL handshake, 'session id context uninitialized'.
Failed SSL handshake, 'session id context uninitialized'.
Failed SSL handshake, 'session id context uninitialized'.
Failed SSL handshake, 'session id context uninitialized'.

SSLSettings were initialized like this:

ssl_settings->set_client_authentication_enabled(true);
ssl_settings->set_certificate_authority_pool( Uri("file://./CA/") );
ssl_settings->set_private_key( Uri( "file://./keys/key.key" ) );
ssl_settings->set_certificate( Uri( "file://./keys/certificate.crt" ) );

I tried to apply the solution from here: https://stackoverflow.com/q/38658473
It worked, but it still doesn't seem to be the right solution.
Is there any other way to solve this problem, or might it be an issue of treating the asio ssl socket in the wrong way?

@charno (Contributor, Author) commented Jan 7, 2018

Hi, I'm currently on holiday, thus the slow response. I have originally tested the patch on Linux with restbed client and server, and I did not get this error. If you can post the source of a minimal server where the error occurs, I can have a look at it.

One more question: Did you test if this error also happens without enabled ssl client cert authentication, and without this patch? As far as I am aware (not very far ;-)), the ssl session ticket functionality is independent of client authentication.

@peanutwolf commented:

Here is the minimal server code I used to test client authentication: https://gist.github.com/peanutwolf/22bf5096723892d0af175d583b33952b

I also converted client's PEM certificate file and private key to PKCS#12 format to use with my client:
openssl pkcs12 -export -out client.p12 -inkey tmp/ssl/client/key.key -in tmp/ssl/client/certificate.crt -certfile tmp/ssl/CA/ca.pem

And installed client.p12 to Firefox Quantum 57.0.4 (64-bit).

As I said, the first request passes successfully, but after I refresh the page it gives an error.
Service accepting HTTPS connections at 'https://[::]:443'. Resource published on route '/resource'. Incoming 'GET' request from '[::1]:52416' for route '/resource'. Failed SSL handshake, 'session id context uninitialized'.

Could you please check this issue on a Unix platform? I'm not sure if it can be reproduced with openssl s_client, so it's better to use a browser.

@charno (Contributor, Author) commented Jan 10, 2018

Hi,

Can you please check if this problem also happens without client authentication patches? Then we can decide if I (patch author) or the people of Corvusoft have to look at the problem.

Thanks
Christof

@peanutwolf commented:

I've checked for this problem on Corvusoft:master and it doesn't occur. However, the server doesn't verify the peer without the client_authentication setting.
