Project

General

Profile

Bug #2868

Certificate pinning support for client certificates

Added by iselind 10 months ago. Updated 9 months ago.

Status:
Invalid
Priority:
Normal
Assignee:
-
Category:
TLS
Target version:
Start date:
2018-02-22
Due date:
% Done:

0%

Estimated time:
Missing in 1.5.x:

Description

Today it seems my only option for enabling client certificate verification is by doing something along these lines:

    ssl.ca-file = "/etc/lighttpd/ca-client.pem" 
    ssl.verifyclient.activate = "enable" 
    ssl.verifyclient.enforce = "enable" 
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN" 

The problem is that ssl.ca-file require a complete chain of trust. Which force me to get the client certificate signed by one of the trusted CAs in my target system's trusted CA bundle. This is problematic in my case. It would be sufficient if i can use certificate pinning instead which bypass the trusted CA checks completely and allow me to specify which CA i trust.

I cannot find any option where i can set a certificate pin instead. Is this feature really lacking or am i just missing something in the configuration?

client.key (1.64 KB) client.key Client cert keys iselind, 2018-02-22 14:28
lighttpd.conf (574 Bytes) lighttpd.conf my lighttpd configuration iselind, 2018-02-22 14:28
server.key (1.64 KB) server.key HTTPS server keys iselind, 2018-02-22 14:28
client.pem (1.93 KB) client.pem Client cert iselind, 2018-02-22 14:28
server.pem (1.93 KB) server.pem HTTPS server cert iselind, 2018-02-22 14:28
intermediate.cert.pem (1.99 KB) intermediate.cert.pem intermediate CA cert iselind, 2018-02-22 14:28
ca.cert.pem (2.02 KB) ca.cert.pem root CA cert iselind, 2018-02-22 14:28
server_combined.pem (3.57 KB) server_combined.pem server.{key,pem} combined into one with cat iselind, 2018-02-22 14:28
ca-chain.cert.pem (4.01 KB) ca-chain.cert.pem ca.cert.pem and intermediate.cert.pem combined with cat iselind, 2018-02-22 14:28

History

#1

Updated by flynn 10 months ago

It is no problem to use self signed CA for client certificates you just need to add the root certificate to the pem file pointed to by ssl.ca-file.

The client certificates are validated against the certificates in ssl.ca-file, not the ones in OS e.g. in /etc/ssl/certs/.

What is your problem with this solution?

#2

Updated by iselind 10 months ago

When I put my own CA chain file in ssl.ca-file, I get the issue that OpenSSL complain that there is a self signed certificate in the pem I point to. I interpret this as OpenSSL "expect" ssl.ca-file should contain the intermediate CA certs only and the final step to the actual Root CA be found in /etc/ssl/certs. Based on your reply this isn't the case then.

If I on the other hand point to the intermediate CA cert only in ssl.ca-file, then OpenSSL complain that it cannot validate the entire chain of trust, as my own Root CA isn't known to Lighttpd in this case.

I'll attach my configuration and certs in hope that you can spot my mistake.

#3

Updated by iselind 10 months ago

To clarify a bit on the error i get, it's this: SSL verify error:num=26:unsupported certificate purpose

#4

Updated by iselind 10 months ago

The client certificates seem to verify just fine:

lighttpd % openssl verify -CAfile ca.cert.pem -untrusted intermediate.cert.pem client.pem 
client.pem: OK
lighttpd % openssl verify -CAfile ca-chain.cert.pem client.pem 
client.pem: OK

An example of how i try to access the HTTPS + client cert server:

curl --key ca/private/client.key.pem --cert client.pem --cacert ca.cert.pem "https://localhost:3333" 

#5

Updated by gstrauss 10 months ago

am i just missing something in the configuration?

You are missing multiple things.

First, never post private certificates to a web forum.

Second, please use the forums to ask questions.
https://redmine.lighttpd.net/projects/lighttpd/boards

This is not a bug. If it were a missing feature, it would be a missing feature.

Third, please try reading the documentation.
https://redmine.lighttpd.net/projects/lighttpd/wiki
https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ConfigurationOptions
https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ConfigurationOptions#mod_openssl-TLSSSL-using-openssl

Hint: look at the documentation for config options that start with ssl.*

Finally: please try to understand the options available and try things out before posting questions in the forum.

#6

Updated by iselind 10 months ago

gstrauss wrote:

am i just missing something in the configuration?

You are missing multiple things.

First, never post private certificates to a web forum.

They are not private certificates, they come from a toy CA never used for anything other than my learning.

Second, please use the forums to ask questions.
https://redmine.lighttpd.net/projects/lighttpd/boards

This is not a bug. If it were a missing feature, it would be a missing feature.

My original question was if this is a missing feature or if i'm missing something in the configuration. The answer seems to be that i'm missing something in the documentation.

Third, please try reading the documentation.
https://redmine.lighttpd.net/projects/lighttpd/wiki
https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ConfigurationOptions
https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ConfigurationOptions#mod_openssl-TLSSSL-using-openssl

Hint: look at the documentation for config options that start with ssl.*

I have read them, believe me. It might just be that the documentation isn't as clear to me as it's for you...

Finally: please try to understand the options available and try things out before posting questions in the forum.

I have been trying for two days and cannot get it correct.

I'll try the forum instead. Perhaps i have better luck there...

#7

Updated by gstrauss 10 months ago

Based on your posts in the forum, you're trying to do way too many things at once.

Please take the standard build and get it working to serve a simple static file. Then make one change, test it, and if it works, make another change. If it does not work, troubleshoot until it works, and then continue. Rinse and repeat.

#8

Updated by gstrauss 9 months ago

Quoting from: https://stackoverflow.com/questions/11884731/openssl-invalid-purpose

There's an extension keyUsage which specifies what can be done with the certificate. Note that some programs are not using this field.

From X509 documentation:

X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
the supplied certificate cannot be used for the specified purpose.

Man page x509v3_config(5) lists possible values for the parameter and also for another called extendedKeyUsage

#9

Updated by gstrauss 9 months ago

Another explanation:

http://www.openldap.org/lists/openldap-software/200704/msg00129.html

quote:

From the information provided so far, all that's certain is that he has a TLS certificate that is intended for use as a web server authentication certificate. The fact that he's trying to use it in both the server and the client configuration is the problem; the TLS library checks the certificate purpose. The client sent a server cert to the server, and the server won't allow it to be used for client authentication.

So, if the goal is to use certificate-based authentication, then the solution is to generate a proper certificate without any usage restrictions on it, or one that says it can be used for client authentication.

#10

Updated by iselind 9 months ago

Thanks a lot, your right. The user certificate was indeed holding key usage for an HTTPS server. Everything works after fixing that.

Thanks a lot, you can close this ticket

#11

Updated by gstrauss 9 months ago

  • Status changed from New to Invalid

Not a bug in lighttpd; marking ticket invalid.

Were this discussion in the support forums (https://redmine.lighttpd.net/projects/lighttpd/boards), I would mark this "[Solved]"

Also available in: Atom