Bug #2868 (closed)
Certificate pinning support for client certificates
Description
Today it seems my only option for enabling client certificate verification is by doing something along these lines:
ssl.ca-file = "/etc/lighttpd/ca-client.pem"
ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce = "enable"
ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
The problem is that ssl.ca-file requires a complete chain of trust, which forces me to get the client certificate signed by one of the trusted CAs in my target system's trusted CA bundle. This is problematic in my case. It would be sufficient if I could use certificate pinning instead, which bypasses the trusted CA checks completely and allows me to specify which CA I trust.
I cannot find any option where I can set a certificate pin instead. Is this feature really lacking or am I just missing something in the configuration?
Updated by flynn over 6 years ago
It is no problem to use self signed CA for client certificates you just need to add the root certificate to the pem file pointed to by ssl.ca-file.
The client certificates are validated against the certificates in ssl.ca-file, not the ones in OS e.g. in /etc/ssl/certs/.
What is your problem with this solution?
Updated by iselind over 6 years ago
- File lighttpd.conf added
- File client.key added
- File server.key added
- File client.pem added
- File server.pem added
- File intermediate.cert.pem added
- File ca.cert.pem added
- File server_combined.pem added
- File ca-chain.cert.pem added
When I put my own CA chain file in ssl.ca-file, OpenSSL complains that there is a self-signed certificate in the PEM I point to. I interpret this as OpenSSL "expecting" ssl.ca-file to contain the intermediate CA certs only, with the final step to the actual Root CA to be found in /etc/ssl/certs. Based on your reply this isn't the case then.
If I on the other hand point to the intermediate CA cert only in ssl.ca-file, then OpenSSL complains that it cannot validate the entire chain of trust, as my own Root CA isn't known to Lighttpd in this case.
I'll attach my configuration and certs in hope that you can spot my mistake.
Updated by iselind over 6 years ago
To clarify a bit on the error I get, it's this:
SSL verify error:num=26:unsupported certificate purpose
Updated by iselind over 6 years ago
The client certificates seem to verify just fine:
lighttpd % openssl verify -CAfile ca.cert.pem -untrusted intermediate.cert.pem client.pem
client.pem: OK
lighttpd % openssl verify -CAfile ca-chain.cert.pem client.pem
client.pem: OK
An example of how I try to access the HTTPS + client cert server:
curl --key ca/private/client.key.pem --cert client.pem --cacert ca.cert.pem "https://localhost:3333"
Updated by gstrauss over 6 years ago
> am I just missing something in the configuration?
You are missing multiple things.
First, never post private certificates to a web forum.
Second, please use the forums to ask questions.
https://redmine.lighttpd.net/projects/lighttpd/boards
This is not a bug. If it were a missing feature, it would be a missing feature.
Third, please try reading the documentation.
https://redmine.lighttpd.net/projects/lighttpd/wiki
https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ConfigurationOptions
https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ConfigurationOptions#mod_openssl-TLSSSL-using-openssl
Hint: look at the documentation for config options that start with ssl.*
Finally: please try to understand the options available and try things out before posting questions in the forum.
Updated by iselind over 6 years ago
gstrauss wrote:
> am I just missing something in the configuration?
> You are missing multiple things.
> First, never post private certificates to a web forum.
They are not private certificates; they come from a toy CA never used for anything other than my learning.
> Second, please use the forums to ask questions.
> https://redmine.lighttpd.net/projects/lighttpd/boards
> This is not a bug. If it were a missing feature, it would be a missing feature.
My original question was whether this is a missing feature or whether I'm missing something in the configuration. The answer seems to be that I'm missing something in the documentation.
> Third, please try reading the documentation.
> https://redmine.lighttpd.net/projects/lighttpd/wiki
> https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ConfigurationOptions
> https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ConfigurationOptions#mod_openssl-TLSSSL-using-openssl
> Hint: look at the documentation for config options that start with ssl.*
I have read them, believe me. It might just be that the documentation isn't as clear to me as it is for you...
> Finally: please try to understand the options available and try things out before posting questions in the forum.
I have been trying for two days and cannot get it correct.
I'll try the forum instead. Perhaps I have better luck there...
Updated by gstrauss over 6 years ago
Based on your posts in the forum, you're trying to do way too many things at once.
Please take the standard build and get it working to serve a simple static file. Then make one change, test it, and if it works, make another change. If it does not work, troubleshoot until it works, and then continue. Rinse and repeat.
Updated by gstrauss over 6 years ago
Quoting from: https://stackoverflow.com/questions/11884731/openssl-invalid-purpose
There's an extension keyUsage which specifies what can be done with the certificate. Note that some programs are not using this field.
From X509 documentation:
X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
the supplied certificate cannot be used for the specified purpose.
The man page x509v3_config(5) lists possible values for this parameter and also for another one called extendedKeyUsage.
Updated by gstrauss over 6 years ago
Another explanation:
http://www.openldap.org/lists/openldap-software/200704/msg00129.html
quote:
From the information provided so far, all that's certain is that he has a TLS certificate that is intended for use as a web server authentication certificate. The fact that he's trying to use it in both the server and the client configuration is the problem; the TLS library checks the certificate purpose. The client sent a server cert to the server, and the server won't allow it to be used for client authentication.
So, if the goal is to use certificate-based authentication, then the solution is to generate a proper certificate without any usage restrictions on it, or one that says it can be used for client authentication.
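Added example (POSIX shell plus the openssl command line; not code from the ticket or from the lighttpd project) that reproduces on a throwaway PKI both points made in this thread: flynn's note that ssl.ca-file must carry the whole chain including the self-signed root because the OS trust store is not consulted, and the certificate-purpose check explained above. It builds root -> intermediate -> two client certificates, one with extendedKeyUsage=clientAuth and one carrying serverAuth only, then shows that a plain `openssl verify` (the check run earlier in the ticket) passes both, while `openssl verify -purpose sslclient`, which applies the same purpose test a TLS server does, rejects the server-only certificate, and that a CA file holding only the intermediate fails chain building. All names, paths, serials and extension sections are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the lighttpd ticket or project. Builds a throwaway
# two-tier CA (root -> intermediate) and two client certificates, then checks them
# the way a TLS server does: chain validity AND certificate purpose.
# Every name, path and serial number here is constructed for the demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"

# One config file serves both `openssl req` and the extension sections used at
# signing time. The [dn] section stays empty because subjects come from -subj.
write_config() {
  cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[client_auth]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
[server_auth_only]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# sign NAME ISSUER SERIAL EXTSECTION: issue $WORK/NAME.pem from a fresh key,
# signed by $WORK/ISSUER.{pem,key} with the named extension section.
sign() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -config "$WORK/demo.cnf" \
    -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -set_serial "$3" -days 30 -sha256 -extfile "$WORK/demo.cnf" -extensions "$4" \
    -out "$WORK/$1.pem" 2>/dev/null
}

build_demo_pki() {
  write_config
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/root.key" -subj "/CN=Demo Root CA" \
    -config "$WORK/demo.cnf" -extensions v3_ca -days 30 -sha256 \
    -out "$WORK/root.pem" 2>/dev/null
  sign intermediate root 1001 v3_ca
  sign client-ok intermediate 2001 client_auth
  sign client-wrong-purpose intermediate 2002 server_auth_only
  # What ssl.ca-file must hold: the full chain including the self-signed root,
  # not just the intermediate (the OS trust store is not consulted here).
  cat "$WORK/intermediate.pem" "$WORK/root.pem" > "$WORK/ca-chain.pem"
}

# verify_with CAFILE CERT [extra openssl verify options]: 0 if openssl reports OK.
# The output text is checked rather than the exit status because OpenSSL 1.0.x
# `verify` exits 0 even when verification fails.
verify_with() {
  cafile=$1; cert=$2; shift 2
  openssl verify -CAfile "$cafile" "$@" "$cert" 2>&1 | grep -q ': OK$'
}

# chain_ok CANAME CERTNAME: plain chain check, as the ticket ran it; purpose is
# NOT examined, so a serverAuth-only leaf still passes.
chain_ok() { verify_with "$WORK/$1.pem" "$WORK/$2.pem"; }
# client_purpose_ok CANAME CERTNAME: chain check plus "may this certificate
# authenticate a TLS client?", which is what the server enforces.
client_purpose_ok() { verify_with "$WORK/$1.pem" "$WORK/$2.pem" -purpose sslclient; }

main() {
  build_demo_pki
  for c in client-ok client-wrong-purpose; do
    printf '%-22s chain=%-4s client-purpose=%s\n' "$c" \
      "$(chain_ok ca-chain "$c" && echo OK || echo FAIL)" \
      "$(client_purpose_ok ca-chain "$c" && echo OK || echo FAIL)"
  done
  printf 'client-ok with intermediate-only CA file: %s\n' \
    "$(chain_ok intermediate client-ok && echo OK || echo FAIL)"
}
main
```

Run it as a plain script; the first two result lines show the gap between `openssl verify` and the server's check (client-wrong-purpose is `chain=OK` but `client-purpose=FAIL`), and the last line is the intermediate-only mistake from earlier in the thread. To inspect the extension that decides the outcome, `openssl x509 -in "$WORK/client-wrong-purpose.pem" -noout -ext extendedKeyUsage` shows `TLS Web Server Authentication` where a client certificate needs `TLS Web Client Authentication`.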
Updated by iselind over 6 years ago
Thanks a lot, you're right. The user certificate was indeed holding key usage for an HTTPS server. Everything works after fixing that.
Thanks a lot, you can close this ticket.
Updated by gstrauss over 6 years ago
- Status changed from New to Invalid
Not a bug in lighttpd; marking ticket invalid.
Were this discussion in the support forums (https://redmine.lighttpd.net/projects/lighttpd/boards), I would mark this "[Solved]"