On Wed, May 06, 2020 at 08:44:57PM +0200, Andreas Tengicki wrote:

> I cannot find a working mutual-TLS server/client example on GitHub or
> anywhere on the internet, only some examples for pieces of code.
> Communication via socket without and with encryption (OpenSSL) is
> working, but with mTLS it is not. I believe that I theoretically
> understand mTLS, but in practice it will not work.

Postfix uses an "ask_ccert" configuration boolean to solicit client
certificates.  The associated server-side code (with the SNI ctx
side-effects elided) is:

    /* Request (but do not require) a client certificate, and only once. */
    if (props->ask_ccert)
        verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
    SSL_CTX_set_verify(server_ctx, verify_flags, tls_verify_certificate_callback);

    /* Advertise the acceptable client CA names in the CertificateRequest. */
    if (props->ask_ccert && *props->CAfile) {
        STACK_OF(X509_NAME) *calist = SSL_load_client_CA_file(props->CAfile);

        if (calist == 0) {
            /* Not generally critical */
            msg_warn("error loading client CA names from: %s", props->CAfile);
            tls_print_errors();
        }
        SSL_CTX_set_client_CA_list(server_ctx, calist);
    }

Some clients will not send a certificate unless the server-side client
CA list is non-empty and includes the root CA that issued the client's
cert.

> SSL_CTX_set_ecdh_auto(ctx, 1);
> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
> SSL_CTX_use_certificate_chain_file(ctx, "../certs/client/ca.crt");
> SSL_CTX_use_certificate_file(ctx, "../certs/client/client.crt", SSL_FILETYPE_PEM);
> SSL_CTX_use_PrivateKey_file(ctx, "../certs/client/client.key", SSL_FILETYPE_PEM);

You SHOULD NOT specify both a certificate chain file and a certificate
file.  The ..._chain_file() function loads the leaf cert, and then the
rest of the chain.

> > server:
> 139918902234240:error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify
> failed:../ssl/statem/statem_clnt.c:1915:

Your trust stores don't contain the requisite CAs and/or the chain files
are missing required intermediate certs.

-- 
    Viktor.