Hi Viktor,
thanks for the quick reply.
> Is this context created just once, or once per (SSL *) connection? Is the
> server single-threaded or multi-threaded?
From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> on behalf of openssl-users-request@xxxxxxxxxxx <openssl-users-request@xxxxxxxxxxx>
Sent: Monday, 30 January 2023, 13:00
To: openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx>
Subject: openssl-users Digest, Vol 98, Issue 23
Send openssl-users mailing list submissions to
openssl-users@xxxxxxxxxxx
To subscribe or unsubscribe via the World Wide Web, visit
https://mta.openssl.org/mailman/listinfo/openssl-users
or, via email, send a message with subject or body 'help' to
openssl-users-request@xxxxxxxxxxx
You can reach the person managing the list at
openssl-users-owner@xxxxxxxxxxx
When replying, please edit your Subject line so it is more specific
than "Re: Contents of openssl-users digest..."
Today's Topics:
1. Setting Up CertStore for TLS Verification (Kreissl, Jochen)
2. Re: Setting Up CertStore for TLS Verification (Viktor Dukhovni)
----------------------------------------------------------------------
Message: 1
Date: Mon, 30 Jan 2023 04:00:13 +0000
From: "Kreissl, Jochen" <Jochen.Kreissl@xxxxxxxxxx>
To: "openssl-users@xxxxxxxxxxx" <openssl-users@xxxxxxxxxxx>
Subject: Setting Up CertStore for TLS Verification
Message-ID:
<DB3PR0102MB3369CBFFFAC859A57C1E5F27FED39@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="windows-1252"
Hi,
I am facing some uncertainties regarding how to properly set up SSL_CTX & SSL structs, so that certificate-based (mutual) authentication works (TLS 1.3).
* Certificates are loaded via an external lib and I get them as binary ASN.1. After parsing them into proper OpenSSL X509 structs, I load them into an X509_STORE with X509_STORE_add_cert
* I use the SSL_CTX_set1_cert_store method to load the thus constructed store into an SSL_CTX
* I also use SSL_add_client_CA to add all CA/root names to the server's list of available CAs (to be sent to the client when initiating mutual auth)
* I have set the verify flag to Verify_Peer via SSL_set_verify
* An instance's chain certs are added via SSL_add1_chain_cert
* An instance's key and leaf cert are added via SSL_use_certificate and SSL_use_PrivateKey respectively
Q1: Is there anything I forgot with regard to the general set-up of the verification process?
Q2: Assume the Verification Certificates are loaded into SSL_CTX after an SSL struct was already created from it. Will the SSL struct "know" of the Certificate Store and access it properly? Or would I have to create a new SSL struct from SSL_CTX in order for this configuration to take effect?
Thanks everyone
Jochen
------------------------------
Message: 2
Date: Sun, 29 Jan 2023 23:50:03 -0500
From: Viktor Dukhovni <openssl-users@xxxxxxxxxxxx>
To: openssl-users@xxxxxxxxxxx
Subject: Re: Setting Up CertStore for TLS Verification
Message-ID: <Y9dMe+5859tv6amI@xxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii
On Mon, Jan 30, 2023 at 04:00:13AM +0000, Kreissl, Jochen wrote:
> I am facing some uncertainties regarding how to properly set up
> SSL_CTX & SSL structs, so that certificate based, (mutual)
> authentication works (TLS 1.3).
>
> * Certificates are loaded via an external lib and I get them as
> binary ASN.1. After parsing them into proper OpenSSL X509
> structs, I load them into an X509_STORE with X509_STORE_add_cert
> * I use the SSL_CTX_set1_cert_store method to load the thus
> constructed store into an SSL_CTX
Is this context created just once, or once per (SSL *) connection? Is
the server single-threaded or multi-threaded?
> * I also use SSL_add_client_CA to add all CA/root names to the
> server's list of available CAs (to be sent to the client when
> initiating mutual auth)
Do the acceptable CA names vary from connection to connection? If not,
and the SSL_CTX is shared, why not preload the CA list into the shared
context?
> * I have set the Verify flag to Verify_Peer via SSL_set_verify
This can be done last, after all other setup is complete.
> * An instance's chain certs are added via SSL_add1_chain_cert
> * An instance's key and leaf cert are added via
> SSL_use_certificate and SSL_use_PrivateKey respectively
Do the key and certificate vary from (SSL *) connection to connection?
If not, why not preload the certificate and private key into the shared
SSL_CTX?
> Q1: Is there anything I forgot with regard to the general set-up of
> the verification process?
Are client certificates unconditionally required? If so, and you want
to terminate handshakes with anonymous clients promptly, you'll also
want the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag in SSL_CTX_set_verify()
or SSL_set_verify(). With TLS 1.3, you can alternatively enable
post-handshake authentication by setting the SSL_VERIFY_POST_HANDSHAKE
flag.
> Q2: Assume the Verification Certificates are loaded into SSL_CTX after
> an SSL struct was already created from it. Will the SSL struct
> "know" of the Certificate Store and access it properly?
No, that's too late. SSL connection operations expect the SSL_CTX
to be immutable (apart from its reference count), clone much of
the content, and shallow-copy the rest. Why would you pre-create
the SSL connection handle???
> Or would I have to create a new SSL struct from SSL_CTX in order
> for this configuration to take effect?
A server typically handles more than one connection at a time, and ends up
creating SSL connections on the fly, with the context already in place.
The use case for connection before context initialisation is unclear
(and in any case doesn't work).
--
Viktor.
------------------------------
Subject: Digest Footer
_______________________________________________
openssl-users mailing list
openssl-users@xxxxxxxxxxx
https://mta.openssl.org/mailman/listinfo/openssl-users
------------------------------
End of openssl-users Digest, Vol 98, Issue 23
*********************************************