Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Verify Incoming SSL Using OpenSSL S_Server

Tags:

ssl

openssl

ssl-certificate

We are wanting to use two way certificate authentication using open ssl.

When we open s_server as follows, the client is able to connect to my server:

openssl s_server -accept 12345 -cert our-cert.pem

(our-cert.pem is our certificate.)

This works fine. However, my requirements are:

  1. Verify that the incoming certificate is valid with a trusted CA, and
  2. Verify the common name is what we expect it to be.

I have tried this:

openssl s_server -accept 12345 -cert our-cert.pem -CApath /etc/ssl/certs/

This allows the client to connect. But my questions are:

  1. How can I be sure that it is validating the incomming SSL is valid and issued by a CA?
  2. How can I validate the Common Name is what I expect?
like image 820
HenryHayes Avatar asked May 20 '13 09:05

HenryHayes

People also ask

What is Openssl S_server?

The s_server command implements a generic SSL/TLS server which listens for connections on a given port using SSL/TLS.

What is Openssl S_client?

DESCRIPTION. The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers.

1 Answers

For the server, you need to add the "-Verify " option to force the client to provide a certificate. The depth is the maximum length of the client certificate chain.

That should take care of question #1.

For #2, I'm not sure there is a way to restrict by Common Name using these OpenSSL commands.

You can see the OpenSSL documentation for the server/client commands here:

s_server

s_client

like image 137
gtrig Avatar answered Oct 19 '22 22:10

gtrig
Sign in to Comment

Related questions

I/O error during system call, Connection reset by peer
SSL authentication by comparing certificate fingerprint?
Implementing TLS 1.2 on Android 2.3.3
Nginx config for WSS
SSL certificate migration from one server to another
Using Gmails Outgoing SMTP from DELPHI(Indy) using TLS
HttpsURLConnection: SSL resumption not working
How to import self-signed SSL certificate to Volley on Android 4.1+
namecheap DNS config does not work with https on Heroku custom domain
Apply SSL into Google Compute Engine Instance
Django channels using secured WebSocket connection - WSS://
hosting multiple SSL certs on apache
iOS HTTPS requests 101
Certificate pinning not working with OkHttp on Android
Android/Java -- How to Create HTTPS Connection?
OpenSSL: explicitly set start/end date using `openssl req`?
how to debug an ssl connection?
iOS 8 has broken SSL connection in my app - CFNetwork SSLHandshake failed (-9806)
why is keycloak removing the SSL in the redirect uri?
openssl ssl_connect blocks forever - how to set timeout?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!