Wednesday, January 25, 2017

Using openssl s_server and openssl s_client to test client certificates

Working out from openssl's man pages how to invoke openssl s_server to experiment with client certificates can be challenging, as that man page carries fewer examples than most of the others. A good understanding of how to set up a CAfile that validates with openssl s_client is helpful here; the general logic is PEM-format certificates joined into a single file. On Unix this is easy with cat rootCA.crt intermediateCA.crt > caFile.crt, and we will be using this caFile.crt throughout this example. This file is expected to hold enough information to validate both the client and the server certificates.

This is easiest to do with two separate terminals with one terminal running the following command:
openssl s_server -accept 10000 -cert server.crt -key server.key -verify 10 -CAfile caFile.crt

And the other terminal running this command:
openssl s_client -connect localhost:10000 -cert client.crt -key client.key -CAfile caFile.crt

For both commands we are using certificates, so we need the certificate itself with -cert and its private key with -key. We already described needing a file containing the CA information used to verify certificates (caFile.crt). It is a required piece for verification on the server side; on the client side it matters less in practice, since s_client proceeds whether or not the server certificate validates and only reports the verification result.

-accept indicates which port to listen on; it is mirrored by the -connect parameter to s_client but is otherwise uninteresting.

The last and most critical piece is -verify, which comes in two versions, -verify and -Verify. Without either parameter s_server does not request a certificate at all. With -verify it requests a certificate but proceeds if one is not sent (something that I describe as 'want'), and with -Verify it requests a certificate and does not proceed if one is not sent (something that I describe as 'need'). The parameter's value is just the maximum depth of the certificate chain, which you would know from working with the CA that issued the certificates. If you aren't worried about verification chain depth for this testing, just pick a big number.

After you have a mutual connection (or a one-sided one), you can type into s_client or s_server and hit return to send the data, as if you had connected with netcat or telnet to a non-TLS port. This is useful in other situations too, such as typing GET / and hitting return twice to send an HTTP GET request to a remote server.
