1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
This produces the client_cert.pem file that you pass back to the server
from the client. You may also have noticed that it modifies the index.txt
and serial files that you created earlier.
6. Start up the openssl s_server with client certificate support active:
openssl s_server -tls1 -accept 8443 -cert cert.pem -key key.pem -Verify 1 \
-CApath trusted_certs/ -CAfile trusted_certs/root_cert.pem -www
This tells the server to demand a certificate that has been signed by root_cert.pem.
Notice that the server does not need access to the root certificate's
private key to do this; the public key is sufficient to verify a signature, just not
to generate one. Also notice that the certificate presented by the server for its
own authentication need not be — shouldn't be, in fact — the same as the root
certificate that signs client certificates.
Viewing a Mutually-Authenticated TLS Handshake
The following is an examination of a network capture of a mutually authenticated
handshake.
debian:/home/jdavies/devl/test/c/ssl# tcpdump -s 0 -X -i lo tcp port 8443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
… (omitted TCP handshake) …
21:43:42.754999 IP localhost.40795 > localhost.8443: Flags [P.], ack 1, win 257,
options [nop,nop,TS val 103385 ecr 103385], length 50
0x0000: 4500 0066 5ad5 4000 4006 e1ba 7f00 0001 E..fZ.@.@.......
0x0010: 7f00 0001 9f5b 20fb c914 c90b c8dd 0009 .....[..........
0x0020: 8018 0101 fe5a 0000 0101 080a 0001 93d9 .....Z..........
0x0030: 0001 93d9 1603 0100 2d01 0000 2903 014c ........-...)..L
0x0040: 758e 8e00 0000 0000 0000 0000 0000 0000 u...............
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0002 002f 0100 .../..
21:43:42.755151 IP localhost.8443 > localhost.40795: Flags [P.], ack 51, win
256, options [nop,nop,TS val 103385 ecr 103385], length 1124
0x0000: 4500 0498 93d1 4000 4006 a48c 7f00 0001 E.....@.@.......
0x0010: 7f00 0001 20fb 9f5b c8dd 0009 c914 c93d .......[.......=
0x0020: 8018 0100 028d 0000 0101 080a 0001 93d9 ................
0x0030: 0001 93d9 1603 0100 4a02 0000 4603 014c ........J...F..L
0x0040: 758e 8eae 5199 0c93 dbff 9c76 d32f 9066 u...Q......v./.f
0x0050: f168 1527 02ba 4f7e f5d0 fd0f d343 5f20 .h.'..O~.....C_.
0x0060: 7ed6 9019 4e6a 3807 55b2 7e5b 4f72 c0b1 ~...Nj8.U.~[Or..
0x0070: d6bc df1d e49b c57b 9ea1 fd0f 1cb5 85e1 .......{........
0x0080: 002f 0016 0301 0357 0b00 0353 0003 5000 ./.....W...S..P.
0x0090: 034d 3082 0349 3082 02f3 a003 0201 0202 .M0..I0.........
0x00a0: 0900 b5b5 d921 2707 fe0e 300d 0609 2a86 .....!'...0...*.
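To read the ClientHello out of the first packet above, here is an added Python decoder (example code, not from the book or from OpenSSL) that rebuilds the packet from the pasted tcpdump -X lines, strips the IP and TCP headers using their own length fields, and walks the TLS record header, the handshake header, and the hello body. It goes slightly beyond the capture by also handling the ServerHello layout (handshake type 2), which differs only in carrying a single chosen cipher suite and compression method.

```python
import struct
# ClientHello packet from the tcpdump capture above, pasted verbatim (constructed
# input for this example); the trailing ASCII column is ignored when rebuilding.
CLIENT_HELLO_DUMP = """
0x0000: 4500 0066 5ad5 4000 4006 e1ba 7f00 0001 E..fZ.@.@.......
0x0010: 7f00 0001 9f5b 20fb c914 c90b c8dd 0009 .....[..........
0x0020: 8018 0101 fe5a 0000 0101 080a 0001 93d9 .....Z..........
0x0030: 0001 93d9 1603 0100 2d01 0000 2903 014c ........-...)..L
0x0040: 758e 8e00 0000 0000 0000 0000 0000 0000 u...............
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0002 002f 0100 .../..
"""

def dump_to_bytes(dump):
    """Rebuild raw packet bytes from `tcpdump -X` lines: offset, up to 8 hex words, ASCII."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for word in line.split()[1:9]:
            if len(word) != 4 or not all(c in "0123456789abcdef" for c in word):
                break                           # reached the ASCII column of a short line
            out += bytes.fromhex(word)
    return bytes(out)

def tcp_payload(pkt):
    """Strip the IPv4 and TCP headers using their own length fields (IHL, data offset)."""
    ihl = (pkt[0] & 0x0F) * 4
    data_off = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + data_off:]

def parse_hello(payload):
    """Decode one Handshake record holding a ClientHello (type 1) or ServerHello (type 2)."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", payload[:5])
    assert ctype == 22, "not a Handshake record"
    body = payload[5:5 + rec_len]
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    h = body[4:4 + hlen]
    info = {"record_version": rec_ver, "handshake_type": htype, "random": h[2:34],
            "version": struct.unpack("!H", h[:2])[0], "gmt_unix_time": struct.unpack("!I", h[2:6])[0]}
    p = 35 + h[34]                              # session_id is length-prefixed
    info["session_id"] = h[35:p]
    if htype == 1:                              # ClientHello: suite list, compression list
        n = struct.unpack("!H", h[p:p + 2])[0]
        info["cipher_suites"] = [struct.unpack("!H", h[i:i + 2])[0] for i in range(p + 2, p + 2 + n, 2)]
        p += 2 + n
        info["compression"] = list(h[p + 1:p + 1 + h[p]])
    elif htype == 2:                            # ServerHello: the single chosen suite/method
        info["cipher_suites"] = [struct.unpack("!H", h[p:p + 2])[0]]
        info["compression"] = [h[p + 2]]
    return info
```

Decoding this packet shows a TLS 1.0 ClientHello whose 32-byte random is the timestamp 0x4c758e8e followed by 28 zero bytes, an empty session ID, the single suite 0x002f (TLS_RSA_WITH_AES_128_CBC_SHA) and null compression; run on the ServerHello record of the next packet it returns the 32-byte session ID the server assigned and the same selected suite.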