Add client authentication to tls.TLSSocket() #4

Open
wbond opened this issue Oct 27, 2015 · 6 comments

Comments

@wbond
Owner

wbond commented Oct 27, 2015

The most complicated part of this is testing. We need to find a reliable way to test various scenarios including:

  • Successful authentication
  • Invalid authentication
  • Weak certificate authentication?

Ideally we would use something like tls-o-matic.com, however they do not provide good and bad client certs to test with.

I have no interest in creating a VM for this since it will complicate testing.

@glyph

glyph commented Oct 30, 2015

You may find https://badssl.com useful :)

@wbond
Owner Author

wbond commented Oct 30, 2015

I use badssl.com and tls-o-matic.com in the tests already. Unfortunately badssl.com doesn't have client auth, I don't believe. And tls-o-matic doesn't seem configured quite right to allow generating various test cases from.

@karlw00t

How should the client act when you have two valid client certificates in the OS trust store?

@wbond
Owner Author

wbond commented Jan 19, 2017

Eventually I ran into issues with tls-o-matic.com downtime. That, combined with the need to be able to provide tests for client certs, caused me to write https://github.com/wbond/badtls.io.

It is designed in such a way that it is fairly easy to add new configurations, although it is tightly-coupled to nginx (and socat) right now. For an enterprising soul, it shouldn't be too hard to add Apache configs.

This gets us the ability to test against a server that allows client auth and requires client auth. However, it only tests interactions with OpenSSL (through nginx for the optional auth, and socat for the required auth). While not a strict requirement for CI, it would be good to test with some other TLS servers, such as IIS, Apache, a Go server, and a Java server.
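
The test matrix from the opening comment (successful, invalid and absent client auth) run against a server that allows versus requires client certificates, as an added, self-contained example rather than code from oscrypto or badtls.io. It uses Python's ssl module, since oscrypto is a Python library, and assumes the `openssl` command-line tool is on PATH (used only to mint a throwaway CA and certificates), so it needs no external host and no VM. The names `test-client`, `rogue-ca`, `localhost` and the helper functions are constructed for this example.

```python
"""Added example (not oscrypto code): local harness for TLS client-cert auth.

Builds a throwaway PKI with the openssl CLI (assumed on PATH), then runs an
in-process client/server handshake for each scenario a client-auth
implementation must handle, against a server that allows (CERT_OPTIONAL) or
requires (CERT_REQUIRED) client certificates."""
import functools
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def build_pki(workdir):
    """Trusted CA, server cert (SAN localhost), a client cert from the trusted
    CA and a client cert from a second CA the server does not trust.
    Returns {name: (key_path, cert_path)}; all names are constructed."""
    pki = {}
    for name in ("ca", "rogue-ca"):
        key, crt = os.path.join(workdir, name + ".key"), os.path.join(workdir, name + ".crt")
        _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "1",
                 "-subj", "/CN=" + name, "-keyout", key, "-out", crt)
        pki[name] = (key, crt)

    def issue(name, issuer, extensions):
        key, csr, crt, ext = (os.path.join(workdir, name + s) for s in (".key", ".csr", ".crt", ".ext"))
        with open(ext, "w") as fh:
            fh.write(extensions)
        _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=" + name,
                 "-keyout", key, "-out", csr)
        _openssl("x509", "-req", "-in", csr, "-CA", pki[issuer][1], "-CAkey", pki[issuer][0],
                 "-CAcreateserial", "-days", "1", "-sha256", "-extfile", ext, "-out", crt)
        return key, crt

    pki["server"] = issue("localhost", "ca", "subjectAltName=DNS:localhost\n")
    pki["client"] = issue("test-client", "ca", "extendedKeyUsage=clientAuth\n")
    pki["rogue-client"] = issue("rogue-client", "rogue-ca", "extendedKeyUsage=clientAuth\n")
    return pki


def run_scenario(pki, verify_mode, client_cert=None):
    """One handshake. Returns (client_outcome, server_peer_cn): 'accepted' or
    'rejected' as seen by the client, plus the CN of the client cert the
    server verified (None if no cert was presented or the handshake failed)."""
    ca_key, ca_crt = pki["ca"]
    srv_key, srv_crt = pki["server"]
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(srv_crt, srv_key)
    srv_ctx.load_verify_locations(cafile=ca_crt)   # CAs accepted for client certs
    srv_ctx.verify_mode = verify_mode              # CERT_OPTIONAL = allows, CERT_REQUIRED = requires

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    observed = {"peer_cn": None}

    def serve():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            with srv_ctx.wrap_socket(conn, server_side=True) as ssock:
                cert = ssock.getpeercert()         # None when no client cert was sent
                if cert:
                    observed["peer_cn"] = dict(rdn[0] for rdn in cert["subject"]).get("commonName")
                ssock.sendall(b"ok")
        except OSError:                            # ssl.SSLError: handshake rejected, alert sent
            pass
        finally:
            listener.close()

    thread = threading.Thread(target=serve)
    thread.start()

    cli_ctx = ssl.create_default_context(cafile=ca_crt)   # verifies the server against the CA
    if client_cert:
        cli_key, cli_crt = client_cert
        cli_ctx.load_cert_chain(cli_crt, cli_key)
    outcome = "rejected"
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with cli_ctx.wrap_socket(raw, server_hostname="localhost") as ssock:
                # Under TLS 1.3 a server-side rejection surfaces at the first
                # read rather than in wrap_socket(), so only a real "ok" counts.
                if ssock.recv(2) == b"ok":
                    outcome = "accepted"
    except OSError:
        pass
    thread.join()
    return outcome, observed["peer_cn"]


def run_matrix(pki):
    """Successful / absent / untrusted client auth x optional / required server."""
    results = {}
    for mode_name, mode in (("optional", ssl.CERT_OPTIONAL), ("required", ssl.CERT_REQUIRED)):
        results[mode_name, "valid"] = run_scenario(pki, mode, pki["client"])
        results[mode_name, "none"] = run_scenario(pki, mode, None)
        results[mode_name, "untrusted"] = run_scenario(pki, mode, pki["rogue-client"])
    return results


@functools.lru_cache(maxsize=None)
def demo():
    with tempfile.TemporaryDirectory() as workdir:
        return run_matrix(build_pki(workdir))


if __name__ == "__main__":
    for (mode, cert), (outcome, cn) in sorted(demo().items()):
        print(f"server={mode:8} client_cert={cert:9} -> {outcome} (server saw CN={cn})")
```

Two points a client-auth implementation has to get right show up in the matrix: a cert the server cannot chain to a trusted CA is rejected even when client auth is merely optional, and with TLS 1.3 the client's handshake can complete before the server's rejection arrives, so the failure is only visible on the first read (the "client authentication required" error a client reports has to be derived from that alert, not from the handshake call alone).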

@jsfrerot

Simply adding a comment to say that this is a feature I would like to see implemented.
I've encountered an issue while trying to validate certificates on servers that require SSL authentication:

oscrypto.errors.TLSError: TLS handshake failed - client authentication required

@wbond
Owner Author

wbond commented Jun 18, 2020

Unfortunately I don't really have time to work on oscrypto these days - it does most of what I've needed, and my projects using it are in need of work before I would have time to invest in this library.

I am open to someone taking up the torch to do the research and implementation of what APIs in OpenSSL, Security Framework (Mac) and SChannel (Windows) need to be called to set up client auth. I can certainly give pointers and review code.

4 participants