If anyone could share a code snippet for mutual certificate authentication using VERIFY_PEER (client verifying the server and the server requiring a verified client certificate), even that would be helpful.
// NOTE(review): InsecureSkipHostVerification only skips matching the
// certificate against the dialed host name ("localhost"); the chain is still
// verified according to ctx.SetVerify, so this flag does not make a
// "certificate verify failed" error go away. It also lets any certificate the
// trust store accepts impersonate the server, so it should not be used outside
// local testing.
flags := openssl.InsecureSkipHostVerification
conn, err := openssl.Dial("tcp", "localhost:8443", ctx, flags)
Client Code: --->
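// Client side of the mutual-TLS example: presents client.crt/client.key,
// trusts the server certificate loaded below, and aborts the handshake if the
// server chain does not verify.
func main() {
	ctx, err := openssl.NewCtxFromFiles("./client_cert/public/client.crt", "./client_cert/private/client.key")
	if err != nil {
		log.Fatal(err)
	}
	// LoadVerifyLocations(caFile, caPath): the second argument is an OpenSSL
	// CApath, which is only searched if the directory has been hashed
	// (`openssl rehash` / `c_rehash`, producing <subject-hash>.0 links). A
	// directory that merely contains server.crt yields no trusted roots, and
	// the client then fails with "certificate verify failed" — presumably the
	// error reported in this issue. Either rehash the directory or pass the
	// PEM file as the first argument and "" as the second.
	if err := ctx.LoadVerifyLocations("", "./public/server_cert"); err != nil {
		log.Fatal(err)
	}
	// VerifyPeer makes a failed chain verification fatal for the handshake.
	// Hostname matching is done separately by Dial (flags == 0 keeps it on);
	// the server certificate pasted in this issue has CN=* and no visible SAN,
	// so it is unlikely to match "localhost" once chain verification passes —
	// reissue it with SAN DNS:localhost rather than disabling host checks.
	ctx.SetVerify(openssl.VerifyPeer, nil)
	conn, err := openssl.Dial("tcp", "localhost:8443", ctx, 0)
	if err != nil {
		fmt.Println(err.Error())
		return
	}
	// The original snippet never closed the connection.
	defer conn.Close()
}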
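// Server side of the mutual-TLS example: presents server.crt/server.key,
// trusts the client certificate loaded below, and requires every client to
// present a certificate that verifies against it.
func main() {
	ctx, err := openssl.NewCtxFromFiles("./server_cert/public/server.crt", "./server_cert/private/server.key")
	if err != nil {
		log.Fatal(err)
	}
	// Second argument is a CApath: it must be a hashed directory
	// (`openssl rehash` / `c_rehash`), otherwise no trusted roots are loaded.
	// Passing the client PEM as the first argument avoids that requirement.
	if err := ctx.LoadVerifyLocations("", "./public/client_cert"); err != nil {
		log.Fatal(err)
	}
	// VerifyPeer alone only *requests* a client certificate: a client that
	// sends none still completes the handshake and reaches handleRequest.
	// Mutual authentication requires VerifyFailIfNoPeerCert as well.
	ctx.SetVerify(openssl.VerifyPeer|openssl.VerifyFailIfNoPeerCert, nil)
	l, err := openssl.Listen("tcp", "localhost:8443", ctx)
	if err != nil {
		fmt.Println("Error listening:", err.Error())
		os.Exit(1)
	}
	// Close the listener when the application closes.
	defer l.Close()
	for {
		// Listen for an incoming connection. With this binding the TLS
		// handshake is presumably completed lazily on the first Read/Write, so
		// client-certificate failures surface inside handleRequest, not here.
		conn, err := l.Accept()
		if err != nil {
			fmt.Println("Error accepting: ", err.Error())
			os.Exit(1)
		}
		// Handle connections in a new goroutine.
		go handleRequest(conn)
	}
}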
Server Certificate: ----------> Certificate: Data: Version: 3 (0x2) Serial Number: c0:8a:38:0c:37:1b:1b:60 Signature Algorithm: sha256WithRSAEncryption Issuer: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=* Validity Not Before: Apr 8 18:37:59 2019 GMT Not After : Apr 5 18:37:59 2029 GMT Subject: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=* Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a9:a1:10:a7:13:45:3d:67:52:8f:af:32:29:a9: 9f:d8:76:72:f4:01:ab:5b:f2:d9:60:ca:e1:a7:6b: b7:b3:6b:1c:e4:e4:e9:c6:ed:a6:f6:fb:65:b2:b7: 31:6c:fb:80:9b:d9:b3:40:c3:f6:82:00:b0:84:0d: ba:da:b0:f5:62:3a:e3:b3:18:2c:33:6f:3a:95:66: a6:0c:e3:b1:eb:01:97:36:29:16:be:16:0c:58:98: ea:44:f8:48:25:08:5d:a7:d5:c9:16:d4:b0:c0:4d: c9:44:13:98:aa:20:09:09:9f:0d:11:3e:c5:b1:27: b2:2e:c7:f7:38:aa:f3:b5:4c:dd:c1:fa:a8:92:6b: 0f:25:0d:2a:aa:1e:b9:4d:57:3f:28:4d:ae:bb:0e: b0:84:4c:89:04:8c:02:4d:2b:16:23:e5:81:73:08: a9:4b:1e:81:08:a8:6e:8d:b1:28:cc:35:0d:0c:be: 31:fa:54:13:02:7b:74:28:6a:c1:c3:9d:99:94:c6: 6f:32:57:6f:13:12:f7:32:01:59:23:63:44:11:a8: 1c:68:a2:43:78:b3:07:b4:ed:3d:c9:55:4c:ba:12: ac:08:15:98:75:34:8a:93:84:01:97:33:7a:fd:ce: ce:5b:9e:29:17:0e:34:15:bd:aa:42:7c:a7:c1:c6: c8:8f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: C8:85:6D:F5:1C:42:59:0F:78:26:42:30:F5:6E:14:55:01:21:17:0F X509v3 Authority Key Identifier: keyid:C8:85:6D:F5:1C:42:59:0F:78:26:42:30:F5:6E:14:55:01:21:17:0F [the CN asterisk was swallowed by the markdown renderer; the extension list is truncated in the paste — the PEM below also carries X509v3 Basic Constraints: CA:TRUE, and Issuer == Subject with matching key identifiers, i.e. this is a self-signed CA certificate with no Subject Alternative Name]
-----BEGIN CERTIFICATE----- MIIDrTCCApWgAwIBAgIJAMCKOAw3GxtgMA0GCSqGSIb3DQEBCwUAMG0xCzAJBgNV BAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjEYMBYGA1UE CgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MQowCAYD VQQDDAEqMB4XDTE5MDQwODE4Mzc1OVoXDTI5MDQwNTE4Mzc1OVowbTELMAkGA1UE BhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9uZG9uMRgwFgYDVQQK DA9HbG9iYWwgU2VjdXJpdHkxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxCjAIBgNV BAMMASowggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpoRCnE0U9Z1KP rzIpqZ/YdnL0Aatb8tlgyuGna7ezaxzk5OnG7ab2+2WytzFs+4Cb2bNAw/aCALCE DbrasPViOuOzGCwzbzqVZqYM47HrAZc2KRa+FgxYmOpE+EglCF2n1ckW1LDATclE E5iqIAkJnw0RPsWxJ7Iux/c4qvO1TN3B+qiSaw8lDSqqHrlNVz8oTa67DrCETIkE jAJNKxYj5YFzCKlLHoEIqG6NsSjMNQ0MvjH6VBMCe3QoasHDnZmUxm8yV28TEvcy AVkjY0QRqBxookN4swe07T3JVUy6EqwIFZh1NIqThAGXM3r9zs5bnikXDjQVvapC fKfBxsiPAgMBAAGjUDBOMB0GA1UdDgQWBBTIhW31HEJZD3gmQjD1bhRVASEXDzAf BgNVHSMEGDAWgBTIhW31HEJZD3gmQjD1bhRVASEXDzAMBgNVHRMEBTADAQH/MA0G CSqGSIb3DQEBCwUAA4IBAQBe3rsvy47oSSithvOHRU+or42URaMrfdvpz/99lu9t Kowbacqpc4oIzLwKLwEQaZCtVHpopcHfMbrvY4+eN0oh9EZEwbwVQnywQkvZ4yCN TW50T1/cdmAyQlKmssO3uwjUkmsEzUbY6Rjx9AidRCzMI5pDBn5mcCWBvOrUirZS 6jBr76000HGRH7Ko8iXdSLe2w+r5KMRy6cG+mMKzQOoEToQsz/wAVA4r4Jzqh1yD HuxCpW+MDx19CcXzPs7qEg36JZmY4rDFO4h+GLd+AWPo/B/0HRTkziIfT9/lJalX ECGJ188OVh6aVU7EDwqX/WNK1L8D3o6Il6sgXfqyeoVn -----END CERTIFICATE-----
Client Certificate:------> Certificate: Data: Version: 3 (0x2) Serial Number: d7:1f:6e:64:86:af:1a:15 Signature Algorithm: sha256WithRSAEncryption Issuer: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=* Validity Not Before: Apr 8 18:38:33 2019 GMT Not After : Apr 5 18:38:33 2029 GMT Subject: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=* Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:98:b8:a9:c1:dd:4e:50:2b:36:75:75:bf:4b:d9: 8e:54:90:1b:4e:fa:28:75:4a:40:e5:c7:48:d9:78: f8:69:7d:90:c9:a7:46:bf:74:bb:30:63:1f:cb:c1: eb:99:22:93:6a:b1:c3:27:42:e8:1a:06:ae:95:77: bb:b2:5b:5d:33:81:39:b6:25:d6:58:be:c1:93:dc: 68:73:70:e6:2f:af:6a:c2:f9:1f:4f:1b:9d:22:82: 85:1a:c2:a8:28:3c:49:e5:ae:ee:cf:4b:a7:2d:81: 4a:b7:56:af:10:39:36:2d:7f:58:4d:c0:86:b6:d6: 84:7a:d2:db:6c:2e:03:1d:e2:60:90:7c:db:0c:20: 6d:30:60:c9:3b:f0:7d:3b:84:f8:5f:30:40:60:55: 15:74:1c:ca:cd:ff:da:c3:28:95:7b:06:c0:de:e6: 33:b7:4a:24:d6:31:7b:8d:4b:ee:10:39:2b:64:75: 33:8a:96:8f:b5:e5:b8:75:a8:2e:49:94:e5:d1:33: 7e:1c:78:98:02:13:7b:14:39:47:35:74:b3:fc:8d: 0d:1c:87:ce:5e:7a:35:1e:93:fe:ef:e0:84:34:7b: f9:ac:52:db:9a:d0:1f:03:fe:4d:d6:f5:c3:a6:3c: 66:26:c9:b7:8d:49:56:57:a1:86:7f:1d:bd:12:0f: 4f:a3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 5A:90:D3:E2:C1:1A:A8:8D:42:23:11:8F:59:86:A2:56:58:4E:0A:52 X509v3 Authority Key Identifier: keyid:5A:90:D3:E2:C1:1A:A8:8D:42:23:11:8F:59:86:A2:56:58:4E:0A:52 [the CN asterisk was swallowed by the markdown renderer; as with the server certificate, the PEM below also carries X509v3 Basic Constraints: CA:TRUE and is self-signed, so the server must load it directly as a trusted root]
-----BEGIN CERTIFICATE----- MIIDrTCCApWgAwIBAgIJANcfbmSGrxoVMA0GCSqGSIb3DQEBCwUAMG0xCzAJBgNV BAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjEYMBYGA1UE CgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MQowCAYD VQQDDAEqMB4XDTE5MDQwODE4MzgzM1oXDTI5MDQwNTE4MzgzM1owbTELMAkGA1UE BhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9uZG9uMRgwFgYDVQQK DA9HbG9iYWwgU2VjdXJpdHkxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxCjAIBgNV BAMMASowggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYuKnB3U5QKzZ1 db9L2Y5UkBtO+ih1SkDlx0jZePhpfZDJp0a/dLswYx/LweuZIpNqscMnQugaBq6V d7uyW10zgTm2JdZYvsGT3GhzcOYvr2rC+R9PG50igoUawqgoPEnlru7PS6ctgUq3 Vq8QOTYtf1hNwIa21oR60ttsLgMd4mCQfNsMIG0wYMk78H07hPhfMEBgVRV0HMrN /9rDKJV7BsDe5jO3SiTWMXuNS+4QOStkdTOKlo+15bh1qC5JlOXRM34ceJgCE3sU OUc1dLP8jQ0ch85eejUek/7v4IQ0e/msUtua0B8D/k3W9cOmPGYmybeNSVZXoYZ/ Hb0SD0+jAgMBAAGjUDBOMB0GA1UdDgQWBBRakNPiwRqojUIjEY9ZhqJWWE4KUjAf BgNVHSMEGDAWgBRakNPiwRqojUIjEY9ZhqJWWE4KUjAMBgNVHRMEBTADAQH/MA0G CSqGSIb3DQEBCwUAA4IBAQBwUc01QjQSyIJ5rpeMzd1AWg4ktUkOnupZSXD8UtXr 1bf299uwFHFi91Ij3EUs+9PaVGNjoN0UYSgzxvljRECIVTOFBRb+bj/UYrTxxR3l Tmd/2NlUQkJutN0mlg0JKms61Dheip0zBKYxpY0IoNhy+WljVME3dRhNF1v4QnHr LGu8tg6FIzNSw8LwdAV6mwrvYC1Drle7kXC3ej7VxoIjObUKk+87PX4E9nAtXcbW gaujM9yMjwk0KrxUpHefbtnYbXlQ647yefibh2HtQtuRmVfxjdbi+RkjxKGoXSk6 lax6jln5NA1FkxiTsSCEJ8kZsyhL++PFaWTADpTSXk2E -----END CERTIFICATE-----
What am I trying to achieve: -----> Mutual certificate authentication between server and client, for which I need to use VERIFY_PEER on both sides. Each side is self-signed and is loaded directly as the other side's trust anchor. I am not sure whether my code is correct or whether I am missing something.
Issue: ---->
I get "SSL errors: SSL routines:tls_process_server_certificate:certificate verify failed" when I try to connect to the server. (tls_process_server_certificate is the client-side step that checks the server's certificate, so the client is failing to build a trusted chain for server.crt before any hostname check happens.) Am I missing a step or doing something wrong?
Any help is appreciated!!