./botan tls_server is lacking a --trusted-cas= argument #4026
Comments
You're using it correctly. The problem lies in the botan CLI tool that, unfortunately, does not fully support client certificates at the moment. You can enable it via the

As a result, the server will request client-auth during the handshake (because of the policy setting), but won't indicate any acceptable CA. Additionally, the

Note, however, that the limitation is within Botan's CLI tool. The library does support client authentication even if a server does not indicate their acceptable CAs. Typically, users would override the

`--client-cert` option in command line

`./botan tls_server` is lacking a `--trusted-cas=` argument
Many thanks for your explanation, hope this feature can be added in the future.

Hi, if I want to build a project that validates client certificates based on this project: https://github.com/reneme/botan-tls-testserver which part of this project do I need to modify to achieve this? Thanks.
Note to self: we should add an example showcasing a server with client authentication. Anyway, until then:

1. Extend

Hi, I followed the steps above to operate and recompile, but during testing, it still prompts
Here's a complete example that worked for me.

1. Create Test Certificates

Here's a script that generates some test certificates (using Botan's CLI tool):

```sh
./botan keygen --algo=ECDSA --params=secp256r1 --output=ca_priv.pem
./botan keygen --algo=ECDSA --params=secp256r1 --output=server_priv.pem
./botan keygen --algo=ECDSA --params=secp256r1 --output=client_priv.pem
./botan gen_self_signed ca_priv.pem "CA" --ca --country=DE --dns=ca.example --hash=SHA-384 --output=ca_cert.pem
./botan gen_pkcs10 server_priv.pem localhost --output=server_csr.pem
./botan gen_pkcs10 client_priv.pem client --output=client_csr.pem
./botan sign_cert ca_cert.pem ca_priv.pem server_csr.pem --output=server_cert.pem
./botan sign_cert ca_cert.pem ca_priv.pem client_csr.pem --output=client_cert.pem
```

2. Compile the Adapted Test Server

Here's a branch that allows for client authentication: https://github.com/reneme/botan-tls-testserver/tree/spike/client_auth

Compile it.

3. Run the Test Server

I'm assuming that the server is run from the repository's root directory and that the test certificates generated in step 1 are located in this folder as well. Please adapt the file paths as needed:

```sh
./testserver --cert server_cert.pem --key server_priv.pem --port 50443 --policy policies/clientauth.txt --client-auth-ca ca_cert.pem
```

4. Connect a Client

This uses Botan's CLI tool to connect to the test server. In its outputs it should mention "Performing client authentication" before "Handshake complete". Again, I'm assuming that the test certificates of step 1 are available in the same directory.

```sh
./botan tls_client --port=50443 localhost --client-cert=client_cert.pem --client-cert-key=client_priv.pem --trusted-cas=ca_cert.pem
```

Yeah it works now, thanks for your help!
I'm trying to start a TLS server that requires the client to send certificates. I'm launching it using the following command:
where the content of policy.conf is:
Then I try to use the following command to let the client connect to the server:
At this point, both the client and the server are indicating that the client did not send a certificate:
I'd like to inquire whether my usage is not correct or if there's an issue with the corresponding implementation. Many thanks.