Title: Client Side Certificate model

Hi all

I need to implement a client-side certificate model for SSL, specifically the client side (the server side is developed by another party, to which I won't have access until the end of the implementation). The key exchange algorithm used will be RSA and the encryption used will be 3-DES.

Can someone explain to me how this would be accomplished and which peer would need what? (Am I correct to assume that the server will only need the public key and the client will only need the matching digital certificate?)

So far I've been able to establish a connection from the client to OpenSSL's test server by two methods; here's a rough summary of these two methods:

Server Authentication:
CLIENT> Sending Client Hello
SERVER> Sending Server Hello
SERVER> Sending Certificate
SERVER> Sending Server Hello Done
CLIENT> Sending Client Key Exchange
CLIENT> Sending Finished
SERVER> Sending Change cipher spec
SERVER> Sending Finished

Client/Server Authentication:
CLIENT> Sending Client Hello
SERVER> Sending Server Hello
SERVER> Sending Certificate
SERVER> Sending Certificate Request
CLIENT> Sending Client Certificate
CLIENT> Sending Client Key Exchange
CLIENT> Sending Finished
SERVER> Sending Change cipher spec
SERVER> Sending Finished

I'm guessing that the client-side certificate model would be something like the following:

CLIENT> Sending Client Hello
SERVER> Sending Server Hello
CLIENT> Sending Client Certificate
CLIENT> Sending Client Key Exchange
CLIENT> Sending Finished
SERVER> Sending Change cipher spec
SERVER> Sending Finished

Is this correct? Also, is there a way I could use OpenSSL's test server to simulate such a server? The first two scenarios were accomplished using the following commands:

openssl s_server -key privkey.pem -cert cert.crt -accept 6000 -state
and
openssl s_server -key privkey.pem -cert cert.crt -accept 6000 -state -verify 1

I can't seem to find a way to establish a connection without using the private key/certificate on the server side but the provider of the server insists that all they require is the public key.

Thanks a bunch
Denis
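The following is an added example, not code from the original post or from the server provider. It spells out in working code which peer needs which key material for the two handshakes above: with an RSA key exchange the client encrypts the premaster secret to the public key in the server's certificate, so the server needs its own private key and certificate in every case; client authentication is layered on top of that via CertificateRequest / Certificate / CertificateVerify, and what the server needs from the client side is only a trust anchor (the issuing CA's certificate, or the client's own certificate), never the client's private key, while the client needs both its certificate and the matching private key. The script mints a throwaway CA plus CA-signed server and client certificates with the `openssl` CLI (assumed to be on PATH), then runs the handshake in-process with Python's `ssl` module, with the server requiring a client certificate (the equivalent of `s_server -Verify 1`; lowercase `-verify` only requests one and tolerates its absence), and repeats it without a client certificate to show the failure. The subjects `Demo CA`, `localhost` and `demo-client`, the file names, and the functions `make_pki`, `common_name`, `mutual_tls_handshake` and `demo` are this example's own assumptions.

```python
"""Mutual TLS over loopback: which peer needs which key material.

Added example, not from the original post.  Assumes the `openssl` CLI is on
PATH (used only to mint a throwaway CA and CA-signed server/client certs)
and that a loopback port can be bound.  All names here are the example's own.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Minimal `openssl req` config so the root is a real CA (basicConstraints
# CA:TRUE) regardless of the system openssl.cnf.  Constructed for this demo.
REQ_CONFIG = """[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
"""


def make_pki(workdir):
    """Mint a throwaway CA plus CA-signed server and client certificates."""
    def openssl(*args):
        subprocess.run(["openssl", *args], cwd=workdir, check=True,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

    cfg = os.path.join(workdir, "req.cnf")
    with open(cfg, "w") as fh:
        fh.write(REQ_CONFIG)
    openssl("req", "-x509", "-config", cfg, "-newkey", "rsa:2048", "-nodes",
            "-days", "1", "-keyout", "ca.key", "-out", "ca.crt", "-subj", "/CN=Demo CA")
    for name, host in (("server", "localhost"), ("client", "demo-client")):
        ext = os.path.join(workdir, name + ".ext")
        with open(ext, "w") as fh:              # leaf gets a SAN so hostname checks pass
            fh.write("subjectAltName=DNS:" + host + "\n")
        openssl("req", "-config", cfg, "-newkey", "rsa:2048", "-nodes",
                "-keyout", name + ".key", "-out", name + ".csr", "-subj", "/CN=" + host)
        openssl("x509", "-req", "-days", "1", "-in", name + ".csr", "-CA", "ca.crt",
                "-CAkey", "ca.key", "-CAcreateserial", "-extfile", ext, "-out", name + ".crt")
    return {f: os.path.join(workdir, f)
            for f in ("ca.crt", "server.key", "server.crt", "client.key", "client.crt")}


def common_name(cert):
    """Pull the subject CN out of the dict returned by getpeercert()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def mutual_tls_handshake(pki, send_client_cert=True):
    """Run one TLS handshake over loopback and report what each side learned."""
    # Server: its OWN private key + certificate (the client encrypts the premaster
    # secret to this public key), and the CA it trusts for CLIENT certificates.
    # CERT_REQUIRED is the in-process equivalent of `openssl s_server -Verify`.
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(pki["server.crt"], pki["server.key"])
    server_ctx.load_verify_locations(cafile=pki["ca.crt"])
    server_ctx.verify_mode = ssl.CERT_REQUIRED

    # Client: the CA to verify the server, plus its own certificate AND the
    # matching private key (the key signs CertificateVerify to prove possession).
    client_ctx = ssl.create_default_context(cafile=pki["ca.crt"])
    if send_client_cert:
        client_ctx.load_cert_chain(pki["client.crt"], pki["client.key"])

    listener = socket.socket()
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    result = {}

    def serve():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                result["client_cn"] = common_name(tls.getpeercert())
                tls.sendall(b"ok")
        except OSError as exc:                   # SSLError: missing/untrusted client cert
            result["server_error"] = getattr(exc, "reason", None) or str(exc)

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as raw, \
                client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            # Under TLS 1.3 a rejected client certificate only surfaces on the
            # first read, after the client has already sent Finished.
            if tls.recv(2) != b"ok":
                raise ConnectionError("server closed without application data")
            result["server_cn"] = common_name(tls.getpeercert())
            result["ok"] = True
    except OSError as exc:                       # ssl.SSLError is an OSError subclass
        result["ok"] = False
        result["client_error"] = getattr(exc, "reason", None) or str(exc)
    finally:
        worker.join()
        listener.close()
    return result


def demo():
    """Handshake once with a client certificate and once without."""
    with tempfile.TemporaryDirectory() as tmp:
        pki = make_pki(tmp)
        return {"with_cert": mutual_tls_handshake(pki, True),
                "without_cert": mutual_tls_handshake(pki, False)}


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Running it shows the server learning the client's CN (`demo-client`) and the client learning the server's CN (`localhost`) when the client presents its certificate and key; with no client certificate the server refuses the connection and the client sees the failure. Note that the only thing the server ever loads from the client side is `ca.crt`: a server that "only needs the public key" still needs its own `server.key` and `server.crt` to complete the key exchange.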
