Hello Jeffrey,
Are you aware that client and server certificates are two very different
things? The example you're trying expects client certificates, but in your
command descriptions you only talk about the server certificates, not about
what you do with the browser. This cannot work. Client certificates are
installed in the browser (or on a smartcard connected to the browser).
The client example can e.g. be used to authenticate a user based on his ID
card (in Belgium, all ID cards are smart cards that have a government
signed authentication certificate on them).
Is that what you plan to do?
From the top of my head, the procedure is about this (assuming you want to
be your own CA):
- generate a root CA
- generate an authentication certificate for a user
- generate a signing request for the authentication certificate
- sign authentication certificate with root CA private key
- install root CA public key as trusted root CA in the browser or the
operating system
- copy the root CA public key also to the server; make wt aware of it using
option ssl-ca-certificates
- install private key of the authentication certificate in your browser
- generate a proper SSL certificate for your server. Self-signed
certificates will not work, but you have a root CA now that you can use.
The whole procedure is quite tricky. In my experience, the browser will not
successfully authenticate itself unless you get the trust chain of each
piece of this puzzle right.
BR,
Wim.
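The CA procedure Wim sketches above, worked through as an added example; this is not Wt's code nor anything posted in the thread, and it assumes the openssl command-line tool plus constructed subject names, host name and PKCS#12 password. It also adds the extensions (CA:TRUE, clientAuth/serverAuth, SAN) and the chain check that the list of steps leaves implicit.

```shell
# Added example, not from Wt or this thread: a throwaway private CA that issues a
# client (authentication) certificate and a CA-signed server certificate, then
# checks that both chain back to the root. Assumes the openssl CLI; all names,
# the host and the PKCS#12 password are constructed.

# Root CA: self-signed, marked CA:TRUE, and the only key that ever signs anything.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Demo/CN=Demo Root CA" \
    -keyout ca.key -out ca.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\nsubjectKeyIdentifier=hash\n' > ca.ext
  openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -extfile ca.ext -out ca.crt 2>/dev/null
  chmod 600 ca.key
}

# Any leaf: key + signing request, then sign with the CA key (not -signkey, which
# would make it self-signed). $1 = file prefix, $2 = subject, $3 = extra extensions.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n%b' "$3" > "$1.ext"
  openssl x509 -req -days 365 -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  chmod 600 "$1.key"
}

# User certificate with the clientAuth EKU, packed as PKCS#12 so key, certificate
# and issuing CA are imported into the browser together ("Alice" is constructed).
make_client_cert() {
  issue_cert user "/O=Demo/CN=Alice" "keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n"
  openssl pkcs12 -export -in user.crt -inkey user.key -certfile ca.crt \
    -passout pass:changeit -out user.p12
}

# Server certificate signed by the same CA (not self-signed), with a SAN for the host.
make_server_cert() {
  issue_cert server "/O=Demo/CN=localhost" \
    "keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost\n"
}

# The check Wim's message insists on: each leaf must verify against ca.crt alone.
verify_chain() {
  openssl verify -CAfile ca.crt user.crt >/dev/null 2>&1 &&
    openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1
}

# Wt then takes --ssl-ca-certificates=ca.crt (trust anchor for client certificates),
# --ssl-certificate=server.crt and --ssl-private-key=server.key. --ssl-tmp-dh wants
# DH parameters ("openssl dhparam"), not a key/certificate bundle.
```

Run `make_ca; make_client_cert; make_server_cert; verify_chain` in an empty directory, then import user.p12 into the browser and ca.crt into its trusted root store.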
2014-02-11 Jeffrey Scott Flesher Gmail <jeffrey.scott.fles...@gmail.com>:
> Q: How did you create your client certificate?
> A: I used this script to create the Cert:
>
> chmod 755 /etc/ssl/private/www_wittywizard_org_ssl.key
> chmod 755 /etc/ssl/private/www_wittywizard_org_nk_ssl.key
> openssl req -new -newkey rsa:2048 -nodes -out www_wittywizard_org_ssl.csr \
>   -keyout www_wittywizard_org_ssl.key \
>   -subj "/C=US/ST=Oregon/L=Terrebonne/O=Witty Wizard/CN=www.wittywizard.org"
> openssl x509 -req -days 365 -in www_wittywizard_org_ssl.csr \
>   -signkey www_wittywizard_org_ssl.key -out www_wittywizard_org_ssl.crt
> cp -f www_wittywizard_org_ssl.crt /etc/ssl/certs/www_wittywizard_org_ssl.crt
> cp -f www_wittywizard_org_ssl.key /etc/ssl/private/www_wittywizard_org_ssl.key
> cp -f www_wittywizard_org_ssl.key /etc/ssl/private/www_wittywizard_org_nk_ssl.key
> cat www_wittywizard_org_ssl.key www_wittywizard_org_ssl.crt \
>   > /etc/ssl/certs/www_wittywizard_org_ssl.pem
> chmod 400 /etc/ssl/private/www_wittywizard_org_ssl.key
> chmod 400 /etc/ssl/private/www_wittywizard_org_nk_ssl.key
>
> Note: www_wittywizard_org_nk_ssl.key was used when I signed it with a
> password; otherwise www_wittywizard_org_ssl.key is the same.
> I did this to use the certs I created at StartSSL.com, so I created a
> signed key, then decrypted it, then I cat'd them as above, so I did not
> get the message to enter a password.
>
> Q: how did you add it to your browser?
> A: I am running it from Qt Creator, so I add it to the run arguments:
> --docroot . --http-address 0.0.0.0 --http-port 8080
> --https-address=0.0.0.0 --https-port=4430
> --ssl-certificate=/etc/ssl/certs/www_wittywizard_org_ssl.crt
> --ssl-private-key=/etc/ssl/private/www_wittywizard_org_nk_ssl.key
> --ssl-tmp-dh=/etc/ssl/certs/www_wittywizard_org_ssl.pem --ssl-enable-v3
> --ssl-client-verification=required --ssl-verify-depth=15
> --ssl-ca-certificates=/etc/ssl/certs/www_wittywizard_org_ssl.crt
>
> then I did an https://localhost:4430, but I get the below error, so the
> service is never started
>
> Q: Did you also add your CA root certificate to the browser?
> A: Yes and No
> I did with the ones I created at StartSSL.com, but I did not for the
> self-signed, since I can not get the browser to start up, I get an error:
> *(asio) use_tmp_dh_file: no start line*
>
> Notes:
> --ssl-ca-certificates and --ssl-certificate are the same; are they supposed
> to be?
>
> There should be detailed instructions on how to do this in the read me
> file, do not assume everyone knows how to do this right the first time.
>
>
> On Mon, 2014-02-10 at 11:51 +0100, Wim Dumon wrote:
>
> Hi Jeffrey,
>
> Client SSL certificates for authentication do not require Apache.
>
> How did you create your client certificate, and how did you add it to your
> browser? Did you also add your CA root certificate to the browser?
>
> Best regards,
> Wim.
>
> 2014-02-01 Jeffrey Scott Flesher Gmail <jeffrey.scott.fles...@gmail.com>:
>
> Do you need to have Apache set up on the machine if you are only using
> wt-httpd in the methods in your example SSLClientAuth?
>
> I have set up a self-signed cert; I am using Qt Creator with the run command:
> --docroot . --http-address 0.0.0.0 --http-port 8080 --ssl-certificate
> /etc/httpd/conf/server.crt --ssl-private-key /etc/httpd/conf/server.key
> --ssl-tmp-dh=projects/ssl/dh512.pem --ssl-enable-v3
> --ssl-client-verification=required --ssl-verify-depth=15
> --ssl-ca-certificates=/etc/httpd/conf/server.crt
>
> Note: I do not have ssl-tmp-dh, nor do I know if it's required, but I get the
> same results without it; in fact, the same with just --docroot . --http-address
> 0.0.0.0 --http-port 8080,
> which makes me wonder if I am doing this right.
>
> I used this script to create the Cert:
> cd /etc/httpd/conf/
> sudo openssl genrsa -out server.key 4096
> sudo chmod 600 server.key
> sudo openssl req -new -key server.key -out server.csr
> sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
> and it checked out ok, so the paths to the cert are there and verified.
>
> I hit the code message:
> Not an SSL session, or no client certificate available. Please read the
> readme file in examples/feature/client-ssl-auth for more info.
>
> Then I tried to get more info by doing this:
> Wt::WValidator::Result results = sslInfo->clientVerificationResult();
> new Wt::WText("Not an SSL session, or no client certificate available. "
>               "Please read the readme file in examples/feature/client-ssl-auth "
>               "for more info." + results.message(), root());
> This didn't work, or it's not the right way to do it; any clue which one?
>
> After a long recovery from being hit in the head by a Micro Meteorite, I
> am back to working on the Witty Wizard CMS.
> I do not want to have Apache installed for security reasons.
> I want to require a public/private Cert, but do not want it to bomb if it's
> not there,
> but if it is, give the user a button to log in using the server's users,
> so I can log in as root, and run root commands from the web page,
> like Virtualmin or cPanel,
> so I can maintain the server from the CMS,
> so I was wondering if you have a function to authenticate using local
> users on the server it's run from?
>
> If this requires Apache, is there a workaround to make something like this
> work without?
>
> What I need is the most secure way to log in as root and run root commands.
>
> Thanks
>
>
>
>
> _______________________________________________
> witty-interest mailing list
> witty-interest@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/witty-interest
>
> --
> Jeffrey Scott Flesher
> Disabled Gulf War Vet, Retired U.S. Air Force
> Special Ops - Helicopter Crew Chief
> jeffrey.scott.fles...@gmail.com
> Light Wizzard: http://LightWizzard.com/
> Dark Wizzard: http://TheDarkWizzard.com/
> Vets Help Center: http://VetsHelpCenter.com/
> Binary Bit LAN: http://BinaryBit.com/
> Twitter: http://twitter.com/TheLightWizzard
> Facebook: http://www.facebook.com/LightWizzard