[CLOSED] Client side certificate chain

y.ivanov:
I must communicate with a https server using certificate chain given as DER (in-memory) sequence. Since I don't have considerable programming experience with SSL/TLS/HTTPS, at the present moment I'm just scratching my head and wonder from where to start.

Can anyone be so kind to give me some advice how to proceed? Any help will be greatly appreciated.

(Linux target)

SymbolicFrank:
Go here. RTFM :)

Ok, a short explanation.

The obvious way to make a secure connection: use a secret key only you two have. But how do you get that key to the receiver? And you don't want to reuse that key if you can prevent it; there are many ways encryption can be broken if people keep using the same key.

If you go to the receiver each time and hand them the new key, it's easier just to hand them the unencrypted message.

So, we came up with private/public key pairs. Everyone has two keys, you can use one to encrypt the message and the other to decrypt it. It doesn't even matter which one you use for the encryption, as long as you use the other one for the decryption.

Make one of them public and tightly guard the other one. That way, you have secure communications in plain sight. You can broadcast the public key and the messages, and no one will be the wiser. As long as you keep the private key... private.

Now, that is a quite slow protocol, so most of the time it is only used to communicate the secret, one-time-only key that is actually used to encrypt the message.

y.ivanov:
@SymbolicFrank
Thanks for the reply!

Actually, I've been reading the OpenSSL pages almost the whole afternoon. I'm not such a rookie on the subject, but so far I have used SSL only in simple scenarios by just elevating it with sock.SSLDoConnect. Also, I'm roughly familiar with asymmetric key encryption, PKI, certificates and such.

My current trouble is that I must integrate some subsystem by providing it a https connectivity with the outside world and using the certificate chain which that subsystem gives me as DER.

Until now I haven't used certificates at the client side, let alone something other than PEM files. I don't have an idea how to convert the DERs to a single PEM and then supply it to the laz_synapse client socket, maybe? Or is there another option?

PierceNg:

--- Quote from: y.ivanov on October 26, 2021, 11:35:30 pm ---Until now I haven't used certificates at the client side, let alone something other than PEM files. I don't have an idea how to convert the DERs to a single PEM and then supply it to the laz_synapse client socket, maybe? Or is there another option?

--- End quote ---

PEM is just ASCII-encoded DER. There are routines in OpenSSL to convert between PEM and DER. What version of OpenSSL are you using?

y.ivanov:

--- Quote from: PierceNg on October 27, 2021, 03:21:33 am ---
--- Quote from: y.ivanov on October 26, 2021, 11:35:30 pm ---Until now I haven't used certificates at the client side, let alone something other than PEM files. I don't have an idea how to convert the DERs to a single PEM and then supply it to the laz_synapse client socket, maybe? Or is there another option?

--- End quote ---

PEM is just ASCII-encoded DER.

--- End quote ---
That's something ... perhaps it is Base64 ... thanks!
 

--- Quote from: PierceNg on October 27, 2021, 03:21:33 am ---There are routines in OpenSSL to convert between PEM and DER. What version of OpenSSL are you using?

--- End quote ---
OpenSSL 1.1.1 (1.1.1-1ubuntu2.1~18.04.7 by Synaptic).

I'm playing with laz_synapse and the openssl plugin, but I'm not quite sure that is the right path to follow. I can't figure out the steps to initiate client certificate chain authorization.
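
Worked example (added here; it is not code from the thread, from laz_synapse or from OpenSSL): PierceNg's point that PEM is just the DER bytes in Base64 with `BEGIN/END CERTIFICATE` lines, applied to y.ivanov's situation of several in-memory DER certificates that have to become one PEM chain for a client socket. The DER-to-PEM and PEM-to-DER routines below are self-contained; the outer-envelope check only validates the DER `SEQUENCE` tag and length so a truncated buffer is caught before it is Base64-encoded. `SAMPLE_DER` is a constructed stand-in (a DER `SEQUENCE` of two integers, not a real certificate). `build_client_context` shows the same chain being handed to Python's `ssl` module; it assumes the caller already holds the client key and the CA certificate as PEM text.

```python
import base64
import ssl
import tempfile
from typing import List, Tuple

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for an in-memory DER certificate: a DER SEQUENCE
# (tag 0x30, length 6) holding two INTEGERs. It is NOT a real certificate;
# it only exercises the envelope check and the Base64 framing.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])


def der_length(der: bytes) -> Tuple[int, int]:
    """Return (total_length, header_length) of the outer DER SEQUENCE.

    An X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
    Only the outer envelope is parsed; the certificate fields are not.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected tag 0x30)")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first, 2
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    length = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + length, 2 + n


def der_to_pem(der: bytes) -> str:
    """Base64-encode one DER certificate with 64-column lines and PEM armour."""
    total, _ = der_length(der)
    if total != len(der):
        raise ValueError(f"DER says {total} bytes, buffer holds {len(der)}")
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def chain_to_pem(ders: List[bytes]) -> str:
    """Concatenate a chain into one PEM blob: leaf first, then intermediates."""
    return "".join(der_to_pem(d) for d in ders)


def pem_to_ders(pem: str) -> List[bytes]:
    """Inverse of chain_to_pem: recover every DER certificate in a PEM blob."""
    ders: List[bytes] = []
    buf: List[str] = []
    inside = False
    for line in pem.splitlines():
        line = line.strip()
        if line == PEM_HEADER:
            inside, buf = True, []
        elif line == PEM_FOOTER:
            ders.append(base64.b64decode("".join(buf)))
            inside = False
        elif inside and line:
            buf.append(line)
    return ders


def build_client_context(chain_pem: str, key_pem: str, ca_pem: str) -> ssl.SSLContext:
    """TLS client context that presents chain_pem + key_pem and trusts ca_pem.

    Assumes the key is unencrypted PEM and that ca_pem holds the anchor(s)
    the server's certificate chains to. Python's ssl loads the client
    certificate and key only from a file path, hence the temporary file.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.load_verify_locations(cadata=ca_pem)
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as f:
        f.write(chain_pem)
        f.write(key_pem)
        f.flush()
        ctx.load_cert_chain(certfile=f.name)
    return ctx


if __name__ == "__main__":
    print(chain_to_pem([SAMPLE_DER, SAMPLE_DER]))
```

The order matters for a client chain: the end-entity certificate must come first and each following certificate should be the issuer of the one before it, which is how OpenSSL-based libraries read a chain file. The temporary file in `build_client_context` puts the private key on disk for the duration of the load; if that is not acceptable, keep the file on a private tmpfs or use a library that accepts the key directly from memory.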
