Recent

Author Topic: [CLOSED] Client side certificate chain  (Read 2992 times)

alpine

  • Hero Member
  • *****
  • Posts: 1038
[CLOSED] Client side certificate chain
« on: October 26, 2021, 08:51:05 pm »
I must communicate with a https server using certificate chain given as DER (in-memory) sequence. Since I don't have considerable programming experience with SSL/TLS/HTTPS, at the present moment I'm just scratching my head and wonder from where to start.

Can anyone be so kind to give me some advice how to proceed? Any help will be greatly appreciated.

(Linux target)
« Last Edit: October 27, 2021, 04:37:52 pm by y.ivanov »
"I'm sorry Dave, I'm afraid I can't do that."
—HAL 9000

SymbolicFrank

  • Hero Member
  • *****
  • Posts: 1313
Re: Client side certificate chain
« Reply #1 on: October 26, 2021, 11:01:20 pm »
Go here. RTFM :)

Ok, a short explanation.

The obvious way to make a secure connection: use a secret key only you two have. But how do you get that key to the receiver? And you don't want to reuse that key if you can prevent it, there are many ways encryption can be broken if people keep using the same key.

If you go to the receiver each time and hand them the new key, it's easier just to hand them the unencrypted message.

So, we came up with private/public key pairs. Everyone has two keys, you can use one to encrypt the message and the other to decrypt it. It doesn't even matter which one you use for the encryption, as long as you use the other one for the decryption.

Make one of them public and tightly guard the other one. That way, you have secure communications in plain sight. You can broadcast the public key and the messages, and none will be the wiser. As long as you keep the private key... private.

Now is that a quite slow protocol, so most of the time it is only used to communicate that secret, one-time-only key that is actually used to encrypt the message.

alpine

  • Hero Member
  • *****
  • Posts: 1038
Re: Client side certificate chain
« Reply #2 on: October 26, 2021, 11:35:30 pm »
@SymbolicFrank
Thanks for the reply!

Actually reading the OpenSSL pages almost the whole afternoon. I'm not so rookie on the subject, but so far used SSL in simple scenarios by just elevating it with sock.SSLDoConnect; Also, I'm roughly familiar with asymmetric keys encryption, PKI, certificates and stuff.

My current trouble is that I must integrate some subsystem by providing it a https connectivity with the outside world and using the certificate chain which that subsystem gives me as DER.

Until now I haven't used certificates at the client side, even more something different from PEM files. I don't have an idea how to convert DERs to single PEM and then supply to laz_synapse client socket maybe?  Or there is another option?

"I'm sorry Dave, I'm afraid I can't do that."
—HAL 9000

PierceNg

  • Sr. Member
  • ****
  • Posts: 369
    • SamadhiWeb
Re: Client side certificate chain
« Reply #3 on: October 27, 2021, 03:21:33 am »
Until now I haven't used certificates at the client side, even more something different from PEM files. I don't have an idea how to convert DERs to single PEM and then supply to laz_synapse client socket maybe?  Or there is another option?

PEM is just ascii-encoded DER. There are routines in OpenSSL to convert between PEM and DER. What version of OpenSSL are you using?

alpine

  • Hero Member
  • *****
  • Posts: 1038
Re: Client side certificate chain
« Reply #4 on: October 27, 2021, 12:58:51 pm »
Until now I haven't used certificates at the client side, even more something different from PEM files. I don't have an idea how to convert DERs to single PEM and then supply to laz_synapse client socket maybe?  Or there is another option?

PEM is just ascii-encoded DER.
That's something ... perhaps it is Base64 ... thanks!
 
There are routines in OpenSSL to convert between PEM and DER. What version of OpenSSL are you using?
OpenSSL 1.1.1 (1.1.1-1ubuntu2.1~18.04.7 by Synaptic).

I'm playing with laz_synapse and the openssl plugin, but I'm not quite sure that is the right path to follow. I can't figure the steps to initiate client certificate chain authorization.
"I'm sorry Dave, I'm afraid I can't do that."
—HAL 9000

alpine

  • Hero Member
  • *****
  • Posts: 1038
Re: Client side certificate chain
« Reply #5 on: October 27, 2021, 04:37:24 pm »
Thanks PierceNg and SymbolicFrank for trying to help me!

It was my misunderstanding, in the given case the DER certificates are for server verification and not for client authorization. I've just received some clarifications from the OEM.

It doesn't concern me anymore, though the question is still unanswered...  ;)
"I'm sorry Dave, I'm afraid I can't do that."
—HAL 9000

 

TinyPortal © 2005-2018