Thursday 1 July 2021

Testing 2-way SSL with openssl s_client

The intent of this post is to show how to use the openssl s_client program to test 2-way SSL (mutual TLS, where the server also authenticates the client) between client and server.

Here I am assuming you have already configured your server for 2-way SSL and that you have generated or gathered the required certificates.

List of files required:

a) client certificate
b) client private key -> if a passphrase is used you must know it
c) root CA public certificate -> i.e. the certificate of the CA that signed the server certificate you will receive during the handshake


Openssl s_client - 2-way SSL test

bash> openssl s_client -connect abc.com:443 -CAfile ca.cert.pem -key client_key.pem -cert client_cert.pem -tls1_2 -state -quiet
(-connect takes host:port; port 443 is assumed here, substitute the port your server listens on)
Enter pass phrase for client_key.pem:

SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = abc.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = ca.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify

Note: ca.cert.pem is the root CA public certificate, while the other two are the client certificate and the client private key, which is passphrase-protected. Also note that s_client only reports server certificate verification problems (such as the "verify error:num=18:self signed certificate" line above) and then carries on with the handshake; if you want a failed verification to abort the connection, add -verify_return_error to the command.


Hope this helps :-)
Enjoy :-)

Creating user certificates with an encrypted private key using openssl

The intent of this post is to list the steps to generate a user (client) certificate, signed by your own self-signed root CA, whose private key is encrypted with a passphrase.


Generate private key with passphrase

bash> openssl genrsa -des3 -passout pass:1234 -out client_key.pem 2048
(the passphrase has to be at least 4 characters long; 1234 is only a placeholder, pick a strong one for real keys)

To verify that this is an encrypted private key, the easy way is to open it in an editor; it will have content like:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,974D80EBEF938726

hWANCxIG3lT1qaoTqza84pk10JeGD2vUXoVRj92WI2k+eYJvVhnW/tz5cZzNeozu
............................................
............................................
............................................
-----END RSA PRIVATE KEY-----

Generate a CSR using the private key generated above

bash> openssl req -out client.csr -new -nodes -key client_key.pem -sha256
(to proceed, it will ask you for the private key passphrase; -nodes has no effect here because the key already exists and is only used, not written)


Sign the user certificate with the Root CA

bash> openssl x509 -req -days 360 -in client.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out client_cert.pem -sha256
(you will be asked for the CA private key passphrase, if the CA key is encrypted)
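
To tie the two posts together, here is an added end-to-end check (example code, not from the original post) that builds a throwaway CA, a server certificate and a passphrase-protected client certificate, starts openssl s_server with a mandatory client-certificate check, and uses s_client to confirm that the TLS 1.2 handshake succeeds with the client certificate and is refused without it. The port 4433, the subject names and the passphrase Test1234 are constructed for the demo; it assumes the openssl binary is on PATH and that the port is free.

```sh
#!/bin/sh
# Added example, not from the original post: build a throwaway CA, a server cert
# and a client cert with a passphrase-protected key, then use s_server/s_client to
# check that the server accepts the client cert and refuses a TLS 1.2 handshake
# without one. All names, paths and the passphrase are constructed for the demo.
set -eu
WORK=$(mktemp -d); CA="$WORK/ca.cert.pem"; CAKEY="$WORK/ca.key.pem"
PORT=${MTLS_PORT:-4433}   # local test port, assumed free
PASS=pass:Test1234        # client key passphrase (constructed)

# Throwaway self-signed root CA, valid for one day.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$CAKEY" -out "$CA" \
  -subj "/CN=demo-ca" -days 1 2>/dev/null
# Server key and CA-signed certificate.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server_key.pem" \
  -out "$WORK/server.csr" -subj "/CN=localhost" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$CA" -CAkey "$CAKEY" \
  -CAcreateserial -out "$WORK/server_cert.pem" -days 1 -sha256 2>/dev/null
# Client key encrypted with a passphrase (as in the post) and CA-signed certificate.
openssl genrsa -des3 -passout "$PASS" -out "$WORK/client_key.pem" 2048 2>/dev/null
openssl req -new -key "$WORK/client_key.pem" -passin "$PASS" \
  -out "$WORK/client.csr" -subj "/CN=demo-client" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$CA" -CAkey "$CAKEY" \
  -CAcreateserial -out "$WORK/client_cert.pem" -days 1 -sha256 2>/dev/null

# Test server: -Verify 1 makes a client certificate mandatory, -www serves HTTP.
openssl s_server -accept "$PORT" -cert "$WORK/server_cert.pem" -key "$WORK/server_key.pem" \
  -CAfile "$CA" -Verify 1 -www </dev/null >/dev/null 2>&1 &
SERVER_PID=$!
trap 'kill "$SERVER_PID" 2>/dev/null; rm -rf "$WORK"' EXIT

# Exit 0 only if the TLS 1.2 handshake completes; "$@" adds client-side options.
# -verify_return_error also turns a failed server-certificate check into an error.
mtls_handshake() {
  openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$CA" -tls1_2 \
    -verify_return_error "$@" </dev/null >/dev/null 2>&1
}
# Exit 0 when both hold: handshake with the client cert succeeds, without it fails.
run_mtls_checks() {
  with_cert=1; without_cert=1
  for i in 1 2 3 4 5 6 7 8 9 10; do   # give s_server up to 10 s to start listening
    if mtls_handshake -cert "$WORK/client_cert.pem" -key "$WORK/client_key.pem" \
        -pass "$PASS"; then with_cert=0; break; fi
    sleep 1
  done
  if mtls_handshake; then without_cert=1; else without_cert=0; fi
  [ "$with_cert" -eq 0 ] && [ "$without_cert" -eq 0 ]
}

run_mtls_checks && echo "mutual TLS: OK" || echo "mutual TLS: FAILED"
```

Run it as-is to get a pass/fail line; MTLS_PORT can be set in the environment if 4433 is already in use.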



Hope this helps :-)
Enjoy :-)