[SOLVED] Make IO::Socket:SSL refuse connections without client certificate

chepati has asked for the wisdom of the Perl Monks concerning the following question:

Update: the winning combination was

SSL_verify_mode => SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
[download]

Thanks to all who replied and offered the correct answer.

Hi,

I'm a beginner perl programmer. I need a very simple "daemon" that when queried over tcp would return a very simple string. It needs to use SSL to verify the client and refuse to send the string, or anything else for that matter, of the client does not properly authenticate itself.

I've cobbled together a very simple script:

#!/usr/bin/perl

use strict;
use IO::Socket::SSL qw(debug0);
use Sys::Hostname;
use Socket;

my $ip_address = inet_ntoa((gethostbyname(hostname))[4]);
my ( $output, $client );

$output = "ok";

my $server = IO::Socket::SSL->new(
 LocalAddr       => $ip_address,
 LocalPort       => q[6666],
 Listen          => q[10],
 SSL_verify_mode => SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
 SSL_cert_file   => q[/etc/httpd/certs/crt.pem],
 SSL_key_file    => q[/etc/httpd/certs/key.pem],
 SSL_ca_file     => q[/etc/httpd/certs/ca-chain.crt.pem],
) or die;

while(1) {
 # accept client
 my $status = $client = $server->accept;

 if ($status) {
  print $client $output;
  shutdown($client,1);
 }
}
[download]

And this is a simple client script:

#!/usr/bin/perl

use strict;
use IO::Socket::SSL qw(debug0);

my $client = IO::Socket::SSL->new(
    # where to connect
    PeerHost        => q[192.168.0.1],
    PeerPort        => q[6666],
    SSL_verify_mode => SSL_VERIFY_PEER,
    SSL_cert_file   => q[./client.crt.pem],
) or die "failed connect or ssl handshake: $!,$SSL_ERROR";

# receive string over SSL connection
my $string = <$client>;
print "Output = $string\n";
[download]

This works as expected. Opening the server in chrome and authentication with the client certificate also works.

However, the folowing also works even though it shouldn't:

wget -q --no-check-cert https://192.168.0.1:6666 -O -
[download]

It shouldn't work because I'm not supplying the client certificate.

How can I force IO::Socket::SSL refuse to send the string without a client certificate?

Thanks, IvanK.

Comment on [SOLVED] Make IO::Socket:SSL refuse connections without client certificate Select or Download Code

Replies are listed 'Best First'.
Re: Make IO::Socket:SSL refuse connections without client certificate by NetWallah (Canon) on Oct 12, 2016 at 20:45 UTC
Havn't dug too deep, but I think you need (on the Server): `SSL_VERIFY_PEER \| SSL_VERIFY_FAIL_IF_NO_PEER_CERT` [download] otherwise, it will not VERIFY the cert. ...it is unhealthy to remain near things that are in the process of blowing up. man page for WARP, by Larry Wall	[reply] [d/l]
Re^2: Make IO::Socket:SSL refuse connections without client certificate by chepati (Initiate) on Oct 12, 2016 at 21:37 UTC
I tried: `SSL_verify_mode => SSL_VERIFY_PEER,` [download] `SSL_verify_mode => SSL_VERIFY_FAIL_IF_NO_PEER_CERT,` [download] `SSL_verify_mode => SSL_VERIFY_PEER \| SSL_VERIFY_FAIL_IF_NO_PEER_CERT,` [download] All three of these variants allow authentication via certificate and yet even if a client certificate is not presented, the server still sends the string. I should be able to tell the server not to return anything if a client certificate is not presented. Thanks, IvanK.	[reply] [d/l] [select]
Re^3: Make IO::Socket:SSL refuse connections without client certificate by NetWallah (Canon) on Oct 12, 2016 at 23:39 UTC
Try adding `SSL_verify_callback => <Sub-ref>` [download] To see what cert info and string you get when the client cert is absent. `SSL_verify_mode => SSL_VERIFY_PEER \| SSL_VERIFY_FAIL_IF_NO_PEER_CERT +,` [download] on the server should have worked - i.e. it should drop the SSL handshake when the client cert is absent. Another option is to do a "tcpdump" to verify if the connection actually occurs when the client cert is absent. ...it is unhealthy to remain near things that are in the process of blowing up. man page for WARP, by Larry Wall	[reply] [d/l] [select]
Re^3: Make IO::Socket:SSL refuse connections without client certificate by noxxi (Pilgrim) on Oct 13, 2016 at 06:22 UTC
> SSL_verify_mode => SSL_VERIFY_PEER \| SSL_VERIFY_FAIL_IF_NO_PEER_CERT, I cannot reproduce the problem in this case. The server reliably fails with the handshake in this case and no output can be seen at the wget client. As for the cases w/o SSL_VERIFY_PEER: in this case no client certificate will be requested and thus no certificate checked, i.e. SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_VERIFY_PEER will be ignored. See also SSL_CTX_set_verify where it explicitly states that SSL_VERIFY_FAIL_IF_NO_PEER_CERT must be used with SSL_VERIFY_PEER. And note that the documentation of IO::Socket::SSL explicitly refers to the documentation of SSL_CTX_set_verify for how to use these flags. > All three of these variants allow authentication via certificate ... This cannot be reproduced either. If SSL_VERIFY_PEER is not then set the server will not send a CertificateRequest inside the TLS handshake which means that the client will not send a certificate even if it has one.	[reply]