in reply to Re: Make IO::Socket:SSL refuse connections without client certificate
in thread [SOLVED] Make IO::Socket:SSL refuse connections without client certificate

I tried:

SSL_verify_mode => SSL_VERIFY_PEER,

[download]
SSL_verify_mode => SSL_VERIFY_FAIL_IF_NO_PEER_CERT,

[download]
SSL_verify_mode => SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,

[download]

All three of these variants allow authentication via certificate and yet even if a client certificate is not presented, the server still sends the string.

I should be able to tell the server *not* to return anything if a client certificate is not presented.

Thanks,
IvanK.

Replies are listed 'Best First'.
Re^3: Make IO::Socket:SSL refuse connections without client certificate
by NetWallah (Canon) on Oct 12, 2016 at 23:39 UTC
    Try adding 
      SSL_verify_callback => <Sub-ref>

    [download]
    To see what cert info and string you get when the client cert is absent.

      SSL_verify_mode => SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
+,

    [download]
    on the server should have worked - i.e. it should drop the SSL handshake when the client cert is absent.

    Another option is to do a "tcpdump" to verify if the connection actually occurs when the client cert is absent.

            ...it is unhealthy to remain near things that are in the process of blowing up.     man page for WARP, by Larry Wall

[reply]
[d/l]
[select]
Re^3: Make IO::Socket:SSL refuse connections without client certificate
by noxxi (Pilgrim) on Oct 13, 2016 at 06:22 UTC 
    > SSL_verify_mode => SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,

    I cannot reproduce the problem in this case. The server reliably fails with the handshake in this case and no output can be seen at the wget client.

    As for the cases w/o SSL_VERIFY_PEER: in this case no client certificate will be requested and thus no certificate checked, i.e. SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_VERIFY_PEER will be ignored. See also SSL_CTX_set_verify where it explicitly states that SSL_VERIFY_FAIL_IF_NO_PEER_CERT must be used with SSL_VERIFY_PEER. And note that the documentation of IO::Socket::SSL explicitly refers to the documentation of SSL_CTX_set_verify for how to use these flags.

    > All three of these variants allow authentication via certificate ...

    This cannot be reproduced either. If SSL_VERIFY_PEER is not then set the server will not send a CertificateRequest inside the TLS handshake which means that the client will not send a certificate even if it has one.

[reply]

In Section Seekers of Perl Wisdom