[Feature Request] Verify client ssl in server
youyuanwu opened this issue · 9 comments
In the asio OpenSSL implementation, when writing a server, one can use
context_->set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);
or use a callback to verify that the client has the right certificate present, and reject all clients that do not present the right cert.
Is there a way to do the same in wintls? If not, how could it be supported?
You can enforce verification of the service certificate with the verify_server_certificate member function on the boost::wintls::context.
There currently isn't any way to add a callback for certificate validation for the simple reason that I forgot to implement it :-)
It should be trivial to add though so I hope I can find the time to add that soon. Otherwise a pull request would be very welcome.
To be clear, I want the server to verify client certificate.
See: https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_verify.html SSL_VERIFY_PEER section Server mode part.
When a client connects to the server, I want the server to verify the client certificate.
In Schannel documentation: https://docs.microsoft.com/en-us/windows/win32/secauthn/performing-authentication-using-schannel
Authenticating the Client
Schannel does not validate client's certificates; the server must perform this authentication manually.
I don't think this feature is implemented in this library.
Sorry, I misunderstood you even though you made it very clear from the issue subject. My bad.
Client certificate validation is currently not implemented.
I would like to implement it when I find the time to do that, otherwise a pull request is also very welcome.
This library with this feature is one of the ways to solve the problem I am facing. I may make a PR if I decide to pursue this route.
Thanks for making this library; it allows running asio apps in production on Windows, since the cert keys are in the Windows cert store and OpenSSL cannot access the private key.
So I guess we should create two separate issues. One for adding callbacks to validate server certificates (although that wasn't actually your issue) and one for implementing client certificate validation. Would that be OK with you?
I'm happy to hear this library is useful to you. I don't really have any use for it myself but since no one else had implemented it seemed like a good way to get my hands dirty with some more low level asio code.
Yes we can create 2 separate issues.
I will implement this feature in the following steps:
- Baseline client ssl validation. Get the basics right, and test with openssl server & client. #55
- Introduce a context function similar to ctx.set_verify_mode(ssl::verify_peer) to support more verify modes and make the API similar to the OpenSSL APIs in asio.
- Enhance the sspi_handshake state.
- Testing with incompatible certs and verifying the error code.
And so on, to be added here.
I've forgotten all about this issue. I assume we can agree that it has been fixed with your commits and can be closed?
Thanks.
The basic issue is fixed, client cert validation is working. The public API for setting the cert can be enhanced/changed to look more like the openssl version. But currently I don't have the time to implement this.
I will close the issue, and reopen or open a new one in future.
FYI, I switched to use http.sys instead of asio+beast, which has built in windows ssl support.