SSL Server with Client Certificates



SSL.context is the control point for the SSL module. Server and Client objects expect a configured context that tells them what kind of SSL connection you want to set up: things such as the server certificate, acceptable cipher families, and how (or whether) the peer's certificate is verified.

What's the difference between an authority and a trusted issuer?

These two terms sound similar, but they are different things. An authority is someone (presumably a CA) whose signature we accept directly on a peer's certificate. A trusted issuer is a CA that we trust to sign certificates and/or to delegate CA authority to other CAs. If we require trust for the peer's certificate chain, any chain presented to us by the peer must eventually arrive at a trusted issuer.

Put another way:

A trusted issuer is a root authority. Suppose we have a certificate authority, supersign, and we configure supersign as a trusted issuer (our root authority): the root of any certificate chain provided to us must then be signed by supersign.

Examples:

mycert is signed directly by supersign, and we provide only our own certificate. This passes.

mycert is signed by supersigntoo, a CA that supersign has issued a certificate to. If we provide only our own certificate, the server doesn't know supersigntoo, so verification fails.

mycert is signed by supersigntoo, a CA that supersign has issued a certificate to. If we provide the chain of certificates linking supersigntoo (a CA the server does not trust by itself) to supersign (a CA it does trust), verification passes.

Authorities, on the other hand, operate only on the peer's certificate itself: if a list of authorities is configured, the peer's certificate must be directly signed by one of those authorities.

When presented with a certificate from the client, the server can optionally perform certificate verification. The first step extracts the issuer of the peer's certificate. Then, if the context contains authorities, each one is compared against that issuer. If there are authorities and none of them match the issuer, verification fails. Otherwise, the verification process continues.

The second step takes the list of trusted issuers, if present, and checks that the root certificate of the presented chain is in that list. If the context has specified that trust is required, and there are either no trusted issuers or none that match the root of the certificate chain, verification fails and the connection is aborted.
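The following is an added example that is not part of this wiki page: it builds an SSL.context for a server that verifies client certificates along the lines described above, with supersign configured as the trusted issuer (the root every presented chain must reach) and supersigntoo as the authority that must have signed the client certificate directly. It assumes a Pike 7.8-style SSL module; the field and method names used here (rsa, certificates, random, auth_level, set_authorities, set_trusted_issuers, require_trust) and the PEM/PKCS helpers are taken from that API as the example's author understands it, and the file names are placeholders, so check them against the SSL.context documentation of the Pike version you run.

```pike
// Added example, not from the wiki page. Assumes Pike 7.8's SSL module.
// File names below are placeholders for your own PEM files.

// Read a PEM file and strip its armour, returning the DER encoding,
// which is what SSL.context expects for certificates.
string read_pem_der(string path)
{
  return Standards.PEM.simple_decode(Stdio.read_file(path));
}

SSL.context make_server_context()
{
  SSL.context ctx = SSL.context();

  // The SSL module needs a random source for nonces and session ids.
  ctx->random = Crypto.Random.random_string;

  // Our own private key and certificate chain, leaf certificate first,
  // followed by the intermediate CA that issued it.
  ctx->rsa = Standards.PKCS.RSA.parse_private_key(
               read_pem_der("server-key.pem"));
  ctx->certificates = ({ read_pem_der("server-cert.pem"),
                         read_pem_der("supersigntoo.pem") });

  // Ask the client for a certificate and refuse the handshake without one.
  ctx->auth_level = SSL.Constants.AUTHLEVEL_require;

  // Step 1 of verification: the client's certificate must be signed
  // directly by one of these authorities (here, supersigntoo).
  ctx->set_authorities(({ read_pem_der("supersigntoo.pem") }));

  // Step 2 of verification: the presented chain must end at a trusted
  // issuer (here, the root CA supersign). Each entry is itself a chain.
  ctx->set_trusted_issuers(({ ({ read_pem_der("supersign.pem") }) }));

  // Without require_trust, an unknown root only yields a warning rather
  // than aborting the connection, so turn it on for real verification.
  ctx->require_trust = 1;

  return ctx;
}

// Wrap each accepted TCP connection in an SSL session using the context.
SSL.context server_ctx;
Stdio.Port listener;

void accept_cb(mixed id)
{
  Stdio.File raw = listener->accept();
  if (!raw) return;
  // Third argument 0 means "act as server" for this connection.
  SSL.sslfile ssl = SSL.sslfile(raw, server_ctx, 0);
  ssl->set_nonblocking(lambda(mixed id, string data) {
                         // Handshake succeeded and the client cert passed
                         // both checks; data is the client's first bytes.
                         ssl->write("HTTP/1.0 200 OK\r\n\r\nverified\n");
                         ssl->close();
                       },
                       0,
                       lambda(mixed id) { ssl->close(); });
}

int main()
{
  server_ctx = make_server_context();
  listener = Stdio.Port();
  if (!listener->bind(4433, accept_cb))
    exit(1, "bind failed: %s\n", strerror(listener->errno()));
  return -1;  // keep the backend running
}
```

A client whose certificate is signed by supersigntoo and who sends the supersigntoo certificate along with its own passes both steps; a client that sends only its leaf certificate fails step 2 because the server cannot link it to supersign; and a client certificate signed directly by supersign fails step 1 here, because supersign is not in the authorities list even though it is the trusted root.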


gotpike.org | Copyright © 2004 - 2009 | Pike is a trademark of Department of Computer and Information Science, Linköping University