authentication,ssl,https,ssl-certificate,x509 , Client certificate authentication

Client certificate authentication


Tag: authentication,ssl,https,ssl-certificate,x509

I am new to SSL and Certificates . I have been doing my research about client certificate authentication. I have read this and wiki.

So If I have to implement a client certificate auth solution for my B2B REST service should I do following

  1. Ask clients to generate their own private-public key and generate certificate (CA issued?) for their public key. Send that certificate over email or USB key.
  2. On the server side import client's public certificate into trust store and enable client authentication
  3. During the hand shake client presents it's certificate and gets authenticated, because server has a copy of cert in it's trust store and can verify CertificateVerify message

My question is how does it stop anybody to pose as my client. Let's say a hacker X sends a CA issued certified to the server as part of handshake. Then server would automatically trust it and grant access.


I've to break down your question into two parts.

Part one: Let's say a hacker X sends a CA issued certified to the server as part of handshake. Then server would automatically trust it and grant access.

If X aquires the client certificate of an authentic client then that's ok. Because the certificate itself does not contain any secret. Those certificate can be published anywhere without doing any damage (Except if you want to keep your email address a secret, try not to publish it. But it may will get out there after some time. And company crafted X509CertificateExtensions are not considered as well.).

The private key is the important key which must be kept secret by your client. If X gets the private key as well, X can impose an authentic client and login into your system. Therefore clients must protect those private keys from getting stolen!

That's because within the client-auth handshake, the server not only requests the client certificate. The client must also prove that he's the real owner of the certificate, by using his private key as stated in the wiki you referenced: The client sends a CertificateVerify message, which is a signature over the previous handshake messages using the client's certificate's private key. Such a signature can only be done if the client posesses the private key belonging to the certificate, as stated in the wiki as well: This lets the server know that the client has access to the private key of the certificate and thus owns the certificate.!

Part two: How do establish a initial trust relationship?

That part is difficult if there are many clients involved. That's why the PKI was established. You trust the CA, and the CA should to the identity check on that clients who request a certificate.

For homebrew solutions in which case you have your own CA, or you don't trust a CA, the part is up to you. You must be sure that you grand access to your services only to authentic clients. If you do this via USB keys and the clients hand them over to you in person, that's ok.

If you receive an email which says "hello, i'm your friend XYZ from ABC, remember? Btw. here's my certificate" - check it twice.


ArgumentError - unknown SSL method `TLSv1_2'

I am trying to move my AWS integration over TLS instead of SSLv3, but I'm receiving an error when trying to set the config.fog_credentials as another SO post has suggested, but I am receiving the ArgumentError above (unknown SSL method 'TLSv1_2'. I am open to a different solution to move...

Server Authentication in Swift 2.0 & XCode 7 broken

I just updated my code to Swift 2.0 to work with Xcode 7. My App performs NSURLAuthenticationMethodServerTrust and NSURLAuthenticationMethodClientCertificate authentication. The problem is NSURLAuthenticationMethodServerTrust authentication stopped working on my simulator - but still works on my test device with iOS 8.3. Besides my old project which is not Swift 2.0,...

Is it nessesarry to send credentials on every single request to MVC Web Api?

I am about to create my first restfull web service where i chose MVC WEB API to be the "provider". After reading about authentication i am a little confused. My requirements is that on call to any url of webservice i want client to be authenticated, except sign in url....

Riak CS LDAP authentication

I read here that Riak CS supports LDAP for authentication: "Pluggable Authentication/Authorization for Integration with Existing Infrastructure – Riak CS provides an extensible authentication system, enabling integration with existing directory services (LDAP, ActiveDirectory, NIS, PAM)." However I cannot find anything relating to the LDAP authentication configuration in the docs....

How to create a private certificate for connecting to a website

My apologies if this is a duplicate, I may just not be using the correct terminology in my queries to find what I am looking for. I have a vendor that sent me a certificate to install in my browser so that we can access their website. We cannot get...

Web API Basic Auth inside an MVC app with Identity Auth

So I have a C# MVC app using Identity for its authentication. I now have a need to expose a few things via Web API to some of my clients. Instead of building a separate app, project, deployment... I've simply added an API Controller to my existing project. To keep...

Simple token-like authentication

Does the following authentication system seem reasonable: Client calls the login end point with a user name and password to the main server. The main server sends this off to another authentication server (which will receive no further mention), which returns a yes/no if this is valid and a user...

Starting a tls communication with python asyncio

I have some python code snippet that uses asyncio and initiates a "plain" connection: loop = asyncio.get_event_loop() coro = loop.create_connection(lambda: MyCustomClassProtocol(loop), sock=client_socket) loop.run_until_complete(coro) The point is my plain connection switches to a tls one once some exchanges have happened. In the traditional way one would do this: ssl_sock = ssl.wrap_socket(client_socket,...

How to make a website work only with https [duplicate],ssl,https
This question already has an answer here: How to force HTTPS using a web.config file 3 answers How do I make a website to work only with https? Is there any method to make my website work only if the protocol is https? For example let me say,...

serving GAE applications over http

I have implemented an application on GAE which can be accessible through https://<my_app_id> Now I have a custom domain registered with As described in GAE documentation I have mapped my custom domain to https://<my_app_id> and I see my application getting served from my custom domain. But I see requests...

How to disable common name check in SSLContext in java?

I am using SSLContext so set up Jersey client, and need to disable the common name check in order to avoid unnecessary issues. However, I can find no documentation as to how we can do it correctly. So is the common name check disabled by default in SSLContext (assuming using...

How to respond in Middleware Slim PHP Framework

I am creating middleware for auth into REST API. My API is created using Slim PHP Framework ,which in case provide great features to build APIs. One of this feature is Middleware. I need to check credentials in Middleware and respond with an error (HTTP code with JSON descriptions) to...

Self-signed Certificate and Client Keystore for SSL Authentication

I need to create and install a self-signed certificate on the server (an XML hardware appliance) to do SSL authentication of a Java client/application which, through its interface configuration, can set keystores, i.e. .jks. I only need this setup for testing purposes and not production, for obvious reasons. Here's how...

Third-party security providers like Google, Twitter etc. in ASP.Net,authentication
I have created a standard ASP.Net web project in Visual Studio 2013 and enabled authentication. A class called 'StartupAuth.cs' is created auotmatically, with following lines. When the app runs on localhost dev server it throws an exception as pasted in screen shot below the code. I need to have it...

How can i get Certificate issuer information in python?

I want the 'issued to' information from certificate in python. I try to use the SSL and SSLSocket library but did not happen. ...

Subject Alternative Name not present in certificate

I have generated a CSR that includes the field subject alt names: openssl req -out mycsr.pem -new -key mykey.pem -days 365 When I inspect this it looks as expected with a new field present: X509v3 Subject Alternative Name: DNS: my.alt.dns However when I use this to sign a certificate that...

shall I use Spring framework for a performance-critical proxy application? [closed]

I've created a servlet (Tomcat) application which has these functions: It performs HTTP Basic Authentication. It connects to a user and role database. It works as "security facade" for some geodata servers behind It forwards requests after doing some authorization tests In case the response contains XML data, it performs...

Multi service with one-login authentication (Single sign-on)

Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. (from wikipedia) now, I have more web service:...

python requests with redirection

Trying to authenticate on site, noticed that there were a redirect to Found that there were 302 POST with plain credentials in data form. Copying headers from Chrome can reproduce that in cURL, but still can't reach in requests module. Warning: page is full of russian letters, registration...

SSL/TLS: Why will the server be the only one to be able to decrypt the encrypted number if it's a public key?

Wouldn't anyone else be able to decrypt it too using the public key? Or is it saying that it will be decrypted with a private key. If that's the case how could something be encrypted with one key and decrypted with another? This is in reference to this wikipedia article....

Authentication with OAuth and JWT but without OpenID Connect

I’m wondering if I really need OpenID Connect to provide authentication on top of OAuth2. It seems to me if I generate JWTs (JWE) as my access token and I store user claims, roles/permissions, etc. in the access token, then the OpenID Connect's id token isn't needed. Resource servers can...

SSLV3_ALERT_HANDSHAKE_FAILURE with SNI using Tornado 4.2 in Python 2.9.10

I have an issue setting the SNI flag correctly using ssl.SSLContext in Python 2.7.10, the handshake fails every time and I can't figure out why. Here is how I tried to do it: import ssl import socket if ssl.HAS_SNI: print "SNI is available" print(ssl.OPENSSL_VERSION) context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) context.load_cert_chain('cacrt.pem', 'cakey.pem', 'password')...

How do you unblock the 993 port if your firewall settings is blocking it?

I am trying to retrieve my emails from Gmail using php. for writing the host name, this is my code: $hostname = '{}INBOX'; I am getting this error: Warning: imap_open(): Couldn't open stream {}INBOX in /home1/mtc/public_html/mtcerp/emailparser/email.php on line 10 Cannot connect to Gmail: Can not authenticate to IMAP server: [CLOSED]...

Same system, same code, different behaviors: The request was aborted: Could not create SSL/TLS secure channel

There are many questions about "The request was aborted: Could not create SSL/TLS secure channel." error message and it seems very few of them were answered. I couldn't find any answer about my case, also my problem is little bit different. I have a Windows Service. It sends data to...

SSL Handshake in Java Servlet (HttpsURLConnection)

I have a java web application that requires a servlet to open a connection with a url that returns some data in the form of JSON back to the servlet for processing. Traditionally this was done using an HttpURLConnection and everything worked as planned. Now, we have added as self-signed...

Using middleware to call an Authentication API using ExpressJS

I'm using two Node.js + Express applications: Backend Authentication And my front-end is built in AngularJS Basically I'm trying to send a json web token with every request to the Backend, and then use a route middleware to call the Authentication API. It validates that token and add user data...

Create OpenSSL certificates signed by myself

I'm using boost ssl for server and client, and I have a model for server/client program in my mind, and I'm not sure it's gonna work. The model I have in my mind is to be the only authority for certificates of my program. My main question is: How can...

NPM Error: self signed certificate in certificate chain

I am following the Angular 2 quick start guide and I'm stuck right at the beginning of it. My company is filtering our network connections and modifying SSL negociation. In a man in the middle style they assign a self signed certificate as the CA of the destination's certificate. Therefore...

Connecting to database using Windows Athentication

I would like to use window authentication in my program to connect to my sql server. users already have certain permissions on the SQL server and I would like to leverage that in my program. The way I currently connect to the server is using this connection string. Dim ConnectionString...

How to enable multiple login tries in forms authentication?

I have a MVC project with forms authentication. Basically it works fine: The user wants to access a controller with Authorize-Attribute and gets redirected to login-page if not authenticated. On redirect the parameter returnUrl gets forwarded as well. However, in case the first try of the login fails, the return...

How does DNS server know the IP address of an SSL's URL?

The SSL/TLS (https) protocol encrypts both of the web page url and its content. So I'm wondering how could the DNS server know the ip address of the requested url if it is encrypted? Any documented reference or idea?

Issue with understanding keystore and ssl

These are the facts: I have a client(android)-server(java - Ubuntu 14.04)-program with which I transmit my gps-data from my smartphone every 5 minutes to the server saving it into a mysql-database. My problem is that I do not want to transmit my GPS data plain. So I want to use...

Redirecting http to https

I'd like to redirect all of my http traffic to https, currently in my htaccess file I have the following redirecting my http traffic: <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_HOST} !^www\. RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L] </IfModule> This redirects all of my non-www to www. What is the best way to...

Difference between django.contrib.auth.login and django.contrib.auth.views.login

What's the difference to use django.contrib.auth.login or django.contrib.auth.views.login? First in and second in I saw that code and it differs from each other. Same is with some other views, for example 'logout'. As I understand, django.contrib.auth.views.login is used when I want to redefine some parametrs of that view?

ssl certificate with and without www

I have a website that installed a ssl certificate for the name of It works fine for But it doesn't work for The browser gave me Error code: ssl_error_bad_cert_domain. I am using Apache 2. I tried to rewrite the url to add www in httpd-ssl.conf, see the...

Bluemix authentication ios8 with google and facebook

I am trying to implement two types of authentication from an iOS8 device in the bluemix platform. I succeeded in adding one type of authentication: google. I am using a ADVANCED MOBILE ACCESS module, and I am at the User Authentication part. It looks from a dashboard like I can...

Rails, DNSimple, Heroku and SSL - do I need a certificate?

So I'm currently deploying my app via Heroku. I noticed that in has HTTPS, so if I do config.force_ssl = true in my environments/production.rb it seems like I have wildcare SSL, right? Now I'm using DNSimple to get my actual name - call it Which currently resolves to...

Wildcard SSL - Which to chose and what is the key differences?

I have been left in confusion for quite some time in deciding which CA should i approach to obtain a SSL certificate. Much comparison has been made from different CA but I do not see what is the key differences that sets each other apart except the price they offer....

Roundcube - Nginx does not redirect to .php file automatically

EDITED! I set up a mail server on Debian 7 with Nginx, Postfix, Postfixadmin, Dovecot and Roundcube. I tried to create an alias to use the SSL certificate of my domain (of course, the domain here is an example) for the webmail. When accessing the following URL -...

Websocket SSL connection

I am trying to test a secure websocket but I'm having trouble. Here is my test: var WebSocket = require('ws'); describe('testing Web Socket', function() { it('should do stuff', function(done) { var ws = new WebSocket('wss://localhost:15449/', { protocolVersion: 8, origin: 'https://localhost:15449' }); ws.on('open', function() { console.log('open!!!'); done(); }); console.log(ws); }); });...

Wildfly mysql with SSL

I have a web app using a mysql database as its data store. It is currently running in Glassfish and talking to that mysql database with SSL. I am thinking about migrating to Wildfly but I can't seem to create a Wildfly datasource that will talk to the mysql database...

Error Hashing + Salt password

Someone can help me to fix this problem: TypeError: can't concat bytes to str I am trying to safely store hash+salt passwords, I think the problem is that my salt is a byte object how can I transform it into a string? Or is there a way to hash it...

Rails basic auth not working properly

I am building a small API that uses basic authentication. What I have done, is that a user can generate a username and password, that could be used to authenticate to the API. However I have discovered that it is not working 100% as intended. It appears that a request...

Laravel 5: How to add Auth::user()->id through the constructor ?

I can get the ID of the authenticated user like this: Auth::user()->id = $id; Great it works, ... but I have a load of methods which need it and I want a cleaner way of adding it to the class as a whole,so I can just reference the $id in...

X509Certificate: what is the difference between getIssuerDN() and getSubjectDN() methods

I'm using X509Certificate class in java, and when I want to get the subject name I try: x509certificate.getIssuerDN().getName(); and x509certificate.getSubjectDN().getName(); both methods have the same result. So what is the difference between them ??...

JQuery Add expiration to authentication token stored with HTML5 localStorage?

I am making a mobile game with JQuery Mobile, a multipage template (so all pages in 1 html file, which makes it usable with PhoneGap). Since it is HTML I am using JQuerys $.post function to send data to php scripts such as login.php, register.php, which add/update/delete data from the...

Now that SSLSocketFactory is deprecated on Android, what would be the best way to handle Client Certificate Authentication?

I am working on an Android app that requires Client Certificate Authentication (with PKCS 12 files). Following the deprecation of all that's apache.http.*, we have started a pretty big work of refactoring on our network layer, and we have decided to go with OkHttp as a replacement, and so far...

Java client certificates and keystores

we are trying to build a MUTUAL/2WAY authentication mechanism. Because we hit two different hosts, we have the same client certificate stored in the client keystore container under two different aliases (please note the same fingerprint): [email protected]:/opt/golem# keytool -list -keystore ./client.keystore -storepass ________ Keystore type: JKS Keystore provider: SUN Your...

Loopback Angular SDK response code 401 intercept

I'm using the Angular Loopback SDK and am trying to implement a 401 handler that automatically detects when the user needs to authenticate. Loopback responds to a data request with a 401 and I use that to invoke a login dialog. Basically using the strategy described here - However,...

Getting SSLHandshakeException in java

I ma getting SSL Hand Shake error in eclipse while calling https restful web service from simple java stub but, can access this URL from browser after importing Client Digital Certificate to browser which was shared by service provider. Hiding End point URL for security purpose. Please help me, i...