Re: [asio-users] ssl server supporting multiple certificates and multiple private keys...
From: leon z. <leo...@gm...> - 2010-05-28 04:17:06
On 5/27/10, Juraj Ivančić <jur...@gm...> wrote:
> On 27.5.2010 10:57, leon zadorin wrote:
>> On 5/27/10, leon zadorin<leo...@gm...> wrote:
>>
>>> I would, ideally, like to have a server which would support,
>>> concurrently, 2 different certs (each signed with a different
>> [...]
>>> Would this be possible (in boost::asio::ssl) ?
>
> OpenSSL which ASIO uses is very flexible with certificates. E.g. it is
> possible to configure your SSL server to use a certificate signed by CA1
> and allow only client certificates from CA2 and CA3.
>
> By default - client certificate is not needed for establishing SSL -
> only server certificate and private key are needed. These are set in
> ASIO using
> boost::asio::ssl::context::use_certificate_file and
> boost::asio::ssl::context::use_private_key_file.

Yes -- but I wasn't really asking about client certificates (I'm sorry if this was not 100% clear in my previous explanations), I was rather asking about a server having *multiple* *server* self-signed certificates (i.e. 2, each signed with a different private key) and clients connecting to the server using any of the multiple "server" certificates (to validate the target server)... for the reasons outlined in the 1st post.

So, for example, there are 2 clients -- each has stored a server's certificate (to connect to the server and to validate that it is indeed connecting to the valid server)...

The problem is that the server wants to update *its* self-signed certificate (and clients have the capacity to automatically download the server's updated/new self-signed certificate to the client-side securely and then restart/reconnect with the newly downloaded server certificate)... but some clients may not come online for a while (let's say 3 days), whilst other clients are online now (so they will connect and upgrade to use the new server certificate) but may go offline later on.

Then in a couple of days' time we have a situation where some clients will be validating their connection to the server using the server's new certificate and some clients will be trying to validate their connection to the server using the server's old certificate...

So, essentially, I'd like to have a server which will support 2 certificates to allow for older clients to connect and upgrade (like a transition time-window), in the sense of the server being able to be *validated by clients* via 2 different certificates.

I'd like to see if this (as opposed to other alternatives such as running a second instance of the server, or using a paid-for certificate as opposed to self-signed ones, thusly delegating the issue elsewhere) is possible in boost::asio for the reasons outlined in my 1st post.

Kind regards
Leon.

> In case you want to verify client certificates you should call
> boost::asio::ssl::context::set_verify_mode
> with appropriate parameters (e.g.
> boost::asio::ssl::context::verify_peer |
> boost::asio::ssl::context::verify_fail_if_no_peer_cert )

I think it's the other way around -- there is 1 entity (server) which is *being verified* and many entities (clients) which *are doing the verifying*, but via different self-signed certificates (each certificate nevertheless relating to the same *being verified* entity -- the server)...

> More detailed description can be found here:
>
> http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html

I'll dig around there... hopefully it is of relevance to the subject at hand... thanks for the pointers.

Kind regards
Leon.