
I'm writing a client/server program to control a machine (server) from a client program and want to authenticate the client machine to know it's trusted. I could have many clients so I thought about using OpenSSL to encrypt a socket and generate a unique certificate/key pair for authentication. This pair would be copied during setup time with scp to each server/client. The server program, when the SSL connection is established, will ask for the client's certificate and verify it against the key (actually private key). So if they both match the connection continues, if not it's dropped.

Some things to consider:

  1. I cannot use a CA to authenticate certificates, it will be self-signed, because the machines will not even have internet access and I don't want to over-complicate the installation if possible.
  2. The certificate/key will be only readable by valid users in the Linux machines (client and server) and disks will be encrypted.

Seems to work so far, but I have some questions as I'm just starting with this openssl thing.

My questions are:

  1. Is it bad practice to copy the certificate/private key to all nodes?
  2. Could someone see some point of failure in the authentication process or certificate storage that could weaken the idea?

I've read posts like Peer to Peer linux authentication in C but it didn't help.

The way I'm doing it now in the server is the following:

  1. SSL_CTX_use_certificate(ctx, client_cert) <- certificate given by client
  2. SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM) <- key stored in the server
  3. SSL_CTX_check_private_key(ctx) <- check both

So if SSL_CTX_check_private_key(ctx) returns 0, it is because the private key and certificate don't match and the client was not authorized, so I drop the connection.

I really appreciate your opinion about this. If more code is needed I will paste it here, but I think the idea could be followed.

  • "Is it bad practice to copy the certificate/private key to all nodes" - If you're doing as you described, you're not doing this. Each client is getting a unique derived certificate. None of the clients should have the same cert, and it sounds like you have that right. Are you using DH or some other key exchange mechanism for distributing the cert to the client, or is it just a remote file copy? Finally, I usually have a middle-cert derived from my server root cert that is solely responsible for deriving client certs. I.e. ServerRootCA --> ClientRootCA --> ClientCert. YMMV. – WhozCraig Nov 19 '13 at 01:52
  • Hi WhozCraig, thanks for your answer. My actual setup is one private key and certificate derived from it and those 2 are copied with secure copy (scp) to each client. Just one pair for the whole system, I don't know how to do it otherwise. When the client and server are doing the handshake, from the server I could call SSL_get_peer_certificate(ssl) to get the cert from the client and compare it to the local private key of the server (remember they should be the same for all the nodes). – robpelu Nov 19 '13 at 23:03
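
The per-client certificates mentioned in the first comment can be issued from a private CA that lives on the setup machine and needs no internet access. The script below is an added example, not code from the question or the comments; the file names, subject names and 365-day lifetime are assumptions. It issues one key/certificate pair per client and checks that a self-signed certificate carrying the same name does not verify against the CA.

```shell
#!/bin/sh
# Added example: offline private CA, one key/certificate per client.
# File names, subject names and lifetimes are constructed for illustration.
umask 077                      # new private keys readable by owner only

make_ca() {                    # $1 = work dir; ca.key stays on the setup host
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Offline Client CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_client() {               # $1 = work dir, $2 = client name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 365 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.crt" 2>/dev/null
}

make_selfsigned() {            # $1 = work dir, $2 = name; NOT signed by the CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/unsigned.key" -out "$1/unsigned.crt" 2>/dev/null
}

verify_client() {              # $1 = work dir, $2 = cert; returns 0 if it chains to the CA
    openssl verify -CAfile "$1/ca.crt" "$2" 2>/dev/null | grep -q ': OK$'
}

fingerprint() {                # $1 = cert; SHA-256 fingerprint for an inventory list
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Demo run in a throwaway directory.
dir=$(mktemp -d)
make_ca "$dir"
issue_client "$dir" client01
issue_client "$dir" client02
verify_client "$dir" "$dir/client01.crt" && echo "client01: accepted"
verify_client "$dir" "$dir/client02.crt" && echo "client02: accepted"
make_selfsigned "$dir" client01
verify_client "$dir" "$dir/unsigned.crt" || echo "self-signed client01: rejected"
rm -rf "$dir"
```

With this layout each client holds only its own key and certificate, and the server needs only ca.crt besides its own pair. On the server side, loading ca.crt with SSL_CTX_load_verify_locations and calling SSL_CTX_set_verify with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT lets the handshake itself reject clients whose certificate does not chain to this CA.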

0 Answers