
I am attempting to connect to a remote server which requires mutual auth. I have received a .p12 file from the server, and used the following commands to generate my private key and client cert:

openssl pkcs12 -in my_dev.p12 -out clientCert.crt -nokeys -clcerts
openssl pkcs12 -in my_dev.p12  -nocerts -nodes -passin pass:mypassword | openssl rsa -out privkey.pem

And I have used the following code to set up a Manticore client:

client = Manticore::Client.new(
    pool_max: 200,
    pool_max_per_route: 200,
    ssl: { verify: :disable, client_key: client_key, client_cert: client_cert })

url = "https://my_url.com"
resp = client.get(url).call

The response I am getting is this:

401 Unauthorized
Unauthorized
This server could not verify that you are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.

I am very new to using mutual auth, and am not sure exactly where I am going wrong. Have I extracted the clientCert and privateKey correctly? Am I supplying the key and cert to Manticore correctly?

bkahler

1 Answer


You can use PKCS12 files directly from Manticore with the ssl[:keystore] option:

client = Manticore::Client.new(
  pool_max: 200,
  pool_max_per_route: 200,
  ssl: { keystore: "/path/to/auth.p12", keystore_password: "your_password" }
)

keystore is used for the certs you wish to present to the remote server, while truststore is used for the public certs you wish to use to validate the identity of the remote server; you should probably not use verify: :disable in this case, since you do want to validate the identity of the other end of the connection.

Chris Heald
  • Thanks for the reply Chris. I have set up the client as you outlined above, but now I get this error: "Manticore::ClientProtocolException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". Is that an issue with my client or with the server? – bkahler Aug 05 '15 at 20:28
  • That's likely due to Manticore not being able to validate the server's certificate (ie, because it's not a CA-signed cert, and/or because you lack the proper certs). `:truststore` will allow you to specify a trust store to use (ie, one containing the public half of the server's SSL cert), or you can provide `ca_file` which is an X509 certificate chain. – Chris Heald Aug 05 '15 at 20:30
  • Also, you can try it with `verify: :disable` to see if that is indeed the problem, though as I mentioned I don't recommend that for production usage, since it means you could potentially connect to an untrusted server. – Chris Heald Aug 05 '15 at 20:31
  • With `verify: :disable` I get the following: `401 Unauthorized Unauthorized "This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."` Should I be using the p12 I was provided as is, or do I need to make a conversion somewhere? I have also contacted the server side team to make sure everything is configured as expected on that end. – bkahler Aug 05 '15 at 20:50
  • You *should* be able to use it as-is. The [Manticore specs](https://github.com/cheald/manticore/blob/master/spec/manticore/client_spec.rb#L150-L182) for client auth have an example of using a .p12 store. You can probably test the file with `openssl s_client` to see if it auths correctly outside of Manticore. It's possible that you've found a bug, too - client cert auth is not extensively tested, but I'm happy to help figure it out and fix it if that's the case (I'm the author of Manticore). – Chris Heald Aug 05 '15 at 20:54
  • I've run `openssl s_client -connect my_url.com:443 -ssl3` ... what am I looking for here? Sorry for the back and forth, but I'm very new to this. – bkahler Aug 05 '15 at 21:20
  • You can test if the p12 file works for auth with something like: `openssl pkcs12 -in [PKCS12 file] -out [whatever].key; openssl s_client -tls1 -connect servername.com:443 -cert [whatever].key -key [whatever].key`. Also make sure it's a valid client auth cert as described [here](http://stackoverflow.com/a/13127870/271475). – Chris Heald Aug 05 '15 at 21:26
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/85249/discussion-between-bkahler-and-chris-heald). – bkahler Aug 05 '15 at 22:37
  • So long after we had this discussion, it turns out that my target server required both mutual auth and basic auth. Manticore is working as expected. – bkahler Nov 10 '15 at 18:53
  • Ah! Good to know. Thanks for the follow-up! – Chris Heald Nov 10 '15 at 19:05
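The comments above suggest checking that the supplied .p12 really holds a client-auth certificate before suspecting Manticore. The following is added example code, not from the question, the answer or the Manticore project: it performs that inspection with Ruby's standard OpenSSL library instead of the openssl CLI, and builds its own constructed PKCS#12 bundle in memory so it runs offline. `build_sample_p12` and `check_client_p12` are names chosen here.

```ruby
require 'openssl'

# Constructed stand-in for the my_dev.p12 handed over by the server team, built
# in memory so the check below runs offline. with_client_auth: false produces a
# bundle whose certificate is NOT a client-auth cert, to exercise the failure path.
def build_sample_p12(password, with_client_auth: true)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=constructed-client')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef  = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  eku = with_client_auth ? 'clientAuth' : 'serverAuth'
  cert.add_extension(ef.create_extension('extendedKeyUsage', eku, true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  OpenSSL::PKCS12.create(password, 'client', key, cert).to_der
end

# Inspect a PKCS#12 blob the way Manticore's ssl[:keystore] will consume it:
# the password must open it, the private key must match the certificate, the
# certificate must be inside its validity window, and its Extended Key Usage
# must permit TLS client authentication. Returns findings instead of raising.
def check_client_p12(der, password)
  p12 = OpenSSL::PKCS12.new(der, password)
  cert, key = p12.certificate, p12.key
  problems = []
  problems << 'private key does not match certificate' unless cert.check_private_key(key)
  now = Time.now
  problems << 'certificate outside its validity window' unless cert.not_before <= now && now <= cert.not_after
  eku = cert.extensions.find { |ext| ext.oid == 'extendedKeyUsage' }
  if eku.nil?
    # No EKU at all: some servers accept this, but confirm it with the issuer.
    problems << 'no extendedKeyUsage extension, clientAuth not asserted'
  elsif !eku.value.include?('TLS Web Client Authentication')
    problems << "extendedKeyUsage lacks clientAuth: #{eku.value}"
  end
  # ca_certs holds the intermediates bundled in the file; these belong in the
  # keystore with the client cert, not in the truststore that validates the server.
  { subject: cert.subject.to_s, ca_chain: p12.ca_certs.to_a.size, problems: problems }
rescue OpenSSL::PKCS12::PKCS12Error => e
  { subject: nil, ca_chain: 0, problems: ["cannot open PKCS#12 (wrong password or corrupt file): #{e.message}"] }
end
```

To check a real file, pass `File.binread('/path/to/auth.p12')` and the keystore password to `check_client_p12`; an empty `problems` array means the bundle is at least a plausible client-auth keystore.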