
I'm currently testing an mTLS scenario, server and client, using Boost.Asio. Each party has its own certificate and key, issued by a self-signed CA root (OpenSSL).

It works as expected, however there is a major issue for which, after searching quite a lot, I came to a dead end. I need to be able to revoke client-side certificates at any point in time.

So the question is, how to revoke certificates from clients? (make asio server refuse them)

I tried several options in the Boost.Asio context without success; I could not find a way to revoke the client-side certificate.

Mecanik
  • 1,539
  • 1
  • 20
  • 50
  • I imagine you'll have to implement this yourself in the certificate validation callback. See https://stackoverflow.com/questions/2913440/openssl-how-to-check-if-a-certificate-is-revoked-or-not for details (though those instructions may be out of date) – Alan Birtles Dec 04 '22 at 08:33
  • @AlanBirtles Thanks, I've found these articles but unfortunately there is no viable sample to go on... and all of them almost mention cert store. Really sad. – Mecanik Dec 04 '22 at 12:04
  • I think if you want to handle CRLs you might have to have a certificate store – Alan Birtles Dec 04 '22 at 13:05
  • Nothing here is related to Boost or Asio. PKI is hard and there are different "religions" about revocation. ISTR there is a standardized revocation list interface but few infrastructures implement them in standardized form - I think I remember it being for scalability reasons - but also consider when systems are offline or have unreliable connectivity. It would really make connections very costly or sometimes even impossible. – sehe Dec 04 '22 at 15:00
  • @AlanBirtles Indeed, but perhaps I use LetsEncrypt for example? – Mecanik Dec 04 '22 at 15:15
  • @sehe I disagree, there should be some example for how to use verify callback in order to check if certificate is still valid... – Mecanik Dec 04 '22 at 15:16
  • @Mecanik That example is e.g. `example/cpp{03,11}/ssl/client.cpp`. However your question "So the question is, how to revoke certificates from clients?" is out of scope. It asks how to _implement_ the callback. You might find something in e.g. OpenSSL documentation or that of your PKI provider – sehe Dec 04 '22 at 15:21
  • E.g. `openssl verify` takes flags (like `-crl_check`, `-crl_check_all` and `-extended_crl`). This comment here links to more background that I was hinting at (e.g. why Chrome doesn't use CRLs): https://security.stackexchange.com/questions/232417/openssl-shows-a-revoked-certificate-as-secure#comment474988_232417. That site is probably a better match for details about certificate revocation. – sehe Dec 04 '22 at 15:24
  • @sehe Thanks, after investigation it seems that the verify_callback wrapper from asio replaces the original verification callback, which makes it really unusable for "custom" checking. If it was an additional callback (pre/post) it would have been the exact solution I was looking for, allowing you to revoke any existing cert based on thumbprint, serial, etc. – Mecanik Dec 04 '22 at 21:28
  • @Mecanik reading the docs [I don't know what more information you could require](https://www.boost.org/doc/libs/1_80_0/doc/html/boost_asio/reference/ssl__context/set_verify_callback/overload1.html#:~:text=True%20if%20the%20certificate%20passed%20pre%2Dverification) to achieve the goal. Regardless, you're mostly confirming that you have to solve this problem regardless of what libraries you use to implement the SSL details. Also, doing it based on thumbprint almost sounds like you want certificate pinning, which is so common I should think there will be multiple examples floating around. – sehe Dec 04 '22 at 21:52
  • @sehe I have read the documentation, which is why I said it looks like it overwrites the built in cert validation... which already sounds bad? Because I do not want to overwrite anything and break built in functionality, all I want is to say at any point in time: refuse cert 123456789. That's all really. – Mecanik Dec 05 '22 at 03:47
  • @Mecanik what do you think "preverified" means (or what do you mean with "it overwrites the built in cert validation...")? "all I want is to say at any point in time: refuse cert 123456789" - oh that's a LOT more concrete than all the verbiage that came before. If you can reword the question (making explicit what `123456789` represents), I can see whether I can code it up, or whether there would indeed be a limitation. – sehe Dec 05 '22 at 15:59
  • @sehe Can you come on our Discord? I can show you what I "cooked" up ("working"). – Mecanik Dec 05 '22 at 17:01
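
The verify-callback approach the comments point at, as an added example (not code from the question, from Boost or from OpenSSL). It keeps OpenSSL's own chain check by honouring `preverified` and only adds a runtime-editable deny list keyed on certificate serial; it assumes a single private CA (so a serial alone identifies a cert) and that the `RevocationList` outlives the `ssl::context` it is installed on.

```cpp
#include <algorithm>
#include <cctype>
#include <mutex>
#include <set>
#include <string>

// Serial numbers (hex, as printed by `openssl x509 -noout -serial`) that the
// server must refuse from now on. Entries can be added or removed at runtime,
// which is what "refuse cert 123456789 at any point in time" asks for.
class RevocationList {
public:
    // "0a:1b", "0A1B" and "000A1B" all denote the same serial: strip
    // separators and leading zeros, upper-case the rest.
    static std::string normalize(std::string s) {
        s.erase(std::remove(s.begin(), s.end(), ':'), s.end());
        for (auto& c : s) c = static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
        auto nz = s.find_first_not_of('0');
        return nz == std::string::npos ? "0" : s.substr(nz);
    }
    void revoke(const std::string& serial)   { std::lock_guard<std::mutex> g(m_); revoked_.insert(normalize(serial)); }
    void unrevoke(const std::string& serial) { std::lock_guard<std::mutex> g(m_); revoked_.erase(normalize(serial)); }
    // The value the verify callback returns: never turn a failed built-in check
    // into a pass, and fail any chain element whose serial is on the list.
    bool accept(bool preverified, const std::string& serial) const {
        if (!preverified) return false;
        std::lock_guard<std::mutex> g(m_);
        return revoked_.count(normalize(serial)) == 0;
    }
private:
    mutable std::mutex m_;
    std::set<std::string> revoked_;
};

#if __has_include(<boost/asio/ssl.hpp>)   // adapter only built where Boost.Asio is present
#include <boost/asio/ssl.hpp>
#include <openssl/bn.h>
#include <openssl/x509.h>

// Install on the server's context. The callback runs once per chain element with
// OpenSSL's verdict in `preverified`; the serial of the element under inspection
// is read from the X509_STORE_CTX that verify_context wraps.
void install_revocation_check(boost::asio::ssl::context& ctx, RevocationList& rl) {
    ctx.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);
    ctx.set_verify_callback([&rl](bool preverified, boost::asio::ssl::verify_context& vc) {
        X509* cert = X509_STORE_CTX_get_current_cert(vc.native_handle());
        if (!cert) return false;
        BIGNUM* bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), nullptr);
        char* hex = BN_bn2hex(bn);               // OpenSSL-allocated, upper-case hex
        bool ok = rl.accept(preverified, hex);
        OPENSSL_free(hex);
        BN_free(bn);
        return ok;
    });
}
#endif
```

Calling `rl.revoke("12:34:56:78:9")` from any thread makes the next handshake presenting that serial fail; existing sessions are not torn down, so drop them separately if the revocation must take effect immediately.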

0 Answers