Topic: Client authentication still passed even without client-key/cert.pem

I'm encountering a strange problem: client authentication still passed even though client-cert.pem and client-key.pem are not loaded in the wolfSSL client. Client authentication checking has been enabled on the server side.

Client side (STM32F2+FreeRTOS):
1) Add wolfSSL files into my project.

2) Build settings:
#define FREERTOS
#define WOLFSSL_LWIP
#define WOLFSSL_STM32F2
#define WOLFSSL_IAR_ARM
#define WOLFSSL_STATIC_RSA

#define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA

#define WOLFSSL_LOW_MEMORY
#define DEBUG_WOLFSSL
#define NO_INLINE
#define NO_WOLFSSL_SERVER
#define NO_DES3
#define NO_DH
#define NO_MD4
#define NO_RC4
#define NO_MD5
#define NO_SESSION_CACHE
#define NO_ERROR_STRINGS
#define NO_OLD_TLS
#define NO_PWDBASED
#define NO_HC128
#define NO_SHA512
#define NO_DSA
#define WC_NO_RSA_OAEP
#define NO_CERT
#define USER_TICKS
#define USER_TIME
#define USER_TIME_TJZ_DEF

3) Key code:

/* Debug logging and library initialisation */
wolfSSL_SetLoggingCb(wolfSSL_Logging);
wolfSSL_Debugging_ON();
wolfSSL_library_init();
wolfSSL_load_error_strings();

/* TLS 1.2 client context; only the server's CA is loaded, no client cert/key */
ssl_ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());
wolfSSL_CTX_set_cipher_list(ssl_ctx, "AES128-SHA");
//wolfSSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, 0);
wolfSSL_CTX_load_verify_buffer(ssl_ctx, ca_cert_der_1024, sizeof_ca_cert_der_1024, SSL_FILETYPE_ASN1);

/* Plain TCP connection (arguments omitted in the original post) */
sockfd = socket(xxxx);
connect(sockfd, xxxx, xxxx);

/* Attach the socket to a new SSL object */
ssl = wolfSSL_new(ssl_ctx);
wolfSSL_set_fd(ssl, sockfd);

4) Use wolfSSL_read()/wolfSSL_write() to send messages to and receive messages from the server.

Server side: Node.js
Key code:

    var wsCa = fs.readFileSync(path.resolve(config.secure.wsCa), 'utf8');
    var wsServerCert = fs.readFileSync(path.resolve(config.secure.wsServerCert), 'utf8');
    var wsServerKey = fs.readFileSync(path.resolve(config.secure.wsServerKey), 'utf8');

    var wsOptions = {
        key: wsServerKey,
        cert: wsServerCert,
        ca: wsCa,
        requestCert : true,
        secureProtocol: 'TLSv1_2_method',
        ciphers: [
            'ECDHE-RSA-AES128-GCM-SHA256',
            'ECDHE-ECDSA-AES128-GCM-SHA256',
            'ECDHE-RSA-AES256-GCM-SHA384',
            'ECDHE-ECDSA-AES256-GCM-SHA384',
            'DHE-RSA-AES128-GCM-SHA256',
            'ECDHE-RSA-AES128-SHA256',
            'DHE-RSA-AES128-SHA256',
            'ECDHE-RSA-AES256-SHA384',
            'DHE-RSA-AES256-SHA384',
            'ECDHE-RSA-AES256-SHA256',
            'DHE-RSA-AES256-SHA256',
            'HIGH',
            '!aNULL',
            '!eNULL',
            '!EXPORT',
            '!DES',
            '!RC4',
            '!MD5',
            '!PSK',
            '!SRP',
            '!CAMELLIA'
        ].join(':'),
        honorCipherOrder: true
    };

    ws_server = https.createServer(wsOptions, app);
    wss = new WebSocketServer({
        server: ws_server
    });

Can you pls help to find the cause of the problem?

Thanks a lot!
Jack


Re: Client authentication still passed even without client-key/cert.pem

Hi Jack,

When using TLS 1.2, if the client doesn't send a client certificate, the server can choose whether to continue or error out. From RFC 5246 [1]:

If the client does not send any certificates, the
server MAY at its discretion either continue the handshake without
client authentication, or respond with a fatal handshake_failure
alert.

From the node.js documentation, it looks like you might need to add the rejectUnauthorized option to your server config, i.e. "rejectUnauthorized: true". Can you give that a try?

Thanks,
Chris

[1] https://tools.ietf.org/html/rfc5246#section-7.4.6
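The distinction Chris draws above (requestCert asks for a certificate, rejectUnauthorized makes a missing or untrusted one fatal) is easy to get wrong in a Node.js options object, so here is an added example that is not part of the thread and not wolfSSL or Node.js project code. It places the poster's weak configuration beside the corrected one, audits such an options object for client-certificate enforcement, and shows a request-handler guard that checks the handshake result on the socket as defence in depth. The PEM strings are placeholders, and the auditClientAuth, rejectUnauthenticatedClient and withClientAuth helpers are hypothetical names chosen here; socket.authorized, socket.authorizationError and socket.getPeerCertificate() are the core tls.TLSSocket properties.

```javascript
'use strict';

// Constructed stand-in for the poster's server options: requestCert is set,
// rejectUnauthorized is not. The PEM values are placeholders, not real keys.
const weakOptions = {
  key: '<server key PEM>',
  cert: '<server cert PEM>',
  ca: '<CA PEM used to verify client certificates>',
  requestCert: true,
  secureProtocol: 'TLSv1_2_method',
};

// Corrected options: a client that presents no certificate, or one that does
// not chain to 'ca', now fails the handshake instead of being let through.
const strictOptions = {
  ...weakOptions,
  rejectUnauthorized: true,
};

// Audit a tls.createServer / https.createServer options object.
// rejectUnauthorized is treated as unenforced unless it is explicitly true,
// so the verdict does not depend on the default of the Node.js version in use.
// Returns { enforced: boolean, findings: string[] }.
function auditClientAuth(opts) {
  const findings = [];
  if (opts.requestCert !== true) {
    findings.push('requestCert is not true: the server never asks for a client certificate');
  }
  if (opts.rejectUnauthorized !== true) {
    findings.push('rejectUnauthorized is not explicitly true: a client without a trusted certificate can still complete the handshake');
  }
  if (!opts.ca) {
    findings.push('no ca supplied: client certificates cannot be checked against your own CA');
  }
  return { enforced: findings.length === 0, findings };
}

// Second line of defence inside the request handler: accept the request only
// if the TLS layer marked the peer as authorized and a certificate is present.
// req.socket is a tls.TLSSocket. Returns null when acceptable, otherwise
// { status, reason } for the error response.
function rejectUnauthenticatedClient(req) {
  const sock = req.socket;
  if (!sock.authorized) {
    return { status: 401, reason: sock.authorizationError || 'no client certificate presented' };
  }
  // getPeerCertificate() returns an empty object when no certificate was sent.
  const peer = typeof sock.getPeerCertificate === 'function' ? sock.getPeerCertificate() : null;
  if (!peer || !peer.subject) {
    return { status: 401, reason: 'authorized socket without a peer certificate' };
  }
  return null;
}

// Wrap an application handler so the guard runs first. Intended for
// https.createServer(strictOptions, withClientAuth(app)).
function withClientAuth(handler) {
  return (req, res) => {
    const verdict = rejectUnauthenticatedClient(req);
    if (verdict) {
      res.writeHead(verdict.status, { 'Content-Type': 'text/plain' });
      res.end(verdict.reason);
      return;
    }
    handler(req, res);
  };
}
```

Running auditClientAuth over the two objects reports the weak configuration as unenforced (rejectUnauthorized missing) and the strict one as enforced. The withClientAuth guard only matters when the TLS layer has been allowed to continue, which is exactly the situation the thread describes; with rejectUnauthorized: true the handshake itself fails and the handler is never reached.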

Re: Client authentication still passed even without client-key/cert.pem

Hi Chris,

Sorry for the late response. The problem got solved. One cause is that rejectUnauthorized needs to be true; the other cause is that the certificate/key files were not generated correctly.

Thanks again for your support.
Jack


Re: Client authentication still passed even without client-key/cert.pem

Hi Jack,

Great, thanks for following up and letting me know what helped.

Best Regards,
Chris