
client certificate authentication #83

Closed
akhileshsarda opened this issue Nov 27, 2018 · 21 comments

Comments

@akhileshsarda

Hi
I want to allow only a specific client to connect to the server (running as ./simple_example), using SSL/TLS certificates,
so that it reads the client's certificate, verifies it is authentic, and only then starts communication.
In my case, I tried creating certificates (using openssl) which I pass as arguments to the server, but it seems that the server sends these files to any client which tries to connect to it, so it's able to communicate over HTTPS.
But I want to allow only a client which has a server-signed certificate.
How can I do it?

@babelouest
Owner

Hello,

Right now you can't use https client certificate authentication in ulfius, but it's an interesting feature, I'll probably add it in a future release.
I'll keep you posted if you want to test this feature before I'll release it.

@akhileshsarda
Author

Yeah, thanks. That will be very helpful.

@akhileshsarda
Author

I think we can use MHD_start_daemon to authenticate the client; for this we will have to link the application against gnutls. (Don't know how to do this.)
Then we need to specify the root CA we are willing to trust, like:
daemon = MHD_start_daemon (MHD_USE_SELECT_INTERNALLY | MHD_USE_SSL, PORT, NULL, NULL, &callback_function, NULL, MHD_OPTION_HTTPS_MEM_KEY, key_pem, MHD_OPTION_HTTPS_MEM_CERT, cert_pem, MHD_OPTION_HTTPS_MEM_TRUST, root_ca_pem, MHD_OPTION_END);
Will have to look into how to implement this in ulfius.

@babelouest
Owner

Yes, that's my intention

@babelouest
Owner

babelouest commented Dec 1, 2018

Hello @akhileshsarda ,

Can you test the client certificate authentication using the branch client-cert-auth?

You'll need GnuTLS library and you must enable websocket support to have client certificate authentication.

In there you have a new startup function called

int ulfius_start_secure_ca_trust_framework(struct _u_instance * u_instance, const char * key_pem, const char * cert_pem, const char * root_ca_pem);

It works the same as ulfius_start_secure_framework, except that it needs the root ca certificate in PEM format.

Then, on the callback function for an endpoint, you have the struct _u_request.client_cert new property as a gnutls_x509_crt_t type to access the client certificate if the client used one to authenticate.

Check the updated example_programs/auth_example for an example of use:
https://github.com/babelouest/ulfius/blob/client-cert-auth/example_programs/auth_example/auth_server.c#L93

@akhileshsarda
Author

Ignore the above comment.
I have followed the steps from https://github.com/babelouest/ulfius/blob/client-cert-auth/example_programs/auth_example/auth_server.c to create and run.
But it's not working. The server is running on the other side with ./auth_server server.key server.crt ca.crt
client
Is there anything wrong with certificates ?

@babelouest
Owner

@akhileshsarda ,
There's probably nothing wrong with the certificates but something's weird.
In your screenshot it executes the non secure authentication tests.
Maybe you forgot to clean the code before rebuilding the example applications.

In my case, when I run auth_server on a terminal I have the following output:

test@test:/usr/src/ulfius/example_programs/auth_example$ ./auth_server server.key server.crt ca.crt
2018-12-04T22:40:53 - auth_server INFO: logs start
Start secure framework on port 2884
Press <enter> to quit server
2018-12-04T22:41:42 - auth_server DEBUG: dn of the client: C=CA,ST=Quebec,L=Quebec,O=Ulfius,OU=test-client,CN=localhost,EMAIL=webmaster@localhost
2018-12-04T22:41:42 - auth_server DEBUG: dn of the issuer: C=CA,ST=Quebec,L=Quebec,O=Ulfius,OU=test-ca,CN=localhost,EMAIL=webmaster@localhost

End framework

You can see the startup message is Start _secure_ framework on port 2884

On the client terminal, I have the following output:

test@test:/usr/src/ulfius/example_programs/auth_example$ ./auth_client client.crt client.key password
2018-12-04T22:47:23 - auth_client INFO: logs start
Press <enter> to run client certificate authentication test


status is
200


string body is 
client dn: 'C=CA,ST=Quebec,L=Quebec,O=Ulfius,OU=test-client,CN=localhost,EMAIL=webmaster@localhost', ussued by: 'C=CA,ST=Quebec,L=Quebec,O=Ulfius,OU=test-ca,CN=localhost,EMAIL=webmaster@localhost'

Can you try the test again, but first run make clean from the ulfius root directory, then build the test:

$ cd ulfius
$ make clean
$ cd src
$ make && sudo make install
$ cd ../example_programs/auth_example
$ make
$ ./auth_server server.key server.crt ca.crt # on one terminal
$ ./auth_client client.crt client.key password # on another terminal

@akhileshsarda
Author

akhileshsarda commented Dec 6, 2018

Thanks for quick response.

I tried doing the clean-up exactly as you mentioned above, but it didn't work. So I cloned it on a new setup, and there it is also showing the same error. (It works in the master branch, but in non-secure mode.)
Do I need to do some kind of enabling (websocket) after building the newly cloned repo?

You'll need GnuTLS library and you must enable websocket support to have client certificate authentication.

@babelouest
Owner

Websocket support is enabled by default.

Have you checked out the branch client-cert-auth?

$ git checkout client-cert-auth

@babelouest
Owner

From the beginning, the commands should look like this:

$ git clone https://github.com/babelouest/ulfius.git
$ cd ulfius
$ git checkout client-cert-auth
$ cd src
$ make && sudo make install
$ cd ../example_programs/auth_example
$ make
$ # generate or copy the certificates
$ ./auth_server server.key server.crt ca.crt
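The "generate or copy the certificates" step above is the one the thread never spells out, and the original question was precisely about accepting only clients whose certificate was issued by the server's CA. The script below is an added example, not part of the ulfius project: it builds a throw-away PKI in the file names the auth_example programs take on the command line (server.key, server.crt, ca.crt for auth_server; client.crt, client.key plus a key passphrase for auth_client), then checks with openssl that the client certificate chains to the CA and that a self-signed certificate from someone else does not. The directory, subject fields, passphrase and the name rogue.crt are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the ulfius project: a throw-away PKI for testing
# client certificate authentication. All names and subject fields are constructed.
set -e

# gen_test_pki DIR PASSPHRASE
#   DIR/ca.crt                     self-signed root CA: the trust anchor auth_server receives as 3rd argument
#   DIR/server.key, DIR/server.crt server identity, signed by the CA
#   DIR/client.key, DIR/client.crt client identity, signed by the CA; key encrypted with PASSPHRASE
#   DIR/rogue.crt                  self-signed certificate NOT issued by the CA (negative check)
gen_test_pki() {
  dir=$1
  pass=$2
  mkdir -p "$dir"

  # Explicit extensions, so the CA really is a CA and the leaves are end-entity
  # certificates regardless of what the system openssl.cnf defaults to.
  cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

  # 1. Root CA. ca.key is the one secret that matters: whoever holds it can
  #    issue client certificates the server will accept.
  openssl req -config "$dir/openssl.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -extensions v3_ca -subj "/C=XX/ST=Example/L=Example/O=Ulfius-test/OU=test-ca/CN=test-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # 2. Server key + CSR, signed by the CA.
  openssl req -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=XX/ST=Example/L=Example/O=Ulfius-test/OU=test-server/CN=localhost" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -sha256 -days 30 -extfile "$dir/openssl.cnf" -extensions v3_server -out "$dir/server.crt" 2>/dev/null

  # 3. Client key (passphrase-protected, matching auth_client's third argument)
  #    + CSR, signed by the same CA.
  openssl req -config "$dir/openssl.cnf" -newkey rsa:2048 -passout "pass:$pass" -sha256 \
    -subj "/C=XX/ST=Example/L=Example/O=Ulfius-test/OU=test-client/CN=localhost" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -sha256 -days 30 -extfile "$dir/openssl.cnf" -extensions v3_client -out "$dir/client.crt" 2>/dev/null

  # 4. Perfectly valid TLS material that our CA never issued.
  openssl req -config "$dir/openssl.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -extensions v3_client -subj "/O=Somebody-else/CN=rogue-client" \
    -keyout "$dir/rogue.key" -out "$dir/rogue.crt" 2>/dev/null
}

# verify_against_ca CA_FILE CERT_FILE: succeeds only if CERT_FILE chains to CA_FILE,
# which is the same decision the server makes with ca.crt as its trust store.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: sh this_script.sh <output-dir> [client-key-passphrase]
if [ $# -gt 0 ]; then
  gen_test_pki "$1" "${2:-password}"
  verify_against_ca "$1/ca.crt" "$1/client.crt" && echo "client.crt is issued by ca.crt"
  verify_against_ca "$1/ca.crt" "$1/rogue.crt" || echo "rogue.crt is NOT issued by ca.crt: the server will reject it"
fi
```

After running it into a directory, copy server.key, server.crt and ca.crt next to auth_server and client.crt, client.key next to auth_client, and start both exactly as in the command listing above. Presenting rogue.crt to the server instead is the quickest way to confirm that the trust check is actually on.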

@akhileshsarda
Author

Yes, I did the same. I am doing this after checking out client-cert-auth.
I followed INSTALL.md:
apt-get install libmicrohttpd-dev libjansson-dev libcurl4-gnutls-dev libgnutls28-dev libgcrypt20-dev
then downloaded the Orcania, Yder and Ulfius source code from GitHub, compiled and installed Orcania, then Yder, then ulfius.

The only thing I changed is the Makefile in auth_example, as it was failing while building (it depends on libyder, as follows):

diff --git a/example_programs/auth_example/Makefile b/example_programs/auth_example/Makefile
index 869bee7..3a8c841 100644
--- a/example_programs/auth_example/Makefile
+++ b/example_programs/auth_example/Makefile
@@ -17,7 +17,7 @@ ULFIUS_LOCATION=../../src
ULFIUS_INCLUDE=../../include
EXAMPLE_INCLUDE=../include
CFLAGS=-c -Wall -I$(ULFIUS_INCLUDE) -I$(EXAMPLE_INCLUDE) -D_REENTRANT $(ADDITIONALFLAGS)
-LIBS=-lc -lgnutls -lulfius -lorcania -L$(ULFIUS_LOCATION)
+LIBS=-lc -lgnutls -lulfius -lorcania -lyder -L$(ULFIUS_LOCATION)
ifdef YDERFLAG
LIBS=$(LIBS) -lyder
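Review bot: the unconditional `-lyder` added to the `LIBS=` line conflicts with the `ifdef YDERFLAG` block directly below it, which already appends `-lyder` when that variable is set, so a build with YDERFLAG defined now links Yder twice and a build that deliberately leaves Yder out (the reason the `ifdef` exists) gains a hard dependency. The link failure being worked around suggests YDERFLAG is simply not defined when the example is built; a more targeted fix is to define it (for instance `make YDERFLAG=1`, since `ifdef` only tests whether the variable is set) or to have the Makefile default it, rather than hard-coding the library. The hunk is also cut off before the matching `endif`, so the rest of the conditional is not visible for review.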

@babelouest
Owner

OK there's a small bug in the example_programs/auth_example/Makefile, I will fix it soon, thanks.

Concerning your initial problem (testing auth_example with certificates), I don't understand it yet. Can you copy-paste your console output again?
Also, can you copy-paste the content of your file ulfius/include/ulfius-cfg.h?

I'll try to figure out what's missing

@akhileshsarda
Author

Git status:

akhilesh@akhilesh:~/akhilesh/ulfius/example_programs/auth_example$ git status
On branch client-cert-auth
Your branch is up-to-date with 'origin/client-cert-auth'.

The below is console output:
Terminal 1:

akhilesh@akhilesh:~/akhilesh/ulfius/example_programs/auth_example$ ./auth_server server.key server.crt ca.crt 
2018-12-06T21:39:24 - auth_server INFO: logs start
Start framework on port 2884
Press <enter> to quit server

Terminal 2:

akhilesh@akhilesh:~/akhilesh/ulfius/example_programs/auth_example$ ./auth_client client.crt client.key password
2018-12-06T21:40:08 - auth_client INFO: logs start
Press <enter> to run auth tests no authentication

2018-12-06T21:40:09 - auth_client ERROR: Ulfius - Error executing curl command: Couldn't connect to server
Error in http request: 5
Press <enter> to run auth tests success authentication

2018-12-06T21:40:12 - auth_client ERROR: Ulfius - Error executing curl command: Couldn't connect to server
Error in http request: 5
Press <enter> to run auth tests error authentication

2018-12-06T21:40:12 - auth_client ERROR: Ulfius - Error executing curl command: Couldn't connect to server
Error in http request: 5
Press <enter> to run auth tests 404

2018-12-06T21:40:16 - auth_client ERROR: Ulfius - Error executing curl command: Couldn't connect to server
Error in http request: 5
Press <enter> to run default auth tests success authentication

2018-12-06T21:40:17 - auth_client ERROR: Ulfius - Error executing curl command: Couldn't connect to server
Error in http request: 5
Press <enter> to run default auth tests error authentication

2018-12-06T21:40:17 - auth_client ERROR: Ulfius - Error executing curl command: Couldn't connect to server
Error in http request: 5

And the content of ulfius/include/ulfius-cfg.h:

#ifndef _ULFIUS_CFG_H_
#define _ULFIUS_CFG_H_

#define ULFIUS_VERSION 2.5.0
/* #undef U_DISABLE_JANSSON */
/* #undef U_DISABLE_CURL */
#define U_DISABLE_WEBSOCKET
/* #undef U_DISABLE_YDER */
/* #undef U_WITH_FREERTOS */
/* #undef U_WITH_LWIP */

#endif /* _ULFIUS_CFG_H_ */

@babelouest
Owner

OK so there was a problem when you built ulfius because the config file says websocket is disabled, so client cert auth is disabled too.

I've updated the src/Makefile to display the options on build. Can you git pull the latest source on the client-cert-auth branch, then rebuild the ulfius library and send me the output:

$ cd ulfius/src
$ make clean release

The correct build output should look like this:

Config file ../include/ulfius-cfg.h generated
JANSSON SUPPORT    ENABLED
CURL SUPPORT       ENABLED
WEBSOCKET SUPPORT  ENABLED
YDER SUPPORT       ENABLED
FREERTOS SUPPORT   DISABLED
LWIP SUPPORT       DISABLED
gcc -c -pedantic -std=gnu99 -fPIC -Wall -D_REENTRANT -I../include -O3  ulfius.c
gcc -c -pedantic -std=gnu99 -fPIC -Wall -D_REENTRANT -I../include -O3  u_map.c
gcc -c -pedantic -std=gnu99 -fPIC -Wall -D_REENTRANT -I../include -O3  u_request.c
gcc -c -pedantic -std=gnu99 -fPIC -Wall -D_REENTRANT -I../include -O3  u_response.c
gcc -c -pedantic -std=gnu99 -fPIC -Wall -D_REENTRANT -I../include -O3  u_send_request.c
gcc -c -pedantic -std=gnu99 -fPIC -Wall -D_REENTRANT -I../include -O3  u_websocket.c
gcc -c -pedantic -std=gnu99 -fPIC -Wall -D_REENTRANT -I../include -O3  yuarel.c
gcc -shared -fPIC -Wl,-soname,libulfius.so -o libulfius.so.2.5.0 ulfius.o u_map.o u_request.o u_response.o u_send_request.o u_websocket.o yuarel.o -L/usr/local/lib -lc -lmicrohttpd -lorcania -lpthread  -lyder -ljansson -lcurl -lgnutls
ln -sf libulfius.so.2.5.0 libulfius.so

@babelouest
Owner

Also, check your version of libmicrohttpd, you must have at least 0.9.53 to enable websocket support.

@babelouest babelouest changed the title from "connection to server from specific client" to "client certificate authentication" Dec 7, 2018
@babelouest
Owner

@akhileshsarda , I've merged the branch client-cert-auth into the master branch. Have you succeeded on your tests so I can release Ulfius 2.5?

@akhileshsarda
Author

This is the output of dpkg (to see the version of the installed library). Is this okay?

akhilesh@akhilesh:~/akhilesh/ulfius/example_programs/auth_example$ sudo dpkg -l | grep microhttpd
ii  libmicrohttpd-dev                          0.9.59-1                            amd64        library embedding HTTP server functionality (development)
ii  libmicrohttpd12                            0.9.59-1                            amd64        library embedding HTTP server functionality

I have pulled the git repo after you merged the branch (then cleaned and built as mentioned before). I'm still facing the same issue. Maybe I messed up something; I will try cleaning all the stuff and rebuilding.

@babelouest
Owner

Thanks, if you find out what was wrong, can you let me know? Maybe something's not clear in the documentation.

@akhileshsarda
Author

I don't know what that was; while doing make clean release I saw /bin/sh: 1: pkg-config: not found, and websocket was also disabled.
So I tried it on another setup (where everything is clean) and it worked.
Client side output is:

akhilesh@akhilesh:~/akhilesh/ulfius/example_programs/auth_example$ ./auth_client client.crt client.key password
2018-12-10T10:36:27 - auth_client INFO: logs start
Press <enter> to run client certificate authentication test

status is
200

string body is 
 client dn: 'C=IN,ST=Telanagana,L=Hyderabad,O=REST,OU=restClient,CN=localhost,EMAIL=akhilesh7sarda@gmail.com', ussued by: 'C=IN,ST=Telanagana,L=Hyderabad,O=REST,OU=restCA,CN=localhost,EMAIL=akhilesh7sarda@gmail.com'

Thanks a lot for such quick responses.

@akhileshsarda
Author

And that too was resolved by installing pkg-config.

@babelouest
Owner

And that solves the problem :)

pkg-config is used in the Makefile to check the libmicrohttpd version. If the libmicrohttpd version is lower than 0.9.53 (or, in your case, if pkg-config isn't installed), Ulfius' Makefile disables websocket support, and therefore client certificate authentication.

Fixed in the documentation: 93541a8

Thanks for the help @akhileshsarda !
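The root cause of this whole thread was a silent build-time downgrade: a missing pkg-config made the version check fail, websocket support was switched off, and with it the security feature being tested. The script below is an added diagnostic, not the project's Makefile logic (which is not shown on this page): it reproduces the decision the maintainer describes, and goes one step further than a plain string comparison by comparing the version component-wise, so that a future "0.10.x" release is not mistaken for something older than 0.9.53. The Debian-style suffix handling ("0.9.59-1") is a constructed convenience for the dpkg output quoted above; the function names are the example's own.

```shell
#!/bin/sh
# Added diagnostic, not part of the ulfius build: check whether the gate that
# enables websocket support (and therefore client certificate authentication)
# would pass on this machine, and say why when it would not.
set -e

MHD_MIN_VERSION=0.9.53   # minimum libmicrohttpd version stated in the thread

# version_ge A B: exit 0 if dotted version A >= B, comparing numerically
# component by component ("0.10.1" > "0.9.53", which a string compare gets wrong).
version_ge() {
  i=1
  while :; do
    # trailing '.' guarantees cut sees a delimiter, so a missing field is "" rather than the whole line
    x=$(printf '%s.' "$1" | cut -d. -f"$i")
    y=$(printf '%s.' "$2" | cut -d. -f"$i")
    if [ -z "$x" ] && [ -z "$y" ]; then
      return 0                      # every component equal
    fi
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # "59-1" -> "59": drop packaging suffixes
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
}

# mhd_websocket_gate: mirror of the decision described in the thread.
# Prints a line in the style of the Makefile's build summary and returns
# 0 when websocket support (hence client cert auth) would be enabled.
mhd_websocket_gate() {
  if ! command -v pkg-config >/dev/null 2>&1; then
    echo "WEBSOCKET SUPPORT  DISABLED  (pkg-config not found: the version check cannot run; install pkg-config and rebuild)"
    return 1
  fi
  if ! v=$(pkg-config --modversion libmicrohttpd 2>/dev/null); then
    echo "WEBSOCKET SUPPORT  DISABLED  (pkg-config cannot find libmicrohttpd: is libmicrohttpd-dev installed?)"
    return 1
  fi
  if version_ge "$v" "$MHD_MIN_VERSION"; then
    echo "WEBSOCKET SUPPORT  ENABLED   (libmicrohttpd $v >= $MHD_MIN_VERSION)"
    return 0
  fi
  echo "WEBSOCKET SUPPORT  DISABLED  (libmicrohttpd $v < $MHD_MIN_VERSION)"
  return 1
}

mhd_websocket_gate || echo "Client certificate authentication will NOT be available in this build."
```

Run it before building the library: when it prints DISABLED, the ulfius-cfg.h shown earlier in the thread will carry U_DISABLE_WEBSOCKET and auth_server will start in the non-secure mode, exactly as happened here.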
