
Client certificate based authentication is not working (-cc, -ck, -ca) #3800

Closed
forgedhallpass opened this issue Jun 8, 2023 · 0 comments · Fixed by #3851
Labels
Status: Completed Nothing further to be done with this issue. Awaiting to be closed. Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors.

@forgedhallpass (Contributor):

Command:

```
nuclei -id http-missing-security-headers -ca server.crt -cc client.crt -ck client.key -v -debug -u https://localhost:8443
...
[WRN] [http-missing-security-headers] Could not execute request for https://localhost:8443: GET https://localhost:8443 giving up after 2 attempts: Get "https://localhost:8443": remote error: tls: bad certificate
```

The same certificates work with curl and with the Go client test below:

```shell
curl -k --cert client.crt --key client.key --cacert server.crt https://localhost:8443
```

Steps to reproduce

Generate the required certificates:

```shell
# Server
openssl genpkey -algorithm RSA -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -signkey server.key -in server.csr -out server.crt

# Client
openssl genpkey -algorithm RSA -out client.key
openssl req -new -key client.key -out client.csr
openssl x509 -req -in client.csr -CA server.crt -CAkey server.key -CAcreateserial -out client.crt
```

Create a test server:

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"net/http"
	"os"
)

func main() {
	// The server's own certificate; it is also the CA that issued client.crt.
	serverCert, err := tls.LoadX509KeyPair("server.crt", "server.key")
	if err != nil {
		log.Fatalf("loading server key pair: %v", err)
	}

	// Trust store for client certificates: only certs signed by server.crt are accepted.
	certPool := x509.NewCertPool()
	caCert, err := os.ReadFile("server.crt")
	if err != nil {
		log.Fatalf("reading CA certificate: %v", err)
	}
	if !certPool.AppendCertsFromPEM(caCert) {
		log.Fatal("no certificate found in server.crt")
	}

	server := &http.Server{
		Addr: ":8443",
		TLSConfig: &tls.Config{
			Certificates: []tls.Certificate{serverCert},
			// Require a client certificate and verify it against certPool; a missing
			// or untrusted certificate aborts the handshake with a "bad certificate" alert.
			ClientAuth: tls.RequireAndVerifyClientCert,
			ClientCAs:  certPool,
		},
	}

	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		// With RequireAndVerifyClientCert this is never empty, but keep the check explicit.
		if len(r.TLS.PeerCertificates) == 0 {
			http.Error(w, "Client certificate required", http.StatusForbidden)
			return
		}

		fmt.Fprintf(w, "Hello, %s!\n", r.TLS.PeerCertificates[0].Subject)
	})

	// Certificates are already set in TLSConfig, so the file arguments are redundant here.
	log.Fatal(server.ListenAndServeTLS("server.crt", "server.key"))
}
```

Create a go client for testing:

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"io"
	"net/http"
	"os"
	"testing"
)

func TestMTLSAuthentication(t *testing.T) {
	// Client certificate and key, the files passed to nuclei with -cc and -ck.
	cert, err := tls.LoadX509KeyPair("client.crt", "client.key")
	if err != nil {
		t.Fatalf("loading client key pair: %v", err)
	}
	// CA used to verify the server, the file passed to nuclei with -ca.
	caCert, err := os.ReadFile("server.crt")
	if err != nil {
		t.Fatalf("reading CA certificate: %v", err)
	}

	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caCert)

	client := &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				Certificates: []tls.Certificate{cert},
				RootCAs:      caCertPool,
				// Disables server certificate verification, like curl -k above;
				// redundant here because RootCAs already trusts server.crt.
				InsecureSkipVerify: true,
			},
		},
	}

	response, err := client.Get("https://localhost:8443")
	if err != nil {
		t.Fatal(err)
	}
	defer response.Body.Close()

	responseBody, err := io.ReadAll(response.Body)
	if err != nil {
		t.Fatal(err)
	}

	t.Log(response.Header)
	t.Log(string(responseBody))
}
```

It would also be nice to add an integration test scenario.

Related:
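Added example, not code from the issue or from nuclei: an offline reproduction of the server-side check behind the `remote error: tls: bad certificate` seen above. Go's crypto/tls sends that same alert whether the client presented no certificate at all or one that does not chain to `ClientCAs`, so a check like `WouldAccept` (hypothetical name) run on the real `server.crt`/`client.crt` pair separates "client tool never sent the cert" from "cert not trusted"; `issuePEM` (also hypothetical) builds constructed in-memory certificates in the roles of server.crt and client.crt, and the chain is a single certificate, as in the issue's setup.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// WouldAccept repeats the check a Go server with ClientAuth RequireAndVerifyClientCert
// applies to a presented client certificate, using caPEM as its ClientCAs pool; any
// failure, including a missing certificate, is answered with the "bad certificate" alert.
func WouldAccept(caPEM, clientPEM []byte) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return errors.New("no CA certificate in caPEM")
	}
	block, _ := pem.Decode(clientPEM)
	if block == nil {
		return errors.New("client presented no certificate")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// issuePEM returns a constructed test certificate for cn as PEM, plus its parsed form
// and key: signed by parent, or self-signed when parent is nil (the role of server.crt).
func issuePEM(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed: the template signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), leaf, key
}
```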

@forgedhallpass forgedhallpass added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Jun 8, 2023
@forgedhallpass forgedhallpass changed the title Client certificate based authentication is not working (-cc, -ck, -cc) Client certificate based authentication is not working (-cc, -ck, -ca) Jun 8, 2023
@Mzack9999 Mzack9999 self-assigned this Jun 20, 2023
@Mzack9999 Mzack9999 linked a pull request Jun 20, 2023 that will close this issue
@ehsandeep ehsandeep added this to the nuclei v2.9.7 milestone Jun 23, 2023
@ehsandeep ehsandeep added the Status: Completed Nothing further to be done with this issue. Awaiting to be closed. label Jun 26, 2023