Home Explore Help
Sign In
n4u
/
ranch
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: df60180e26
Branches Tags
ranch
/
doc
/
src
/
guide
/
ssl_auth.asciidoc

ssl_auth.asciidoc 4.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120 
  1. == SSL client authentication
    2. 

  2. 

  3. === Purpose
    4. 

  4. 

  5. SSL client authentication is a mechanism allowing applications to
    6. 

  6. identify certificates. This allows your application to make sure that
    7. 

  7. the client is an authorized certificate, but makes no claim about
    8. 

  8. whether the user can be trusted. This can be combined with a password
    9. 

  9. based authentication to attain greater security.
    10. 

  10. 

  11. The server only needs to retain the certificate serial number and
    12. 

  12. the certificate issuer to authenticate the certificate. Together,
    13. 

  13. they can be used to uniquely identify a certicate.
    14. 

  14. 

  15. As Ranch allows the same protocol code to be used for both SSL and
    16. 

  16. non-SSL transports, you need to make sure you are in an SSL context
    17. 

  17. before attempting to perform an SSL client authentication. This
    18. 

  18. can be done by checking the return value of `Transport:name/0`.
    19. 

  19. 

  20. === Obtaining client certificates
    21. 

  21. 

  22. You can obtain client certificates from various sources. You can
    23. 

  23. generate them yourself, or you can use a service like CAcert.org
    24. 

  24. which allows you to generate client and server certificates for
    25. 

  25. free.
    26. 

  26. 

  27. Following are the steps you need to take to create a CAcert.org
    28. 

  28. account, generate a certificate and install it in your favorite
    29. 

  29. browser.
    30. 

  30. 

  31. * Open http://cacert.org in your favorite browser
    32. 

  32. * Root Certificate link: install both certificates
    33. 

  33. * Join (Register an account)
    34. 

  34. * Verify your account (check your email inbox!)
    35. 

  35. * Log in
    36. 

  36. * Client Certificates: New
    37. 

  37. * Follow instructions to create the certificate
    38. 

  38. * Install the certificate in your browser
    39. 

  39. 

  40. You can optionally save the certificate for later use, for example
    41. 

  41. to extract the `IssuerID` information as will be detailed later on.
    42. 

  42. 

  43. === Transport configuration
    44. 

  44. 

  45. The SSL transport does not request a client certificate by default.
    46. 

  46. You need to specify the `{verify, verify_peer}` option when starting
    47. 

  47. the listener to enable this behavior.
    48. 

  48. 

  49. .Configure a listener for SSL authentication
    50. 

  50. 

  51. [source,erlang]
    52. 

  52. {ok, _} = ranch:start_listener(my_ssl,
    53. 

  53. 	ranch_ssl, [
    54. 

  54. 		{port, SSLPort},
    55. 

  55. 		{certfile, PathToCertfile},
    56. 

  56. 		{cacertfile, PathToCACertfile},
    57. 

  57. 		{verify, verify_peer}
    58. 

  58. 	],
    59. 

  59. 	my_protocol, []
    60. 

  60. ).
    61. 

  61. 

  62. In this example we set the required `port` and `certfile`, but also
    63. 

  63. the `cacertfile` containing the CACert.org root certificate, and
    64. 

  64. the option to request the client certificate.
    65. 

  65. 

  66. If you enable the `{verify, verify_peer}` option and the client does
    67. 

  67. not have a client certificate configured for your domain, then no
    68. 

  68. certificate will be sent. This allows you to use SSL for more than
    69. 

  69. just authenticated clients.
    70. 

  70. 

  71. === Authentication
    72. 

  72. 

  73. To authenticate users, you must first save the certificate information
    74. 

  74. required. If you have your users' certificate files, you can simply
    75. 

  75. load the certificate and retrieve the information directly.
    76. 

  76. 

  77. .Retrieve the issuer ID from a certificate
    78. 

  78. 

  79. [source,erlang]
    80. 

  80. ----
    81. 

  81. certfile_to_issuer_id(Filename) ->
    82. 

  82. 	{ok, Data} = file:read_file(Filename),
    83. 

  83. 	[{'Certificate', Cert, not_encrypted}] = public_key:pem_decode(Data),
    84. 

  84. 	{ok, IssuerID} = public_key:pkix_issuer_id(Cert, self),
    85. 

  85. 	IssuerID.
    86. 

  86. ----
    87. 

  87. 

  88. The `IssuerID` variable contains both the certificate serial number
    89. 

  89. and the certificate issuer stored in a tuple, so this value alone can
    90. 

  90. be used to uniquely identify the user certificate. You can save this
    91. 

  91. value in a database, a configuration file or any other place where an
    92. 

  92. Erlang term can be stored and retrieved.
    93. 

  93. 

  94. To retrieve the `IssuerID` from a running connection, you need to first
    95. 

  95. retrieve the client certificate and then extract this information from
    96. 

  96. it. Ranch does not provide a function to retrieve the client certificate.
    97. 

  97. Instead you can use the `ssl:peercert/1` function. Once you have the
    98. 

  98. certificate, you can again use the `public_key:pkix_issuer_id/2` to
    99. 

  99. extract the `IssuerID` value.
    100. 

  100. 

  101. The following function returns the `IssuerID` or `false` if no client
    102. 

  102. certificate was found. This snippet is intended to be used from your
    103. 

  103. protocol code.
    104. 

  104. 

  105. .Retrieve the issuer ID from the certificate for the current connection
    106. 

  106. 

  107. [source,erlang]
    108. 

  108. ----
    109. 

  109. socket_to_issuer_id(Socket) ->
    110. 

  110. 	case ssl:peercert(Socket) of
    111. 

  111. 		{error, no_peercert} ->
    112. 

  112. 			false;
    113. 

  113. 		{ok, Cert} ->
    114. 

  114. 			{ok, IssuerID} = public_key:pkix_issuer_id(Cert, self),
    115. 

  115. 			IssuerID
    116. 

  116. 	end.
    117. 

  117. ----
    118. 

  118. 

  119. You then only need to match the `IssuerID` value to authenticate the
    120. 

  120. user.
    121.