POC for TLS mutual authentication between a client (the wget command) and a server (Apache with mod_ssl): the client verifies the server certificate and the server verifies the client certificate.
1. Install apache web server in ubuntu
sudo apt-get update
sudo apt-get install apache2
2. Activate the ssl module in apache
sudo a2enmod ssl
3. restart apache server
sudo service apache2 restart
4. Create a self-signed SSL certificate for the Apache web "server" and store it in the location below. When prompted for the Common Name, give the IP address or hostname that wget will connect to (the output below uses CN=192.168.1.10); otherwise wget's hostname check against the certificate fails.
sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
5. Create a self-signed SSL certificate for the client. Giving -keyout and -out the same file produces one PEM containing both the private key and the certificate, which is the form wget's --certificate option reads (wget takes the private key from the same file unless --private-key is given). Use a 2048-bit key: 1024-bit RSA is no longer considered adequate.
sudo mkdir /etc/apache2/client_certs
cd /etc/apache2/client_certs
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem
6. Configure Apache to use SSL and to require a client certificate
sudo vi /etc/apache2/sites-available/default-ssl.conf
******************************************************************
changes to be made in the above file (all of them inside the <VirtualHost _default_:443> block; SSLEngine on is already set there)
******************************************************************
###################
# Server details
###################
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
####################################################
# Server's certificate and private key are stored here
####################################################
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
####################################################
# Server's trust store for client certificates.
# The client certificate is self-signed, so it is its
# own CA and goes straight into SSLCACertificateFile.
# SSLCACertificatePath only works if the directory
# holds hash-named symlinks (run c_rehash on it);
# with SSLCACertificateFile set it can be dropped.
# In this POC mycert.pem also holds the client's
# private key because client and server share a
# host; on a real deployment only the certificate
# belongs in the server's trust store, the key stays
# with the client.
####################################################
SSLCACertificatePath /etc/apache2/client_certs
SSLCACertificateFile /etc/apache2/client_certs/mycert.pem
####################################################
# Enable client authentication here. "require" makes
# Apache reject any TLS connection whose client does
# not present a certificate that chains to the trust
# store above; "optional" would admit the request
# and leave the decision to the application.
####################################################
SSLVerifyClient require
7. Activate the SSL Virtual Host
sudo a2ensite default-ssl.conf
8. Restart apache server
sudo service apache2 restart
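Added example, not part of the original POC. The steps above use two unrelated self-signed certificates, with the client's own certificate doubling as the server's trust store, which works for one client but not for a fleet. The script below, which is my addition and assumes only that openssl is on PATH, shows the arrangement that scales: one private CA signs both the server and the client certificate, Apache trusts the CA through SSLCACertificateFile, and wget trusts the same CA through --ca-certificate. It writes everything under a temporary directory (WORKDIR) instead of /etc/apache2 so it runs unprivileged, checks each certificate against the CA with openssl verify the way mod_ssl will, shows that a certificate from outside the CA fails that check, and confirms that the server certificate names the address wget connects to (SERVER_IP, assumed to be 192.168.1.10 as in the POC) in its subjectAltName, which current TLS clients check in preference to the CN.

```shell
#!/bin/sh
# Added example, not part of the original POC. Builds a private CA, issues a
# server certificate and a client certificate from it, and checks them the way
# Apache (SSLCACertificateFile) and wget (--ca-certificate) will.
# Assumptions: openssl is on PATH; files go under WORKDIR (a temp dir by
# default) instead of /etc/apache2 so this runs unprivileged; SERVER_IP is the
# address wget connects to (192.168.1.10 in the POC).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_IP="${SERVER_IP:-192.168.1.10}"

# Minimal req config so the CA gets CA:TRUE regardless of the system openssl.cnf;
# the empty [dn] section is fine because every subject is passed with -subj.
write_req_config() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORKDIR/req.cnf"
}

# Issue a certificate for the CSR $1 into $2 with the extensions listed in file $3.
sign_with_ca() {
    openssl x509 -req -days 365 -in "$1" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
        -CAcreateserial -extfile "$3" -out "$2"
}

make_pki() {
    write_req_config
    # 1. CA key and self-signed CA certificate: the single trust anchor for both sides
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config "$WORKDIR/req.cnf" \
        -subj "/CN=poc-ca" -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt"
    # 2. server key + CSR, signed by the CA; the SAN carries the IP wget connects to
    openssl req -new -nodes -newkey rsa:2048 -config "$WORKDIR/req.cnf" \
        -subj "/CN=$SERVER_IP" -keyout "$WORKDIR/apache.key" -out "$WORKDIR/apache.csr"
    printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$SERVER_IP" > "$WORKDIR/server.ext"
    sign_with_ca "$WORKDIR/apache.csr" "$WORKDIR/apache.crt" "$WORKDIR/server.ext"
    # 3. client key + CSR, signed by the same CA
    openssl req -new -nodes -newkey rsa:2048 -config "$WORKDIR/req.cnf" \
        -subj "/CN=wget-client" -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr"
    printf 'extendedKeyUsage=clientAuth\n' > "$WORKDIR/client.ext"
    sign_with_ca "$WORKDIR/client.csr" "$WORKDIR/client.crt" "$WORKDIR/client.ext"
    # 4. key + cert in one PEM, the form wget --certificate reads (key taken from the same file)
    cat "$WORKDIR/client.key" "$WORKDIR/client.crt" > "$WORKDIR/mycert.pem"
    # 5. a self-signed cert from outside the CA: what a rogue client would present
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config "$WORKDIR/req.cnf" \
        -subj "/CN=rogue" -keyout "$WORKDIR/rogue.key" -out "$WORKDIR/rogue.crt"
}

# Prints "ok" if certificate $1 chains to the CA, "fail" otherwise; this is the
# chain check mod_ssl performs on the client certificate with SSLVerifyClient require.
verify_against_ca() {
    if openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Prints "yes" if the server certificate names SERVER_IP in its subjectAltName.
server_cert_has_ip_san() {
    if openssl x509 -in "$WORKDIR/apache.crt" -noout -text | grep -q "IP Address:$SERVER_IP"; then
        echo yes
    else
        echo no
    fi
}

# Directives for the <VirtualHost _default_:443> block of default-ssl.conf,
# pointing at the files created above.
apache_directives() {
    cat <<EOF
SSLEngine on
SSLCertificateFile    $WORKDIR/apache.crt
SSLCertificateKeyFile $WORKDIR/apache.key
SSLCACertificateFile  $WORKDIR/ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
EOF
}

make_pki
echo "PKI written to $WORKDIR"
echo "server cert chains to CA: $(verify_against_ca "$WORKDIR/apache.crt")"
echo "client cert chains to CA: $(verify_against_ca "$WORKDIR/client.crt")"
echo "rogue cert chains to CA:  $(verify_against_ca "$WORKDIR/rogue.crt")"
echo "server cert has IP SAN:   $(server_cert_has_ip_san)"
apache_directives
```

With this layout the wget command later in the POC points --ca-certificate at ca.crt instead of apache.crt, and --certificate at the generated mycert.pem. To rehearse the handshake without Apache, run openssl s_server -accept 8443 -cert apache.crt -key apache.key -CAfile ca.crt -Verify 1 -www in one terminal and openssl s_client -connect 127.0.0.1:8443 -cert mycert.pem -CAfile ca.crt in another, from the directory the script reports; drop -cert from the client, or point it at rogue.crt, and the server refuses the handshake, which is exactly what SSLVerifyClient require does.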
Now the actual test, run from the client. --ca-certificate makes wget trust the server's self-signed certificate, --certificate presents the client's key and certificate, --https-only refuses any fall-back to plain HTTP, and -d prints the handshake details. Without --certificate, Apache (SSLVerifyClient require) rejects the connection.
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Command:
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
wget --https-only -d --certificate=/etc/apache2/client_certs/mycert.pem --ca-certificate=/etc/apache2/ssl/apache.crt https://192.168.1.10
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Output:
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Setting --certificate (certificate) to /etc/apache2/client_certs/mycert.pem
Setting --ca-certificate (cacertificate) to /etc/apache2/ssl/apache.crt
DEBUG output created by Wget 1.15 on linux-gnu.
URI encoding = ‘UTF-8’
--2017-12-15 20:45:58-- https://192.168.1.10/
Connecting to 192.168.1.10:443... connected.
Created socket 3.
Releasing 0x0000000001089fa0 (new refcount 0).
Deleting unused 0x0000000001089fa0.
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x000000000108ae30
certificate:
subject: /C=IN/ST=tn/L=ch/O=i am server/OU=i am server/CN=192.168.1.10/emailAddress=neel@aricent.com
issuer: /C=IN/ST=tn/L=ch/O=i am server/OU=i am server/CN=192.168.1.10/emailAddress=neel@aricent.com
X509 certificate successfully verified and matches host 192.168.1.10
---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.15 (linux-gnu)
Accept: */*
Host: 192.168.1.10
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Date: Fri, 15 Dec 2017 15:15:58 GMT
Server: Apache/2.4.10 (Ubuntu)
Last-Modified: Thu, 14 Dec 2017 16:04:16 GMT
ETag: "2c39-5604f092ce1c4"
Accept-Ranges: bytes
Content-Length: 11321
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
---response end---
200 OK
Registered socket 3 for persistent reuse.
Length: 11321 (11K) [text/html]
Saving to: ‘index.html.17’
100%[======================================================================================================================================================>] 11,321 --.-K/s in 0s
2017-12-15 20:45:58 (143 MB/s) - ‘index.html.17’ saved [11321/11321]