Certificate based authentication

Use certificate based authentication with client certificates

If you already have a CA, you can provide goshs with the CA certificate; this activates certificate-based authentication. Any certificate signed by that CA can then be used to authenticate against the server.

Info

This option only works in combination with TLS in some form, so choose -s and then one of:

  • -ss
  • -sk/-sc/-p12
  • -sl

See Transport Layer Security (TLS) / HTTPS for details.

Usage example

$ goshs -s -p12 server/goshs.p12 -ca ca/ca.crt 
INFO   [2024-07-04 18:01:46] Download embedded file at: /example.txt?embedded 
INFO   [2024-07-04 18:01:46] Download embedded file at: /test?embedded    
Enter password for server/goshs.p12: 
INFO   [2024-07-04 18:01:46] Using certificate auth with ca certificate: ca/ca.crt 
INFO   [2024-07-04 18:01:46] Serving on interface eth0 bound to 10.137.0.27:8000 
INFO   [2024-07-04 18:01:46] Serving on interface lo bound to 127.0.0.1:8000 
INFO   [2024-07-04 18:01:46] Serving HTTPS from /home/user with ssl enabled server key: , server cert: , server p12: server/goshs.p12 
INFO   [2024-07-04 18:01:46] You provided a certificate and might want to check the fingerprint nonetheless 
INFO   [2024-07-04 18:01:46] SHA-256 Fingerprint: 69 69 49 1A BE 4E 4D 00 37 B9 3E 6F 40 EF C8 DD 81 8F 69 18 C1 07 39 BC 3E 0F B2 43 C8 2D 7B 01  
INFO   [2024-07-04 18:01:46] SHA-1   Fingerprint: 0B 39 8E CA 16 E5 F3 EA 86 E5 7D B2 31 8F 7D C8 28 8D 42 E2  

This screenshot shows the browser without providing a valid certificate.

[Screenshot: No valid certificate]

Importing the valid certificate into the certificate store in Chrome.

[Screenshot: Importing the certificate]

Reloading the page will let you choose the valid certificate.

[Screenshot: Valid certificate]

You then have authenticated access to the goshs instance. The same goes for Firefox, or even for curl:

$ curl -skIL https://localhost:8000

vs

$ curl -skIL --cert-type p12 --cert curl.p12 https://localhost:8000
HTTP/2 200 
content-type: text/html; charset=utf-8
date: Thu, 7 Jul 2024 12:53:53 GMT

Example CA Setup

You can use basically any CA you already created and just need to provide goshs with the CA certificate. But to give you an example, here is how I created the CA for this example:

patrick@mockingjay:~$ mkdir my-ca

patrick@mockingjay:~$ cd my-ca/

patrick@mockingjay:~/my-ca$ mkdir ca server client

patrick@mockingjay:~/my-ca$ cd ca/

patrick@mockingjay:~/my-ca/ca$ openssl genrsa -aes256 -out ca.key 4096
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
patrick@mockingjay:~/my-ca/ca$ openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

patrick@mockingjay:~/my-ca/ca$ cd ..

patrick@mockingjay:~/my-ca$ cd server/

patrick@mockingjay:~/my-ca/server$ openssl req -new -nodes -out goshs.csr -newkey rsa:4096 -keyout goshs.key
.......[output omitted]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

patrick@mockingjay:~/my-ca/server$ openssl x509 -req -in goshs.csr -CA ../ca/ca.crt -CAkey ../ca/ca.key -CAcreateserial -out goshs.crt -days 3650 -sha256
Certificate request self-signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Enter pass phrase for ../ca/ca.key:

patrick@mockingjay:~/my-ca/server$ ll
total 12K
-rw-r--r-- 1 user user 1.8K Jul 7 15:00 goshs.crt
-rw-r--r-- 1 user user 1.7K Jul 7 14:59 goshs.csr
-rw------- 1 user user 3.2K Jul 7 14:59 goshs.key

patrick@mockingjay:~/my-ca/server$ openssl pkcs12 -export -inkey goshs.key -in goshs.crt -out goshs.p12
Enter Export Password:
Verifying - Enter Export Password:

patrick@mockingjay:~/my-ca/server$ cd ..

patrick@mockingjay:~/my-ca$ cd client/

patrick@mockingjay:~/my-ca/client$ openssl req -new -nodes -out chrome.csr -newkey rsa:4096 -keyout chrome.key
.+.......[output omitted]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

patrick@mockingjay:~/my-ca/client$ openssl x509 -req -in chrome.csr -CA ../ca/ca.crt -CAkey ../ca/ca.key -CAcreateserial -out chrome.crt -days 3650 -sha256
Certificate request self-signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Enter pass phrase for ../ca/ca.key:

patrick@mockingjay:~/my-ca/client$ openssl pkcs12 -export -inkey chrome.key -in chrome.crt -out chrome.p12
Enter Export Password:
Verifying - Enter Export Password:

patrick@mockingjay:~/my-ca/client$ ll
total 20K
-rw-r--r-- 1 user user 1.8K Jul 7 15:01 chrome.crt
-rw-r--r-- 1 user user 1.7K Jul 7 15:01 chrome.csr
-rw------- 1 user user 3.2K Jul 7 15:01 chrome.key
-rw------- 1 user user 4.1K Jul 7 15:01 chrome.p12
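The two behaviours shown on this page, the server turning away a browser or curl that presents no usable certificate (Usage example) and admitting any leaf signed by the CA built in the Example CA Setup, can be reproduced with Go's standard library, which is the language goshs is written in. The following is an added example and not goshs code: it builds a throwaway CA and leaf certificates in memory in place of the openssl-generated files, runs real TLS handshakes over an in-memory pipe, and reports the server's verdict for each client. The names my-ca, goshs and chrome and the functions newCA, issueLeaf, serverConfig, handshake and runDemo are assumptions of this example, not goshs identifiers.

```go
package main

// Added example (not goshs code): a mutual-TLS server that trusts one CA for
// client certificates, exercised against several clients over an in-memory pipe.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64 // monotonic serial numbers for certificates issued below

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

// newCA builds a self-signed CA in memory; it stands in for the page's
// ca/ca.key and ca/ca.crt (constructed here so the example runs offline).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueLeaf signs a leaf with the given CA, the in-memory counterpart of the
// page's "openssl x509 -req ... -CA ../ca/ca.crt -CAkey ../ca/ca.key" step.
// eku marks the leaf as a server or a client certificate.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, eku x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serverConfig is what handing a server a CA certificate amounts to in Go's
// standard library: a client certificate is required on every handshake and
// only chains ending at that CA are accepted.
func serverConfig(serverCert tls.Certificate, ca *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
}

// handshake runs one TLS handshake over net.Pipe and returns the server's
// verdict: nil if the client was admitted, an error otherwise. Passing no
// clientCerts models a client that offers no certificate at all.
func handshake(srvCfg *tls.Config, clientCerts ...tls.Certificate) error {
	cliConn, srvConn := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // safety net against a stuck pipe
	_ = cliConn.SetDeadline(deadline)
	_ = srvConn.SetDeadline(deadline)
	cliCfg := &tls.Config{
		Certificates:       clientCerts,
		InsecureSkipVerify: true, // only the server's view of the client is judged here
		MinVersion:         tls.VersionTLS12,
	}
	done := make(chan struct{})
	go func() {
		defer close(done)
		defer cliConn.Close()
		c := tls.Client(cliConn, cliCfg)
		if err := c.Handshake(); err != nil {
			return
		}
		// Keep reading so the server's alert or close is consumed;
		// net.Pipe writes block until the peer reads.
		_, _ = c.Read(make([]byte, 1))
	}()
	err := tls.Server(srvConn, srvCfg).Handshake()
	srvConn.Close()
	<-done
	return err
}

// Verdicts holds the server's decision for each client runDemo tries.
type Verdicts struct {
	NoCert, OtherCA, ServerCertAsClient, OurCA error
}

// runDemo builds the CA, the server certificate and three client candidates,
// then records the server's verdict on each.
func runDemo() Verdicts {
	ca, caKey := newCA("my-ca")
	cfg := serverConfig(issueLeaf(ca, caKey, "goshs", x509.ExtKeyUsageServerAuth), ca)
	good := issueLeaf(ca, caKey, "chrome", x509.ExtKeyUsageClientAuth)
	otherCA, otherKey := newCA("someone-elses-ca")
	rogue := issueLeaf(otherCA, otherKey, "chrome", x509.ExtKeyUsageClientAuth)
	return Verdicts{
		NoCert:             handshake(cfg),
		OtherCA:            handshake(cfg, rogue),
		ServerCertAsClient: handshake(cfg, cfg.Certificates[0]),
		OurCA:              handshake(cfg, good),
	}
}

func main() {
	v := runDemo()
	fmt.Println("no certificate:          ", v.NoCert)
	fmt.Println("cert from another CA:    ", v.OtherCA)
	fmt.Println("server cert reused:      ", v.ServerCertAsClient)
	fmt.Println("client cert from our CA: ", v.OurCA)
}
```

Run it with go run; only the last line reports <nil>. Two points of the standard-library behaviour this models are worth keeping in mind: the chain check is the whole decision, so every certificate the CA has ever signed is admitted until it expires and nothing here checks revocation (whether goshs adds anything on top is not stated on this page), which is a good reason to dedicate a CA to this purpose rather than reuse an existing one; and Go demands the client-auth extended key usage when the leaf carries any EKU at all, which is why the server certificate is refused when reused as a client certificate, while the certificates from the openssl x509 -req steps above, which carry no extended key usage, are accepted.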