Archived Forum Post


Question:

Implementing the Server-Side for SSL/TLS Client Certificates (2-way SSL)

Aug 17 '16 at 09:04

I am putting together an SSL socket connection, using the Chilkat Socket component at both the client and the server.

Things seem to be working well, in terms of the server receiving messages from the client over SSL (with both client and server using certificates).

I need two things: (1) How do I confirm that the client SSL authentication is actually taking place? Is there anything at the server end (Chilkat socket) that can be used to drop the connection if the client authentication fails?

(2) At the client end I am using SetSslClientCert. At the server end I am using GetReceivedClientCert.

But I can't get the client's certificate at the server end.

Chilkat help talks about "Client certificates are customarily only sent when the server demands client-side authentication, as in 2-way SSL/TLS.". So, with my Chilkat SSL socket server, how do I demand client-side authentication?


Answer

To require a client-side certificate, call listenSocket.AddSslAcceptableClientCaDn (on the listen socket) prior to calling listenSocket.InitSslServer.

This will set the list of acceptable certificate authority DNs for client certs (a client cert would need to have a chain of authentication that ends in a root cert that is one of the listed DNs). Once you do this, and assuming the client sent the cert, it should be available via GetReceivedClientCert.
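The sequence described in the answer, written out as an added example in C# against the Chilkat .NET classes. This is not code from the original post or from Chilkat's own documentation. The file names, PFX passwords, port number, CA distinguished name and unlock code are placeholders, and the issuer-DN and validity-window checks in ClientCertIsAcceptable are an extra application-level policy layered on top of whatever the handshake enforces; they are there so that a missing or unexpected client certificate is detected and the connection dropped before any application data is read, which is the check asked for in part (1) of the question.

```csharp
using System;
using System.Threading;

// Added example: a minimal 2-way TLS exchange with Chilkat.Socket (.NET).
// Paths, passwords, port, CA DN and unlock code below are placeholders.
class MutualTlsDemo
{
    const int Port = 8443;
    // Assumed DN of the CA that issued the client certificates we accept.
    const string AcceptedClientCaDn = "CN=Example Client CA,O=Example Corp,C=US";

    static void Server()
    {
        var listenSocket = new Chilkat.Socket();

        // Server identity: a PFX holding the server certificate and private key.
        var serverCert = new Chilkat.Cert();
        if (!serverCert.LoadPfxFile("server.pfx", "server-pfx-password"))
            throw new Exception(serverCert.LastErrorText);

        // Demand client authentication. The acceptable-CA list must be
        // populated BEFORE InitSslServer, as the answer above states.
        listenSocket.AddSslAcceptableClientCaDn(AcceptedClientCaDn);
        if (!listenSocket.InitSslServer(serverCert))
            throw new Exception(listenSocket.LastErrorText);
        if (!listenSocket.BindAndListen(Port, 5))
            throw new Exception(listenSocket.LastErrorText);

        // Accept one connection; the TLS handshake completes inside this call.
        Chilkat.Socket conn = listenSocket.AcceptNextConnection(20000);
        if (conn == null)
            throw new Exception(listenSocket.LastErrorText);

        if (!ClientCertIsAcceptable(conn))
        {
            // No cert, or a cert outside our policy: drop the connection
            // before reading any application data.
            conn.Close(1000);
            return;
        }

        string msg = conn.ReceiveUntilMatch("\n");
        Console.WriteLine("server got: " + msg.Trim());
        conn.SendString("ok\n");
        conn.Close(1000);
    }

    // Inspect what the handshake delivered on the accepted socket (assumed to
    // be where GetReceivedClientCert applies). Returns false when the client
    // presented no certificate or one that does not match our policy.
    static bool ClientCertIsAcceptable(Chilkat.Socket conn)
    {
        Chilkat.Cert clientCert = conn.GetReceivedClientCert();
        if (clientCert == null)
        {
            Console.WriteLine("rejecting: no client certificate presented");
            return false;
        }
        // Re-check the issuer ourselves rather than relying on the handshake alone.
        if (!string.Equals(clientCert.IssuerDN, AcceptedClientCaDn, StringComparison.Ordinal))
        {
            Console.WriteLine("rejecting: unexpected issuer " + clientCert.IssuerDN);
            return false;
        }
        // Reject certificates outside their validity window.
        DateTime now = DateTime.Now;
        if (now < clientCert.ValidFrom || now > clientCert.ValidTo)
        {
            Console.WriteLine("rejecting: certificate not currently valid");
            return false;
        }
        Console.WriteLine("authenticated client: " + clientCert.SubjectDN);
        return true;
    }

    static void Client()
    {
        var sock = new Chilkat.Socket();
        var clientCert = new Chilkat.Cert();
        if (!clientCert.LoadPfxFile("client.pfx", "client-pfx-password"))
            throw new Exception(clientCert.LastErrorText);

        // Present our certificate when the server asks for it.
        sock.SetSslClientCert(clientCert);
        // Verify the server's certificate chain on the client side as well.
        sock.RequireSslCertVerify = true;

        if (!sock.Connect("localhost", Port, true, 20000))
            throw new Exception(sock.LastErrorText);
        sock.SendString("hello over mutual TLS\n");
        Console.WriteLine("client got: " + sock.ReceiveUntilMatch("\n").Trim());
        sock.Close(1000);
    }

    static void Main()
    {
        // Placeholder unlock; use your own license or trial code.
        new Chilkat.Global().UnlockBundle("your-unlock-code");
        var server = new Thread(Server);
        server.Start();
        Thread.Sleep(500);
        Client();
        server.Join();
    }
}
```

To confirm that client authentication is really being enforced, run the client once without the SetSslClientCert call: the server side should see GetReceivedClientCert return null and close the connection without reading the message.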