
How does startssl.com authentication work?

Startssl.com, which provides free class 1 SSL certs, uses a very unique and simple authentication system. During its login process it redirects the client to https://auth.startssl.com/ and the browser asks for their unique certificate. After that stage is finished they are redirected to their control panel without any username/password authentication.


I wasn't even aware that HTTP(s) could do this type of authentication natively!

I've tried using curl to dissect this request but I can't get a valid HTTPS request to go through.

X:~ ken$ curl https://auth.startssl.com/ --cert ./startssl-id.crt 
curl: (58) unable to set private key file: './startssl-id.crt' type PEM

Does curl support this type of HTTPS connection and if so how would it be configured on both the server and client side?


You're using a client-side certificate. In order to watch the traffic, your user agent needs to support client-side certificates. If you just want to watch the network traffic, you could use your browser's network traffic log, but that won't include the cert negotiation.

curl does support client-side certificates. You use them like this:

curl --cert mycert.pem https://secure.example.com

If you really want to get into the nitty-gritty of the packet negotiation, your best bet is probably to use Wireshark to dissect the packets.

The docs for configuring this in Apache are here:

http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#accesscontrol


This page has a good how-to on adding client cert authentication to any web app:

https://www.scriptjunkie.us/2013/11/adding-easy-ssl-client-authentication-to-any-webapp/

As for making client certs work with curl: you'll probably need to convert the certificate from PKCS#12 format to a plain private key and certificate. Using openssl I've done this:

openssl pkcs12 -CApath /etc/ssl/certs -in startcom.p12 -out start.pem -info -nodes

where startcom.p12 was exported from Firefox (I don't have a Mac so can't test with Safari).

And then I can:

openssl s_client -connect auth.startssl.com:443 -CApath /etc/ssl/certs/ -cert /tmp/start.pem -key /tmp/start.key -prexit -debug -msg -state -servername auth.startssl.com -tlsextdebug

which connects, and:

wget --verbose --debug --ca-directory=/etc/ssl/certs/ --certificate=/tmp/start.pem --private-key=/tmp/start.key  https://auth.startssl.com/

also works.

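To see the whole client-certificate flow the two answers describe end to end, here is an added example (not code from the question or either answer, and not StartSSL's own tooling). It builds a throwaway CA and a client identity with the openssl CLI, round-trips that identity through PKCS#12 the way a browser export does, and checks the two things the question's curl error hinges on: a bare `.crt` carries no private key, while the PEM produced by `openssl pkcs12 -nodes` carries both the certificate and the key, so it works with `--cert` alone. The CA name `demo-ca`, the user CN `ken`, the export password and the curl target are all assumptions for illustration; the curl line is only echoed because there is no server in this example.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes the openssl CLI is on PATH.
# All names below (demo-ca, ken, the export password, the target host) are made up.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Build a CA, a client key, a CA-signed client certificate, and then round-trip
# the identity through PKCS#12 (what a browser exports) back to PEM.
make_client_identity() {
    dir="$1"
    # 1. Private CA. A server doing client-cert auth trusts this CA, not individual users.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Client key and CSR. The CN is the identity the web app reads after the handshake.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ken" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    # 3. CA signs the CSR, producing the client certificate (certificate only, no key).
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/client.crt" 2>/dev/null
    # 4. Bundle cert + key into PKCS#12, as Firefox would on export (password assumed).
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -out "$dir/client.p12" -passout pass:export
    # 5. Back to PEM, mirroring the answer's command; -nodes leaves the key unencrypted
    #    so curl/wget can read it without a passphrase prompt.
    openssl pkcs12 -in "$dir/client.p12" -passin pass:export -nodes \
        -out "$dir/start.pem" 2>/dev/null
}

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Does the PEM file contain a private key block? curl's --cert needs one unless --key is given.
pem_has_key() {
    grep -q -- "-----BEGIN .*PRIVATE KEY-----" "$1"
}

# The check a server performs: does the client certificate chain to the trusted CA?
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The subject the web app would key its session on (StartSSL's login does the same).
client_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

make_client_identity "$WORK"

echo "client identity after PKCS#12 round trip: $(client_cn "$WORK/start.pem")"
if verify_client_cert "$WORK/ca.crt" "$WORK/client.crt"; then
    echo "client.crt chains to ca.crt"
fi

# The question's error: a .crt file alone has no private key, so curl cannot use it as --cert.
if pem_has_key "$WORK/client.crt"; then
    echo "unexpected: client.crt contains a private key"
else
    echo "client.crt has no private key: pass --key, or use a combined PEM"
fi

# start.pem holds both, so the one-flag form from the first answer works.
if pem_has_key "$WORK/start.pem"; then
    echo "start.pem contains cert and key; usable with --cert alone:"
    echo "  curl --cacert $WORK/ca.crt --cert $WORK/start.pem https://auth.example.test/"
    echo "  curl --cacert $WORK/ca.crt --cert $WORK/client.crt --key $WORK/client.key https://auth.example.test/"
fi
```

The `--cacert` flag is there because the demo CA is not in the system trust store; against a real host such as auth.startssl.com you would drop it and let curl use the default CA bundle. The server side is the mirror image of `verify_client_cert`: it is configured with the CA certificate and requires a client certificate that chains to it, which is what the Apache `SSLVerifyClient require` / `SSLCACertificateFile` settings in the linked howto do.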