cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon smallstep

Add optional flags to pass client cert for step certificate inspect

Open sourishkrout opened this issue 7 years ago • 3 comments

Subject of the issue

When debugging mTLS'd environments it's handy to be able to inspect a server's cert remotely granted one is possession of a valid cert to pass client auth on the server.

Expected behaviour

Optional flags for subcommand to provide cert, e.g. step certificate inspect --roots federated.pem --cert client.crt --key client.key https://127.0.0.1:443

Actual behaviour

Fails because the server rejects client requests without/invalid certs.

sourishkrout avatar Jan 17 '19 21:01 sourishkrout

@sourishkrout - I was looking at this and it seems that the client certificate is not required to inspect the peer certificate. The server certificate is sent to the client as part of the ServerHello in the TLS handshake so it's available for inspection irrespective of the client behavior. If the server requires a client certificate, it will fail the TLS handshake, but that's after the certificate exchange.

I'm curious if you've seen different behavior?

Here's the test that I did while researching this issue:

Go server requiring mTLS:

package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

func main() {
	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "Hello, client")
	}))
	defer ts.Close()

	ts.TLS = &tls.Config{
		ClientAuth: tls.RequireAnyClientCert,
	}

	ts.StartTLS()
	fmt.Println("Listening on: ", ts.URL)
	select {}
}

Start the server:

❯ go run testserver.go
Listening on:  https://127.0.0.1:54371

Run step to inspect the certificate:

❯ step certificate inspect https://127.0.0.1:54371 -insecure -short
X.509v3 Root CA Certificate (RSA 1024) [Serial: 6448...4187]
  Subject:     example.com
               127.0.0.1
               ::1
  Issuer:
  Valid from:  1970-01-01T00:00:00Z
          to:  2084-01-29T16:00:00Z

Note that the server logged an error message because the client didn't provide a certificate:

2020/12/08 09:42:09 http: TLS handshake error from 127.0.0.1:54380: tls: client didn't provide a certificate

However, the peer certificate inspection still completed.

Are there perhaps other use cases or different behaviors that you've observed with other TLS servers?

davidnarayan avatar Dec 08 '20 14:12 davidnarayan