Verify Incoming SSL Using OpenSSL S_Server

opensslsslssl-certificate

We are wanting to use two way certificate authentication using open ssl.

When we open s_server as follows, the client is able to connect to my server:

openssl s_server -accept 12345 -cert our-cert.pem

(our-cert.pem is our certificate.)

This works fine. However, my requirements are:

  1. Verify that the incoming certificate is valid with a trusted CA, and
  2. Verify the common name is what we expect it to be.

I have tried this:

openssl s_server -accept 12345 -cert our-cert.pem -CApath /etc/ssl/certs/

This allows the client to connect. But my questions are:

  1. How can I be sure that it is validating the incomming SSL is valid and issued by a CA?
  2. How can I validate the Common Name is what I expect?

Best Answer

For the server, you need to add the "-Verify " option to force the client to provide a certificate. The depth is the maximum length of the client certificate chain.

That should take care of question #1.

For #2, I'm not sure there is a way to restrict by Common Name using these OpenSSL commands.

You can see the OpenSSL documentation for the server/client commands here:

s_server

s_client