SSL with Let's Encrypt server certificates, no client authentication

jmygtjmygt Member Jose ValletOrganization: Finnish Geospatial Research InstituteProject: Localization framework that respects users privacy

Hi.

We are trying to configure a multi-client-server setup to communicate using SSL without client authentication. If I understand this paradigm correctly from here, this means that we only need a certificate for the server, which is the one to be authenticated. Then, when the client needs to authenticate the server upon starting the connection, the server sends its certificate to the client, which shall then be validated by the client. Am I correct so far?

If so, at this point I have a question. Reading from several posts in the forum, I somehow understand that, even when the client is not to be authenticated by the server (for which the server is to be configured with e.g. "IceSSL.VerifyPeer=1"), the client still needs to be provided a file with the server's public key (using the IceSSL.CertAuthFile property). My question is: why does the client need this certificate? Isn't the server sending it?

What we are ultimately trying is to set up our server to use Let's Encrypt certificates, which are automatically renewed every 90 days, and the clients to seamlessly adapt to the server certificate renewals. Our client applications are mobile devices, and we cannot update their configuration once the app has been deployed.

So, can somebody please explain:
1 - Why the clients need the server's public certificate? Can you point to some documentation somewhere?
2 - How to configure the client and server to use Let's Encrypt certificates? Can somebody please give a concrete configuration example?

BR,
José

Tagged:

Answers

  • benoitbenoit Rennes, FranceAdministrators, ZeroC Staff Benoit FoucherOrganization: ZeroC, Inc.Project: Ice ZeroC Staff
    edited August 2018

    Hi José,

    Yes, the client needs to authenticate the server and it needs some information to do this. It doesn't need the server public key for this however. Just like web browsers, it can authenticate the server using the certification authority root or intermediate certificates. You'll find Let's Encrypt certificates here: https://letsencrypt.org/certificates/

    You can also try this with our demos. For example, you could modify the hello demo configuration to configure the server with the additional property IceSSL.VerifyPeer=1 and disable the IceSSL.CertFile, IceSSL.Password, IceSSL.Keychain, IceSSL.KeychainPassword properties. The client SSL configuration will only contain the IceSSL.CAs property which points to the certificate authority certificate of the CA used to issue the server certificate.

    For your clients, given that they use Let's Encrypt, you might even not have to configure the CA certificate but instead rely on the system trusted root certificates. So instead of setting IceSSL.CAs to the Let's Encrypt certificates, you could just set IceSSL.UsePlatformCAs=1. This is the best option for mobile applications since you won't have to ship any certificates but instead rely on the ones provided by the operating system.

    Cheers,
    Benoit.

Sign In or Register to comment.