TLS Mutual Authentication With Enterprise Browser (Explained with Test Setup)
I recently worked on validating Enterprise Browser for TLS mutual authentication on Zebra Android devices. Here I would like to share my experience of setting up the server and the device to establish a secure connection (with self-signed certificates) in which the client validates the server certificate and the server validates the client certificate during the TLS handshake.
How is TLS server validation done at the client?
During the TLS handshake, the server presents its certificate to the browser, and the browser validates that certificate against the certificates in the device's trusted certificate store. This means the server certificate must be installed on the device before the server URL is opened in Enterprise Browser; otherwise Enterprise Browser will not trust the certificate presented by the server and will redirect the user to a badlink page with the description SSL_ERROR.
As part of the TLS handshake, once Enterprise Browser has validated the certificate, it creates a pre-master secret, encrypts it with the public key in the server certificate and sends it to the server. This pre-master secret can only be decrypted with the private key that was used to generate the server certificate, and that private key is known only to the server.
This means the user must first create a private key file, then create a server certificate from that private key, and finally configure the server to use both files (the certificate file is presented to the client, and the key file is used to decrypt the pre-master secret encrypted by the client).
Likewise, the server certificate must be installed on the device so that Enterprise Browser can validate the server whenever the server presents its certificate on access to its https URL.
On successful decryption of the pre-master secret, the server derives the master key (session key) from it; Enterprise Browser derives the same master key from the pre-master secret, and this symmetric key is used to encrypt and decrypt the application data at both ends (client and server) for the rest of the session. This is what secures the communication between server and client.
Configuring the XAMPP server for HTTPS using OpenSSL?
I used the XAMPP server to host my test pages, and I preferred the OpenSSL tool for generating the self-signed certificates (OpenSSL is packaged within the XAMPP installer, so there is no need to install it separately). All my experiments were done on a Windows 7 64-bit machine.
Generating the server certificate?
On the command prompt, I ran the following commands to generate the server certificate.
Go to the openssl.exe directory inside XAMPP and set the configuration file path as below:
cd C:\xampp\apache\bin
set OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf
Generate the private key file for the server certificate:
openssl genrsa -out server.key 2048
Use the private key file to generate the X.509 certificate for the server:
openssl req -new -x509 -nodes -sha1 -days 1095 -key server.key -out server.crt
This will ask for a few details that go into the certificate. Don't forget to set the Common Name to your fully qualified domain name. If you don't have a domain name, set your server IP as the Common Name. During the TLS handshake the client validates the Common Name in the server certificate against the domain name in the URL.
This completes the generation of the private key file and certificate file for the server side.
Setting up the device to accept the server certificate?
Take a copy of server.crt from C:\xampp\apache\bin, place it on the device's SD card and install it on the device as follows.
Go to Settings->Security->Install from SD card
Browse to the SD card, tap server.crt and provide an alias for the certificate so it can be easily distinguished for maintenance purposes.
This ensures that the device knows the server certificate for the domain.
Setting up XAMPP to present the server certificate to the client?
Let us now configure the server with the certificate and private key files.
- Copy server.crt and place it under C:\xampp\apache\conf\ssl.crt
- Copy server.key and place it under C:\xampp\apache\conf\ssl.key
- Open the httpd-ssl.conf file of the XAMPP server, search for the string SSLCertificateFile and ensure the certificate path is given as conf/ssl.crt/server.crt
- Search for the string SSLCertificateKeyFile and ensure the private key path is set to conf/ssl.key/server.key
Both SSLCertificateFile and SSLCertificateKeyFile must point to the correct certificate and key files.
This completes the setup for a typical https website, where only the server certificate is validated by the client.
You can test it by running the XAMPP server and connecting to a page hosted on it using the https scheme. You can also try the stock browser to confirm that the setup is correct.
What about client validation at the server side?
TLS supports mutual authentication, which allows the server to ensure that the client is authorized to access the application data. During the TLS handshake, the server asks for a client certificate (if configured to ask for one). On receiving this request, the client presents its certificate to the server; along with it, the client also sends a packet covering all the TLS handshake transactions that took place up to the CertificateRequest, encrypted with the client's private key, and asks the server to perform a CertificateVerify by decrypting that packet. This packet can only be decrypted with the public key in the client certificate, which is known to the server.
After validating the client certificate, the server decrypts the packet with the public key in the client certificate and checks that the transactions listed by the client match the server's own transaction history. If they do, the handshake proceeds; otherwise the server closes the connection.
This means the client must know which client certificate to present in response to a CertificateRequest from the server, and must also know the private key file used to encrypt the data sent for the CertificateVerify.
Similarly, the server must know the client certificate file in order to validate the client and to decrypt the packet sent by the client for the CertificateVerify.
Generating the client certificate?
On the command prompt, I ran the following commands to generate the client certificate.
Go to the openssl.exe directory inside XAMPP and set the configuration file path as below:
cd C:\xampp\apache\bin
set OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf
Generate the private key file for the client certificate:
openssl genrsa -out client.key 2048
Use the private key file to generate the X.509 certificate for the client:
openssl req -new -x509 -nodes -sha1 -days 1095 -key client.key -out client.crt
This will ask for a few details that go into the certificate. Don't forget to set the Common Name to your fully qualified domain name. If you don't have a domain name, set your server IP as the Common Name.
As mentioned earlier, the client must know both the private key file and the certificate file, so both must be available in the device's trusted store. Android accepts client certificates in PFX form. PFX is a binary format that stores a certificate and its private key together in a single, password-protected file.
Let us merge the private key file and the certificate into a pfx file with the following command:
openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt
This will prompt for a password; remember it, as it is needed to install the pfx file on the device. This completes the generation of the private key file and certificate file for the client side.
Setting up the device to handle a CertificateRequest from the server?
Take a copy of client.pfx from C:\xampp\apache\bin, place it on the device's SD card and install it on the device as follows.
Go to Settings->Security->Install from SD card
Browse to the SD card, tap client.pfx and provide an alias for the certificate so it can be easily distinguished for maintenance purposes. It will prompt for a password; enter the password you chose when creating client.pfx.
This ensures that the device knows the client certificate and its private key for the domain.
Setting up XAMPP to validate the client certificate?
First, set up the XAMPP server to request a client certificate. This is done by enabling SSLVerifyClient require in the httpd-ssl.conf file of the XAMPP server.
Second, configure the certificate path as below:
- Copy client.crt and place it under C:\xampp\apache\conf\ssl.crt
- Open httpd-ssl.conf, search for the string SSLCACertificateFile and ensure the client certificate path is set as SSLCACertificateFile "conf/ssl.crt/client.crt"
This completes the configuration of the server to request a client certificate and to hold a copy of the client certificate for validating the client when it presents its certificate.
You can test it by running the XAMPP server and connecting to a page hosted on it using the https scheme. You can also try the stock browser to confirm that the setup is correct.
On Android, the browser remembers the client certificate only for the lifetime of the application instance, in both the stock browser and Enterprise Browser. This can be avoided in Enterprise Browser with a configuration parameter that will be added in a future release. Unlike the stock browser, Enterprise Browser is fully configurable for industrial needs.
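As an added example (not part of the original post), the following POSIX shell script reproduces the server and client certificate generation steps above non-interactively and adds the checks worth running before the files are copied into the XAMPP paths: that each private key belongs to its certificate (the SSLCertificateFile/SSLCertificateKeyFile pair), that client.crt verifies against the file used as SSLCACertificateFile, and that client.pfx opens with the export password. It assumes openssl is on PATH, uses -sha256 and -subj in place of the post's -sha1 and interactive prompts, and the Common Names and password are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original post: the post's OpenSSL steps as a
# non-interactive POSIX shell script, plus the checks worth running before the
# files are copied into XAMPP. Assumes openssl is on PATH. Uses -sha256 (not
# the post's -sha1) and -subj instead of the interactive prompts.

# Generate server.key/server.crt, client.key/client.crt and client.pfx in $1.
# $2 is the server Common Name (FQDN or IP, as the post advises), $3 the
# password that protects client.pfx (the one entered when installing it).
make_mtls_certs() {
    dir=$1; server_cn=$2; pfxpass=$3
    mkdir -p "$dir" || return 1
    # Server side: private key, then a self-signed X.509 cert valid 1095 days.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -nodes -sha256 -days 1095 -key "$dir/server.key" \
        -subj "/CN=$server_cn" -out "$dir/server.crt" 2>/dev/null || return 1
    # Client side: private key and self-signed cert (CN is a constructed value).
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -nodes -sha256 -days 1095 -key "$dir/client.key" \
        -subj "/CN=eb-test-client" -out "$dir/client.crt" 2>/dev/null || return 1
    # Bundle client key + cert into the PKCS#12 (.pfx) file Android imports.
    openssl pkcs12 -export -out "$dir/client.pfx" -inkey "$dir/client.key" \
        -in "$dir/client.crt" -passout "pass:$pfxpass" 2>/dev/null || return 1
}

# True if the private key ($2) belongs to the certificate ($1): the pair that
# goes into SSLCertificateFile / SSLCertificateKeyFile. Compares the public
# key extracted from each side.
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# True if certificate $2 verifies against trust file $1, i.e. what Apache does
# with SSLCACertificateFile when the client presents its certificate.
verifies_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True if the .pfx ($1) opens with password $2; a wrong password fails the
# PKCS#12 MAC check.
pfx_password_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}
```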
Conclusion
Android has supported the ClientCertificate request handler from Lollipop onward. Enterprise Browser will officially support this feature from Enterprise Browser version 1.7 onward; however, a few customers are already using Enterprise Browser version 1.6 with a patch applied.
Sabir Valappil Thattath