wolfSSH With X.509 Support

wolfSSH can make use of X.509 certificates when verifying the peer! Both on the client side and on the server side. The implementation follows RFC 6187 and adds x509v3-ecdsa-sha2-* and x509v3-ssh-rsa to the key exchange algorithms. Instead of the public key, the whole certificate is passed along during authentication and then verified by the peer using a CA or an authorized key file. Having the option to verify the client’s certificate using a CA allows for any clients with a valid, signed certificate, to connect without needing to update an authorized key file. This includes the support for verifying certificate chains!

To build wolfSSH with X.509 support the enable option (–enable-certs) can be used. For example “./configure –enable-certs”. One thing to note is that wolfSSH also has FPKI support. If the wolfSSL being linked to has been built with FPKI support (happens with –enable-all) then the macro WOLFSSH_NO_FPKI can be used to turn off the FPKI certificate checks in wolfSSH. (–enable-certs CPPFLAGS=”-DWOLFSSH_NO_FPKI”). The example echoserver has some X.509 support but if wanting to leverage X.509 verification in multiple parts of the SSH handshake then the wolfSSHd application should be used on the server side, enabled with (–enable-sshd) or the wolfSSH library API themselves in your own application.

This is an example of what X509 certificate use looks like with wolfSSH!

Configure wolfSSH library:

./configure --enable-sshd --enable-certs CPPFLAGS=-DWOLFSSH_NO_FPKI && make 

Create sshd config file that reads in certificates:

cat sshd_config
Port 22222
Protocol 2
LoginGraceTime 600

TrustedUserCAKeys /path/to/wolfssh/keys/ca-cert-ecc.pem
HostKey /path/to/wolfssh/keys/server-key.pem 
HostCertificate /path/to/wolfssh/keys/server-cert.pem

Run wolfSSHd application:

./apps/wolfsshd/wolfsshd -D -f ./sshd_config

Connect to wolfSSHd using the wolfSSH client:

./examples/client/client -u fred -i ./keys/fred-key.der -J ./keys/fred-cert.der -A ./keys/ca-cert-ecc.der

Note that the wolfSSHd application will check that ‘fred’ is a valid user on the system and the client will check the IP of the host.

The example certificate has a host IP set to 127.0.0.1 :

server-cert.pem:

            X509v3 Subject Alternative Name: 
                DNS:example, IP Address:127.0.0.1

The example user certificate fred-cert.der specifies the user name “fred” in a UPN (User Principal Name) extension. This is an Other type subject alternative name which has the format <user>@<domain>. Having the user name set here in the certificate binds the certificate to the user “fred” and makes it so that it can not be used by other user names.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.