0 Replies. Latest reply on Jun 8, 2017 4:25 AM by Sabir Valappil Thattath

    TLS Mutual Authentication With EB on Android

    Sabir Valappil Thattath

       

      I recently came across validating Enterprise Browser for TLS mutual authentication on Zebra Android devices. Here I would like to share my experience of setting up the server and the device for establishing a secured connection with self-signed certificates, where the client validates the server certificate and the server validates the client certificate during the TLS handshake.

       

      How TLS server validation is done at the client

       

      During the TLS handshake the server presents its certificate and the browser validates it against the trusted certificate store on the device. A self-signed certificate chains to no public CA, so the server certificate itself must be installed on the device before the server URL is opened in Enterprise Browser. Otherwise Enterprise Browser will not trust the certificate presented by the server and will redirect the user to the badlink page with the description SSL_ERROR. Keep in mind that, from Android 7.0 onward, an application trusts user-installed CA certificates only if its network security configuration opts in, so a certificate that the stock browser accepts is not automatically accepted by every app on the device.

       

      Once Enterprise Browser has validated the certificate, the handshake continues with the key exchange. With an RSA key-exchange cipher suite the client creates a pre-master secret, encrypts it with the public key in the server certificate and sends it to the server; only the holder of the private key matching that certificate, i.e. the server, can decrypt it. With the (EC)DHE suites that modern clients prefer, the pre-master secret is instead derived from an ephemeral Diffie-Hellman exchange and the server's private key is used only to sign its ephemeral parameters. In both cases the server must possess the private key that matches the certificate it presents.

       

      This means one should first create a private key file, then create the server certificate from that key, and finally configure the server to use both files (the certificate file is presented to clients; the key file is used by the server to decrypt the pre-master secret, or to sign the key exchange).

       

      Similarly, the server certificate must be installed on the device so that Enterprise Browser can validate the certificate the server presents when the https URL is accessed.

      From the pre-master secret the server derives the master secret and, from it, the session keys; Enterprise Browser derives the same master secret from the same pre-master secret. These symmetric keys are used for encrypting and authenticating the application data at both ends (client and server) throughout the session, which is what makes the communication between server and client secure.

       

      Configuring the XAMPP server for HTTPS using OpenSSL

       

      I was using the XAMPP server for hosting my test pages. I also preferred the OpenSSL tool for generating self-signed certificates (openssl is packaged within the XAMPP installer, so there is no need to install it separately). All my experiments were done on a Windows 7 64-bit machine.

       

      Generating the server certificate

       

      On the command prompt, I ran the following instructions to generate the server certificate.

       

      Go to the openssl.exe directory inside XAMPP and set the configuration file path as below:

          cd C:\xampp\apache\bin
          set OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf

      Generate the private key file for the server certificate:

          openssl genrsa -out server.key 2048

      Use the private key file to generate the self-signed X.509 certificate for the server. Sign it with SHA-256 rather than SHA-1: SHA-1 certificate signatures are deprecated and current browsers reject them.

          openssl req -new -x509 -sha256 -days 1095 -key server.key -out server.crt

       

      This will ask for a few details that go into the certificate. Don't forget to set the Common Name to the fully qualified domain name of the server, or to the server's IP address if you have no domain name. Two caveats apply with current clients. First, Chromium-based browsers (Chrome since version 58, and with it the Android System WebView) no longer match the host in the URL against the Common Name at all: the host name or IP address must appear in a subjectAltName extension, which openssl req -x509 only adds when the extension section of the config file lists one. Second, keep basicConstraints set to CA:TRUE: Android's certificate installer looks at that extension to decide whether a certificate belongs in the trusted CA store, and the v3_ca profile that the stock openssl.cnf applies to req -x509 sets it, so do not drop it if you switch to a custom config file.

      This completes the generation of the private-key file and the certificate file for the server side.

       

      Setting up the device to accept the server certificate

       

      Take a copy of server.crt from C:\xampp\apache\bin, place it on the device's SD card and install it on the device as given below.

       

      Go to Settings -> Security -> Install from SD card

       

      Browse to the SD card, tap server.crt and provide an alias for the certificate so that it can be distinguished easily later for maintenance purposes.

       

      After this the device trusts the server certificate, and the host named in it can be reached over https.

       

      Setting up XAMPP to present the server certificate to the client

       

      Let us now configure the server with the certificate and private-key files.

       

      • Copy the server.crt file to C:\xampp\apache\conf\ssl.crt

       

      • Copy the server.key file to C:\xampp\apache\conf\ssl.key

       

      • Open the httpd-ssl.conf file of the XAMPP server (under apache\conf\extra), search for the string SSLCertificateFile and ensure the path to the certificate is given as conf/ssl.crt/server.crt

       

      • Search for the string SSLCertificateKeyFile and ensure the path to the private-key file is set to conf/ssl.key/server.key

       

      If you keep the files elsewhere, point SSLCertificateFile and SSLCertificateKeyFile at the proper paths. The key file should be readable by the Apache service account only: anyone who can read server.key can impersonate the server.

       

      This completes the setup for a typical https website, where only the server certificate is validated, by the client.

       

      You can test it by running the XAMPP server and opening a page hosted on it using the https scheme. I always try the stock browser first to ensure the setup is proper.
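      The server-certificate procedure above, as an added example in shell (not code from the original post): it writes a small OpenSSL config so the certificate carries a subjectAltName and CA:TRUE, generates the key and certificate with a SHA-256 signature, and then runs the two checks the device will effectively perform, chain validation against the installed certificate and a name match on the SAN. The host name eb-test.example.com, the address 192.168.1.10 and the output directory are assumed placeholders; the openssl invocations are identical on Windows under C:\xampp\apache\bin once the config path is adjusted.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed placeholders:
# host eb-test.example.com, IP 192.168.1.10, output directory passed as $1.
set -eu

# Minimal OpenSSL config for a self-signed server certificate.
# Chromium/WebView ignore the Common Name, so the host and/or IP go in the
# subjectAltName. CA:TRUE is kept so Android files the cert in its CA store.
write_server_config() {
    cn="$1"; dns="$2"; ip="$3"; out="$4"
    cat > "$out" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = $cn
[v3_server]
subjectAltName = DNS:$dns, IP:$ip
basicConstraints = critical, CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth
EOF
}

# Generate server.key and server.crt in $dir (2048-bit RSA, SHA-256, 3 years).
gen_server_cert() {
    dir="$1"; host="$2"; ip="$3"
    write_server_config "$host" "$host" "$ip" "$dir/server.cnf"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 1095 \
        -key "$dir/server.key" -out "$dir/server.crt" -config "$dir/server.cnf"
}

# The checks a client performs once server.crt is in its trust store:
# 1) the presented cert chains to a trusted cert (here: itself),
# 2) the host name / IP from the URL is listed in the SAN.
# Returns 0 when both hold, 1 otherwise.
check_server_cert() {
    dir="$1"; host="$2"; ip="$3"
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null || return 1
    san=$(openssl x509 -in "$dir/server.crt" -noout -text \
          | grep -A1 'Subject Alternative Name' | tail -n 1)
    case "$san" in
        *"DNS:$host"*"IP Address:$ip"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: gen_server_cert /tmp/eb eb-test.example.com 192.168.1.10
#        check_server_cert /tmp/eb eb-test.example.com 192.168.1.10 && echo OK
```

      The same check_server_cert call with a different host name fails on the SAN match, which is exactly the SSL_ERROR case a mis-named certificate produces in the browser.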

       

      How about client validation at the server side?

       

      TLS supports mutual authentication, which lets the server ensure that the client is authorized before any application data is exchanged. During the handshake the server sends a CertificateRequest (if it is configured to ask for one). The client then presents its certificate in a Certificate message and follows it with a CertificateVerify message: a signature, made with the client's private key, over a hash of every handshake message exchanged up to that point.

       

      The server first validates the client certificate against its configured CA file, then verifies the CertificateVerify signature with the public key from that certificate against its own record of the handshake. If either step fails the server closes the connection; otherwise the handshake proceeds. Note that this is a signature, not encryption: the client proves possession of the private key without ever sending it, and the server never needs the client's private key.

       

      This means the client must have both the certificate to present on request and the private key with which to sign the CertificateVerify message.

      The server, in turn, needs a copy of the client certificate (or of the CA that issued it) in order to validate the client; the public key it uses to verify the signature comes from the presented certificate itself.
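      What the CertificateVerify step involves, as an added shell example that is not from the original post: the client signs a digest of the handshake transcript with its private key, and the server checks that signature using only the public key in the presented certificate, so a transcript the server did not see fails verification. The transcript here is a constructed placeholder string rather than real handshake bytes, and the device name eb-device-001 is assumed.

```shell
#!/bin/sh
# Added example (not from the original post). The transcript strings are
# constructed stand-ins for the handshake messages; eb-device-001 is an
# assumed device name.
set -eu

# Throwaway client identity: private key plus self-signed certificate.
make_client_identity() {
    dir="$1"
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 1 -subj "/CN=eb-device-001" \
        -key "$dir/client.key" -out "$dir/client.crt"
}

# Client side: sign SHA-256(transcript) with the private key -> sig.bin
sign_transcript() {
    openssl dgst -sha256 -sign "$1/client.key" -out "$1/sig.bin" "$2"
}

# Server side: it holds client.crt, never client.key. Extract the public key
# from the certificate and verify the signature. Returns 0 if valid, 1 if not.
verify_transcript() {
    openssl x509 -in "$1/client.crt" -pubkey -noout > "$1/client.pub"
    if openssl dgst -sha256 -verify "$1/client.pub" \
           -signature "$1/sig.bin" "$2" >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

# Full exchange: genuine transcript verifies, a substituted one does not.
# Returns 0 when both expectations hold.
demo_certificate_verify() {
    dir="$1"
    make_client_identity "$dir"
    printf 'ClientHello|ServerHello|Certificate|CertificateRequest|ServerHelloDone|Certificate' \
        > "$dir/transcript"
    sign_transcript "$dir" "$dir/transcript"
    verify_transcript "$dir" "$dir/transcript" || return 1
    # Server's view of a different handshake: the client's signature must not
    # transfer to it (this is what blocks replaying a CertificateVerify).
    printf 'ClientHello|ServerHello|TAMPERED' > "$dir/transcript.bad"
    if verify_transcript "$dir" "$dir/transcript.bad"; then return 1; fi
    return 0
}

# Usage: demo_certificate_verify /tmp/cv && echo "CertificateVerify semantics hold"
```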

       

      Generating the client certificate

       

      On the command prompt, I ran the following instructions to generate the client certificate.

       

      Go to the openssl.exe directory inside XAMPP and set the configuration file path as below:

          cd C:\xampp\apache\bin
          set OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf

      Generate the private key file for the client certificate:

          openssl genrsa -out client.key 2048

      Use the private key file to generate the self-signed X.509 certificate for the client (again signed with SHA-256, not SHA-1):

          openssl req -new -x509 -sha256 -days 1095 -key client.key -out client.crt

       

      This will ask for a few details that go into the certificate. The Common Name of a client certificate identifies the client rather than a server, and nothing compares it against a URL, so there is no need to use the server's domain name or IP address here; pick a name that identifies the device or user, since that is what the server will see in its logs.

       

      As mentioned earlier, the client must have both the private-key file and the certificate file, so both must be available in the device's credential store. Android accepts client certificates in PFX (PKCS#12) form, a binary container that stores the client certificate and its private key in a single password-protected file.

       

      Let us merge the private key and the certificate into a PFX file with the following command:

       

         openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt

       

      This prompts for an export password; remember it, as it is needed when installing the pfx file on the device. This completes the generation of the private-key file and certificate file for the client side.

       

      Setting up the device to handle the CertificateRequest from the server

       

      Take a copy of client.pfx from C:\xampp\apache\bin, place it on the device's SD card and install it on the device as given below.

       

      Go to Settings -> Security -> Install from SD card

      Browse to the SD card, tap client.pfx and provide an alias for the certificate so that it can be distinguished easily later for maintenance purposes. It will prompt for a password; enter the password you chose when creating the client.pfx file.

       

      After this the device holds the client certificate together with its private key and can present the certificate (and sign with the key) whenever a server asks for it.

       

      Setting up XAMPP to validate the client certificate

       

      First, set up the XAMPP server to request a client certificate by enabling SSLVerifyClient require in httpd-ssl.conf (inside the same VirtualHost as the server certificate settings). With require, any client that does not present a valid certificate has its handshake rejected; optional would let the handshake complete and leave the decision to the application.

       

      Second, configure the certificate path as below:

       

      • Copy the client.crt file to C:\xampp\apache\conf\ssl.crt

       

      • Open the httpd-ssl.conf file, search for the string SSLCACertificateFile and ensure that the path to the client certificate is set as SSLCACertificateFile "conf/ssl.crt/client.crt". This file must contain every certificate (or issuing CA) the server should accept; with self-signed client certificates that is the client certificate itself, and several PEM certificates can simply be concatenated into one file. The server does not need client.key; the private key stays on the device only.

       

      This completes the configuration of the server to request a client certificate and to hold a copy of the client certificate for validating the certificate presented by the browser.

      You can test it by running the XAMPP server and opening a page hosted on it using the https scheme. I always try the stock browser first to ensure the setup is proper.
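      The client-side procedure (certificate, PKCS#12 export, server-side verification), as an added shell example that is not from the original post. The CN eb-device-001, the export password and the output directory are placeholders. Besides generating the files it round-trips the .pfx with its password, verifies the client certificate against the CA file exactly as mod_ssl will with SSLVerifyClient require, and writes the httpd-ssl.conf lines the post configures by hand.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: CN eb-device-001,
# the export password, and the working directory passed as $1.
set -eu

# Client identity. The CN names the device; no hostname matching applies.
gen_client_identity() {
    dir="$1"; cn="$2"
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 1095 -subj "/CN=$cn" \
        -key "$dir/client.key" -out "$dir/client.crt"
}

# Bundle key + cert into client.pfx (PKCS#12). The export password is the one
# Settings -> Security -> Install from SD card asks for on the device.
export_pfx() {
    dir="$1"; password="$2"
    openssl pkcs12 -export -out "$dir/client.pfx" -inkey "$dir/client.key" \
        -in "$dir/client.crt" -name "eb-client" -passout "pass:$password"
}

# Round-trip check before copying to the device: the bundle opens with the
# password and carries the expected subject. Returns 0 on success.
check_pfx() {
    dir="$1"; password="$2"; cn="$3"
    subj=$(openssl pkcs12 -in "$dir/client.pfx" -passin "pass:$password" \
               -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject)
    case "$subj" in
        *"CN=$cn"*|*"CN = $cn"*) return 0 ;;
        *) return 1 ;;
    esac
}

# What mod_ssl does with SSLVerifyClient require: validate the presented cert
# against SSLCACertificateFile. For a self-signed client cert that file is
# the cert itself; the server never needs client.key.
check_against_ca_file() {
    openssl verify -CAfile "$1/client.crt" "$1/client.crt" >/dev/null
}

# The httpd-ssl.conf lines this setup needs, written out for review.
write_apache_snippet() {
    cat > "$1/httpd-ssl-client.conf" <<'EOF'
SSLEngine on
SSLCertificateFile    "conf/ssl.crt/server.crt"
SSLCertificateKeyFile "conf/ssl.key/server.key"
# Reject any client that cannot present a certificate chaining to the CA file.
SSLVerifyClient require
SSLVerifyDepth  1
SSLCACertificateFile "conf/ssl.crt/client.crt"
EOF
}

# Usage:
#   gen_client_identity /tmp/eb eb-device-001
#   export_pfx /tmp/eb 'choose-a-password'
#   check_pfx /tmp/eb 'choose-a-password' eb-device-001 && check_against_ca_file /tmp/eb
#   write_apache_snippet /tmp/eb
```

      If the Android installer rejects a .pfx produced by OpenSSL 3.x, re-export it with the -legacy option so the bundle uses the older PKCS#12 encryption that older credential installers expect.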

       

      The browser remembers the chosen client certificate only for the lifetime of the application instance, on both the stock browser and Enterprise Browser. This can be avoided on Enterprise Browser with a configuration parameter that will be added in a future release.

       

      Conclusion

       

      Android has supported handling client certificate requests in the WebView from Lollipop (Android 5.0) onwards. EB will officially support this feature from Enterprise Browser version 1.7 onwards; however, a few customers are already using Enterprise Browser version 1.6 with a patch on it.