HTTPS With Client Certificate Authentication; HTTPS Client Filtering And Dynamic Content - Linksys SPA2102-AU Provisioning Manual

Provisioning guide
Chapter 3
Provisioning Tutorial

HTTPS With Client Certificate Authentication

In the factory default configuration, the server does not request SSL client certificates from clients. After
changing the configuration to enable client authentication, the server requires a client certificate to
authenticate the SPA before accepting a connection request.
Because of this, the resync operation in this exercise cannot be independently tested using a browser
lacking the proper credentials. Nevertheless, the SSL key exchange within the HTTPS connection
between the test SPA and the server can be observed using the ssldump utility. The utility trace shows
the interaction between client and server.
Exercise
Step 1
Enable client certificate authentication on the HTTPS server.
Step 2
In Apache (v.2), set the following in the server configuration file:
SSLVerifyClient require
Also ensure that the spacroot.cert has been stored as shown in the previous exercise.
Step 3
Restart the HTTPS server and observe the syslog trace from the SPA.
Each resync to the server now performs symmetric (mutual) authentication, so that both the server
and the client certificates are verified before the profile is transferred.
Step 4
Using ssldump, capture a resync connection between the SPA and the HTTPS server.
If client certificate verification is properly enabled on the server, the ssldump trace shows the symmetric
exchange of certificates (first server-to-client, then client-to-server) before the encrypted packets
containing the profile.
With client authentication enabled, only a SPA with a MAC address matching a valid client certificate
can request the profile from the provisioning server. A request from an ordinary browser or other
unauthorized device is rejected by the server.

HTTPS Client Filtering and Dynamic Content

If the HTTPS server is configured to require client certificates, the information in each certificate
identifies the resyncing SPA, and the server can use it to supply that SPA with the correct configuration.
The HTTPS server makes the certificate information available to CGI scripts (or compiled CGI
programs) invoked as part of the resync request. For the purpose of illustration, this exercise uses the
open source Perl scripting language, and assumes that Apache (v.2) is used as the HTTPS server.
Exercise
Step 1
Install Perl on the host running the HTTPS server.
Step 2
Generate the following Perl reflector script:
#!/usr/bin/perl -wT
use strict;
# CGI response header: the SPA expects a plain-text profile body
print "Content-Type: text/plain\n\n";
# Open the flat profile; GPP_D carries the client-certificate fields that
# Apache exports to the CGI script as SSL_CLIENT_* environment variables
print "<flat-profile><GPP_D>";
Secure Resync
Linksys SPA Provisioning Guide, Version 3.0
3-9
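The reflector idea above, written as a Python CGI handler rather than the guide's Perl script (this is an added example, not code from the Linksys guide). It assumes Apache has been started with `SSLVerifyClient require` and `SSLOptions +StdEnvVars`, so that mod_ssl exports `SSL_CLIENT_VERIFY` and the subject/issuer DN fields to the script; the certificate subject layout (MAC address in the CN) and all sample values are constructed assumptions, not taken from a real SPA certificate.

```python
import os
import re
from html import escape

# Constructed stand-in for the environment Apache mod_ssl exports to a CGI
# script with "SSLOptions +StdEnvVars"; a real request uses os.environ.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_CN": "000E08AABBCC",             # assumed: MAC in CN
    "SSL_CLIENT_S_DN_O": "Example Vendor",             # constructed value
    "SSL_CLIENT_I_DN_CN": "Example Provisioning CA",   # constructed value
}

MAC_RE = re.compile(r"^[0-9A-F]{12}$")

def client_mac(env):
    """Return the MAC from a verified client certificate, or None.

    Only SSL_CLIENT_VERIFY == "SUCCESS" is trusted: "NONE" means no client
    certificate was presented and "FAILED:..." means the chain did not
    validate against the CA file (spacroot.cert in the guide's setup).
    Assumption (not from the guide): the SPA's MAC is the subject CN.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    cn = env.get("SSL_CLIENT_S_DN_CN", "").upper()
    return cn if MAC_RE.match(cn) else None

def build_profile(env):
    """Build the flat-profile body for this SPA, or None if unauthorised.

    Certificate fields are XML-escaped before being reflected into GPP_D so
    that an odd DN string cannot inject extra profile elements.
    """
    mac = client_mac(env)
    if mac is None:
        return None
    issuer = escape(env.get("SSL_CLIENT_I_DN_CN", ""), quote=False)
    return ("<flat-profile>"
            f"<GPP_D>MAC={mac},Issuer={issuer}</GPP_D>"
            "</flat-profile>")

def respond(env):
    """Return (CGI header line, body); a 403 Status header refuses the resync."""
    body = build_profile(env)
    if body is None:
        return "Status: 403 Forbidden", ""
    return "Content-Type: text/plain", body

if __name__ == "__main__":
    env = os.environ if "SSL_CLIENT_VERIFY" in os.environ else SAMPLE_ENV
    header, body = respond(env)
    print(header + "\n\n" + body)
```

Run under Apache the script answers each resync from the verified environment; run by hand it falls back to the constructed sample and prints the profile it would return.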