Patches gpg-agent + scute for ssl/tls auth using openpgp card with 2048 rsa key

Damien Goutte-Gattat dgouttegattat at incenp.org
Sat Sep 13 21:35:55 CEST 2014


On 09/13/2014 03:33 PM, Oliver Winker wrote:
> For the debug env, it's basically an apache ssl/tls setup with client auth.

Same here, but I also performed some tests with the tools provided with
GnuTLS and OpenSSL, which come in handy if you don't have a running web
server around.

For example, with GnuTLS:

$ gnutls-serv --http --port=8000 \
  --x509certfile=server-cert.pem --x509keyfile=server-key.pem \
  --require-client-cert --x509cafile=client-ca-cert.pem

And with OpenSSL:

$ openssl s_server -HTTP -accept 8000 \
  -cert server-cert.pem -key server-key.pem \
  -Verify 1 -CAfile client-ca-cert.pem

Both commands start a web server that will listen on localhost port 8000
and will expect a client to present a certificate signed by
`client-ca-cert.pem'.

Yet another option is to use Thunderbird: configure it to use Scute as a
Security Device the same way you do with Firefox, then send to yourself
a mail that you will attempt to sign (using S/MIME, *not* OpenPGP) with
your card-based certificate. That's even simpler than the above, since
you do not need to generate a server certificate at all.


Damien
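
The server recipe from the message above, carried through as an added example (not code from the original message, nor from GnuPG or Scute): a POSIX shell script that builds a throwaway PKI with the OpenSSL command-line tools, starts `openssl s_server` with `-Verify` as the message does (in `-www` mode, so the server reports which client certificate it verified), and then checks from the client side that a certificate issued by `client-ca-cert.pem` is accepted while a connection offering no certificate is refused. The file names, the test subject names and the ports 48443/48444 are assumptions for the demo, and a file-based client key stands in for the card, since what is being verified here is the server-side requirement.

```shell
#!/bin/sh
# Added example, not code from the original message or from GnuPG/Scute.
# Builds a throwaway PKI, starts the "openssl s_server" from the message
# with -Verify, and checks that a client carrying a certificate from the
# client CA gets in while a client with no certificate is turned away.
# File names, subject names and port numbers are assumptions for the demo.
set -eu

# Self-signed server certificate, a throwaway client CA, and one client
# certificate signed by that CA. Everything is written under "$1".
gen_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=test server' \
    -keyout "$dir/server-key.pem" -out "$dir/server-cert.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=test client CA' \
    -keyout "$dir/client-ca-key.pem" -out "$dir/client-ca-cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=test client' \
    -keyout "$dir/client-key.pem" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/client.csr" \
    -CA "$dir/client-ca-cert.pem" -CAkey "$dir/client-ca-key.pem" \
    -CAcreateserial -out "$dir/client-cert.pem" 2>/dev/null
}

# GET / while presenting the client certificate. In -www mode the server
# answers with an HTML status page that, when it verified a client
# certificate, contains the line "Client certificate" followed by the cert.
connect_with_cert() {
  printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -quiet \
    -connect "127.0.0.1:$2" -cert "$1/client-cert.pem" -key "$1/client-key.pem" \
    2>/dev/null
}

# Same request with no certificate at all. Because the server runs with
# -Verify, the handshake is aborted and no status page comes back.
connect_without_cert() {
  printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -quiet \
    -connect "127.0.0.1:$1" 2>/dev/null
}

# Poll until the background server answers (it needs a moment to bind).
wait_for_server() {
  i=0
  while [ "$i" -lt 20 ]; do
    if connect_with_cert "$1" "$2" | grep -q '<HTML>'; then
      return 0
    fi
    i=$((i + 1))
    sleep 1
  done
  return 1
}

# Whole round trip on one port. Returns 0 only if the certificate-bearing
# client was accepted AND the bare client was refused.
run_demo() {
  port=$1
  work=$(mktemp -d)
  gen_test_pki "$work"
  # The server from the message, with -www so it reports what it verified.
  openssl s_server -accept "$port" -www \
    -cert "$work/server-cert.pem" -key "$work/server-key.pem" \
    -Verify 1 -CAfile "$work/client-ca-cert.pem" >/dev/null 2>&1 &
  server_pid=$!
  result=1
  if wait_for_server "$work" "$port"; then
    with=$(connect_with_cert "$work" "$port" || true)
    without=$(connect_without_cert "$port" || true)
    if printf '%s\n' "$with" | grep -q 'Client certificate' &&
       ! printf '%s\n' "$without" | grep -q '<HTML>'; then
      result=0
    fi
  fi
  kill "$server_pid" 2>/dev/null || true
  rm -rf "$work"
  return "$result"
}

if run_demo 48443; then
  echo "client auth works: certificate accepted, no-certificate connection refused"
else
  echo "client auth check failed" >&2
  exit 1
fi
```

Run it as `sh demo.sh`. To exercise the card rather than the file key, start the same `s_server` line by hand and point the Scute-enabled browser from the message at `https://localhost:48443/`: the status page the server returns contains the `Client certificate` block whenever the handshake carried a client certificate it could verify against `-CAfile`, and the connection is refused outright when none was offered.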
