This lab demonstrates secure communication between a client and a server using X.509 certificates, TLS 1.2+, mutual TLS (mTLS), and certificate revocation via CRL (Certificate Revocation List). The goal was to fulfill both the base (G) and advanced (VG) grading requirements for a practical cryptography assignment.
- Set up a private CA using Easy-RSA v3
- Generate and sign a server certificate
- Generate and sign a client certificate
- Configure NGINX to use HTTPS and require client certificates
- Configure a client to authenticate using the client certificate
- Implement CRL-based certificate revocation
- Enforce use of TLS version 1.2 or later
- Ensure the server logs which client certificate (CN) is used
- Ensure the client validates the server certificate against the CRL within the same TLS connection that carries the request (a separate pre-check followed by a second connection would leave a TOCTOU window in which a freshly revoked certificate is still accepted)
- Server: NGINX configured with TLS 1.2+, a client certificate requirement, and CRL validation using `ssl_crl`.
- Client: a Bash script (`client.sh`) that uses `curl` to authenticate via mTLS and to check the server certificate against the CRL with `--crlfile`, all within one connection.
- CRL generation: using Easy-RSA's `revoke` and `gen-crl` commands.
- TLS enforcement: the server only accepts TLSv1.2+, and the client explicitly requests it.
- Logging: NGINX logs the CN of the client certificate for each HTTPS request using `ssl_client_s_dn`.
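The server side described above, as an added example configuration that is not the lab's own `server.conf`. It assumes the contents of `server_share/` are mounted into the container at `/etc/nginx/certs/` and that the server listens on port 443; adjust both to match `docker-compose.yml`.

```nginx
# Added example, not the lab's server.conf. Assumes server_share/ is mounted
# at /etc/nginx/certs/ inside the NGINX container.
events {}

http {
    default_type text/plain;

    # One access-log line per request carrying the client certificate's
    # subject DN (the CN is part of it), the verification result and the
    # negotiated TLS version.
    log_format mtls '$remote_addr [$time_local] "$request" $status '
                    'client_dn="$ssl_client_s_dn" verify=$ssl_client_verify '
                    'tls=$ssl_protocol';

    server {
        listen 443 ssl;
        server_name localhost;

        # TLS 1.2 or later only. Adding "TLSv1 TLSv1.1" here would be the
        # weak setting the lab is meant to rule out.
        ssl_protocols TLSv1.2 TLSv1.3;

        ssl_certificate     /etc/nginx/certs/server.crt;
        ssl_certificate_key /etc/nginx/certs/server.key;

        # Require a certificate issued by the private CA and check it against
        # the CRL. "ssl_verify_client optional" would let requests through
        # with no certificate at all ($ssl_client_verify = NONE); "on" makes
        # nginx answer 400 to a missing, untrusted or revoked client
        # certificate. ssl_verify_depth 1 accepts only certificates signed
        # directly by the CA in ca.crt.
        ssl_client_certificate /etc/nginx/certs/ca.crt;
        ssl_verify_client on;
        ssl_verify_depth 1;
        ssl_crl /etc/nginx/certs/crl.pem;

        access_log /var/log/nginx/access.log mtls;

        location / {
            return 200 "hello $ssl_client_s_dn\n";
        }
    }
}
```

NGINX reads `crl.pem` when the configuration is loaded, so after every `easyrsa gen-crl` the new file has to be copied into `server_share/` and NGINX reloaded (`nginx -s reload`); otherwise the server keeps enforcing the old revocation list.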
- Tested with valid client and server certificates: connection successful.
- Revoked the server certificate and regenerated the CRL: the client failed to connect with `curl: (60) SSL certificate problem: certificate revoked`.
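A client in the spirit of the `client.sh` described above, written here as an added example rather than the lab's own script. It covers both the mTLS request with in-connection CRL checking and the revoked-certificate test: the CA bundle, the CRL and the TLS floor are all handed to the single `curl` invocation that carries the request, and the exit status is mapped back to what happened. The file locations (`client_share/client.crt`, `client_share/client.key`, `server_share/ca.crt`, `server_share/crl.pem`) and the server address `https://localhost:443/` are assumptions and can be overridden through environment variables.

```sh
#!/bin/sh
# Added example of an mTLS client in the spirit of the lab's client.sh; it is
# not the lab's own script. Assumed layout (override via environment vars):
#   client_share/client.crt, client_share/client.key  client certificate + key
#   server_share/ca.crt                                private CA certificate
#   server_share/crl.pem                               CRL issued by that CA
# Assumed server address: https://localhost:443/
set -eu

SERVER_URL="${SERVER_URL:-https://localhost:443/}"
CLIENT_CERT="${CLIENT_CERT:-client_share/client.crt}"
CLIENT_KEY="${CLIENT_KEY:-client_share/client.key}"
CA_CERT="${CA_CERT:-server_share/ca.crt}"
CRL_FILE="${CRL_FILE:-server_share/crl.pem}"

# curl options, one per line. CA bundle, CRL and the TLS floor all go to the
# one curl call that performs the request, so the CRL is evaluated during this
# connection's handshake: there is no gap between a separate "is it revoked?"
# check and the actual use of the certificate.
client_curl_args() {
    printf '%s\n' \
        --tlsv1.2 \
        --cacert "$CA_CERT" \
        --crlfile "$CRL_FILE" \
        --cert "$CLIENT_CERT" \
        --key "$CLIENT_KEY" \
        --fail --silent --show-error
}

# Translate curl's exit status. 60 is what the lab observed for a revoked
# server certificate; 22 is what --fail yields when the handshake completes
# but the server answers with an error status (nginx with ssl_verify_client on
# responds 400 to a missing or rejected client certificate rather than
# aborting the handshake).
explain_curl_exit() {
    case "$1" in
        0)  echo "ok: mTLS handshake completed and the request succeeded" ;;
        22) echo "rejected by server: HTTP error status (nginx returns 400 for a missing, revoked or untrusted client certificate)" ;;
        35) echo "handshake failed: protocol or cipher mismatch, or the server refused the handshake" ;;
        60) echo "server certificate rejected by client: not signed by our CA, expired, or listed in the CRL" ;;
        *)  echo "curl exited with status $1" ;;
    esac
}

# An expired CRL is a common pitfall: OpenSSL treats it as a verification
# error, so curl fails with 60 even for an unrevoked server. Warn early.
check_crl_freshness() {
    command -v openssl >/dev/null 2>&1 || return 0
    next=$(openssl crl -in "$1" -noout -nextupdate) \
        || { echo "cannot parse CRL: $1" >&2; return 1; }
    echo "CRL $next (run 'easyrsa gen-crl' and reload nginx before then)"
}

# Perform the request with exactly the argument list from client_curl_args.
run_client() {
    set -f                       # no globbing while re-splitting the list
    old_ifs=$IFS
    IFS='
'
    set -- $(client_curl_args)
    IFS=$old_ifs
    set +f
    curl "$@" "$SERVER_URL"
}

if [ -r "$CLIENT_CERT" ] && [ -r "$CLIENT_KEY" ] && [ -r "$CA_CERT" ] && [ -r "$CRL_FILE" ]; then
    check_crl_freshness "$CRL_FILE"
    if run_client; then rc=0; else rc=$?; fi
    explain_curl_exit "$rc"
    exit "$rc"
else
    echo "certificate material not found; curl would be invoked with:" >&2
    client_curl_args >&2
fi
```

Re-running the script after `easyrsa revoke server` and `easyrsa gen-crl` (with the fresh `crl.pem` copied into `server_share/`) reproduces the exit status 60 recorded in the test above; revoking the client certificate instead, and reloading NGINX with the new CRL, shows up on the client as exit status 22 and on the server as `verify=FAILED:...` in the access log.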
- `client.sh`: the client script with TLS and CRL validation
- `x509_tls_client_report.txt`: a text report describing the CRL validation implementation and its verification
- `server.conf`: NGINX TLS configuration (if included)
- `docker-compose.yml`: container orchestration
- `server_share/`: contains the CA certificate, the CRL, and the server certificates
- `client_share/`: contains the client certificates
This project was developed as part of a university cryptography lab and follows the lab license policies.