mTLS

Explaining mutual TLS authentication.

PreviousConnecting to Transparent APIs NextUsing profiles from other vendors

Last updated 3 months ago

Was this helpful?

mTLS

Explaining mutual TLS authentication.

Mutual TLS authentication (also called Mutual SSL authentication, mTLS authentication, or mTLS for short) is a method for clients to authenticate themselves on accessing a server. It is an authentication method implemented on the transport layer. That makes mTLS often a new paradigm for people and sometimes hard to understand. This page should provide some clarity.

In regular TLS communication, only the server presents a certificate in order for the client to verify the identify of the server. In mTLS, the client performing the call to the server presents a certificate as well, enabling the server to verify the identify of the client as well.

To summarize the setup of mTLS compared to regular TLS communication:

The entity performing the call is the client and should present a client certificate.
The entity receiving the call is the server and should verify the client certificate.

KPN certificates

KPNs client certificate and server certificate are the same, and signed:

Intermediate: Sectigo RSA Domain Validation Secure Server CA
Root: Sectigo

How it works

curl -v https://rsp.kpnthings.com/esim-messaging/3/ES4/ES4SmSrService --cert mycert.crt –key mykey.key --CAcert cacert.crt  --data 'test'
 
 
*   Trying 145.128.79.83...
* TCP_NODELAY set
* Connected to rsp.kpnthings.com (145.128.79.83) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: cacert.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=rsp.kpnthings.com
*  start date: Sep  8 00:00:00 2020 GMT
*  expire date: Sep  9 23:59:59 2021 GMT
*  subjectAltName: host "rsp.kpnthings.com" matched cert's "rsp.kpnthings.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fdb4700aa00)
> POST /esim-messaging/3/ES4/ES4SmSrService HTTP/2
> Host: rsp.kpnthings.com
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 4
> Content-Type: application/x-www-form-urlencoded

PreviousConnecting to Transparent APIs NextUsing profiles from other vendors

Last updated 3 months ago

Was this helpful?

To summarize the setup of mTLS compared to regular TLS communication:

The entity performing the call is the client and should present a client certificate.
The entity receiving the call is the server and should verify the client certificate.

KPN certificates

KPNs client certificate and server certificate are the same, and signed:

Intermediate: Sectigo RSA Domain Validation Secure Server CA
Root: Sectigo

How it works

curl -v https://rsp.kpnthings.com/esim-messaging/3/ES4/ES4SmSrService --cert mycert.crt –key mykey.key --CAcert cacert.crt  --data 'test'
 
 
*   Trying 145.128.79.83...
* TCP_NODELAY set
* Connected to rsp.kpnthings.com (145.128.79.83) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: cacert.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=rsp.kpnthings.com
*  start date: Sep  8 00:00:00 2020 GMT
*  expire date: Sep  9 23:59:59 2021 GMT
*  subjectAltName: host "rsp.kpnthings.com" matched cert's "rsp.kpnthings.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fdb4700aa00)
> POST /esim-messaging/3/ES4/ES4SmSrService HTTP/2
> Host: rsp.kpnthings.com
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 4
> Content-Type: application/x-www-form-urlencoded