mTLS

Explaining mutual TLS authentication.

Mutual TLS authentication (also called Mutual SSL authentication, mTLS authentication, or mTLS for short) is a method for clients to authenticate themselves on accessing a server. It is an authentication method implemented on the transport layer. That makes mTLS often a new paradigm for people and sometimes hard to understand. This page should provide some clarity.

In regular TLS communication, only the server presents a certificate in order for the client to verify the identify of the server. In mTLS, the client performing the call to the server presents a certificate as well, enabling the server to verify the identify of the client as well.

To summarize the setup of mTLS compared to regular TLS communication:

  • The entity performing the call is the client and should present a client certificate.

  • The entity receiving the call is the server and should verify the client certificate.

LogoAn Introduction to Mutual SSL AuthenticationCodeProject

KPN certificates

KPNs client certificate and server certificate are the same, and signed:

  • Intermediate: Sectigo RSA Domain Validation Secure Server CA

  • Root: Sectigo

How it works

curl -v https://rsp.kpnthings.com/esim-messaging/3/ES4/ES4SmSrService --cert mycert.crt –key mykey.key --CAcert cacert.crt  --data 'test'
 
 
*   Trying 145.128.79.83...
* TCP_NODELAY set
* Connected to rsp.kpnthings.com (145.128.79.83) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: cacert.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=rsp.kpnthings.com
*  start date: Sep  8 00:00:00 2020 GMT
*  expire date: Sep  9 23:59:59 2021 GMT
*  subjectAltName: host "rsp.kpnthings.com" matched cert's "rsp.kpnthings.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fdb4700aa00)
> POST /esim-messaging/3/ES4/ES4SmSrService HTTP/2
> Host: rsp.kpnthings.com
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 4
> Content-Type: application/x-www-form-urlencoded
PreviousConnecting to Transparent APIsNextUsing profiles from other vendors

Last updated

Was this helpful?