Project 14: TLS Chat Server with Client Certificates

A secure chat server that requires client certificates for authentication (mutual TLS). Generate your own CA, issue certificates, and build both server and client that verify each other.

Quick Reference

Attribute Value
Primary Language C++
Alternative Languages Rust, Go
Difficulty Level 4: Expert
Time Estimate 2 weeks
Knowledge Area Mutual TLS, PKI, Certificate Generation
Tooling Secure internal communication
Prerequisites Project 13, understanding of PKI

What You Will Build

A secure chat server that requires client certificates for authentication (mutual TLS). Generate your own CA, issue certificates, and build both server and client that verify each other.

Why It Matters

This project builds core skills that appear repeatedly in real-world systems and tooling.

Core Challenges

  • Certificate generation → maps to openssl commands, X.509 structure
  • Server-side TLS → maps to SSL_accept, loading server cert/key
  • Client certificate validation → maps to SSL_CTX_set_verify with callback
  • Extracting client identity → maps to reading CN from client cert

Key Concepts

  • Mutual TLS: “Bulletproof SSL and TLS” Chapter 8 - Ristić
  • Certificate Authority: “Bulletproof SSL and TLS” Chapter 12 - Ristić
  • OpenSSL Server Setup: “Network Security with OpenSSL” Chapter 5 - Viega
  • Zero Trust Architecture: NIST SP 800-207

Real-World Outcome

# Generate CA and certificates (setup script)
$ ./generate_certs.sh
Created: ca.crt, ca.key
Created: server.crt, server.key
Created: alice.crt, alice.key
Created: bob.crt, bob.key

# Start server
$ ./tls_chat_server --cert server.crt --key server.key --ca ca.crt
Secure chat server on port 9443
Requiring client certificates signed by our CA

# Client connects with certificate
$ ./tls_chat_client --cert alice.crt --key alice.key --ca ca.crt localhost 9443
Connected as alice@example.com (verified by server)

# Server log:
[12:00:01] TLS connection from 127.0.0.1:54321
[12:00:01] Client certificate: CN=alice@example.com
[12:00:01] Verified by CA: CN=My Chat CA
[12:00:02] <alice> Hello everyone!

# Unauthenticated client rejected:
$ ./tls_chat_client localhost 9443
Error: handshake failed - client certificate required

Implementation Guide

  1. Reproduce the simplest happy-path scenario.
  2. Build the smallest working version of the core feature.
  3. Add input validation and error handling.
  4. Add instrumentation/logging to confirm behavior.
  5. Refactor into clean modules with tests.

Milestones

  • Milestone 1: Minimal working program that runs end-to-end.
  • Milestone 2: Correct outputs for typical inputs.
  • Milestone 3: Robust handling of edge cases.
  • Milestone 4: Clean structure and documented usage.

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: LEARN_CPP_NETWORK_PROGRAMMING.md
  • “Bulletproof SSL and TLS” by Ivan Ristić