How to mimic browser X509 client certificate verif

2019-02-28 08:09发布

问题:

I was reading this article on authentication via a X509 client certificate, but I won't be able to get the server to request a client certificate as I'm running the application on Heroku, so I've no access to the HTTP layer.

I saw a response to a similar question on Stackoverflow that said to use custom headers.

I would like to mimic the client certificate verification with an application server using custom headers. I'm using Ruby, so if anyone knows of a library that already accomplishes this task, that would be helpful. Otherwise, is it possible and what are the resources I will need? I found this SO question but it's about verifying SSL certificates and I'm not sure if that applies.

Sorry for the vagueness of the question but I'm at the beginning point on this.

回答1:

Your app stack isn't able to control SSL cause it's terminated on the web server. All the verification stuff is done by the web server and then only SSL_* headers go to the app server (look for Apache's SSLOptions for example). If you can't control web server you probably cant even turn on client certificate requirement. And i can't find any options to turn this requirement on via heroku: https://devcenter.heroku.com/articles/ssl#customdomain-ssl

If you've got SSL_* headers somehow then, regardless of web-server-side verification, you can verify certificate (commonly in the SSL_CLIENT_CERT header) using openssl as an army knife. See this for example in ruby: OpenSSL verify certificate from own CA

Also keep in mind that certificate verification is the process of checking certificate sign and other properties e.g. formal checking. To authenticate user you have to link that verified certificate to user by DN or E field, for example.