issue with mutual ssl authentication and PEM files #140

Open
antxxxx opened this issue Jan 7, 2016 · 9 comments


antxxxx commented Jan 7, 2016

There is an issue when using mutual ssl to connect to a server and the certificates and key are stored in PEM files.

If you have this:

server certificate signed by intermediate CA 1
client certificate signed by intermediate CA 2
intermediate CA 1 and 2 are both signed by root CA.

If you then put all three CA files in an array called ca, the private key in a variable called key, and the client certificate in a variable called client_cert, and try to connect to a server set up for mutual ssl using this:

    var tls = require('tls');

    // key, client_cert and ca hold the PEM data described above
    var options = {
        key  : key,         // client private key
        cert : client_cert, // client certificate
        ca   : ca,          // array of the three CA certificates
        host: 'ssl secured host',
        port: '443',
        rejectUnauthorized: true
    };

    var client = tls.connect(options, function () {
        // ... connected; callback body not shown
    });

then it works using node, but it does not work when running node inside Trireme.

However, if you put the key and client cert inside a jks file, then it does work inside Trireme, but obviously does not work when running directly under node:

    var tls = require('tls');

    // keystore/passphrase are Trireme options: key and client cert are read from a JKS file
    var options = {
        keystore: "certs/client.jks",
        passphrase: "password",
        ca: ca,             // array of the three CA certificates (PEM)
        host: 'ssl secured host',
        port: '443',
        rejectUnauthorized: true
    };

    var client = tls.connect(options, function () {
        // ... connected; callback body not shown
    });

Using PEM files (and also a jks file) also works if you have the following:

server certificate signed by intermediate CA 1
client certificate signed by intermediate CA 1
intermediate CA 1 is signed by root CA.


gbrail commented Jan 7, 2016

Thanks for tracking this down!

Let me try to create the CA certs and see if I can reproduce this...


gbrail commented Jan 7, 2016

This works for me on Trireme 0.8.8. Can you LMK what version you are using or what version of Apigee Edge?


antxxxx commented Jan 8, 2016

I have created an example project at https://github.com/antxxxx/mutual_ssl to illustrate the issue.

If you start the server at node/server.js using node, then try running client/http_client_CA1.js and client/http_client_CA2.js using both node and trireme (version 0.8.8), you can see that both connect correctly using node, but http_client_CA2.js does not connect correctly when using trireme.


gbrail commented Jan 8, 2016

Thanks for creating the reproducer!

It looks like on a TLS client we are not adding the CA certs to the key store, which means that the client doesn't offer them to the server, which is why this breaks.
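To show what that explanation means on the server side, here is an added example (not code from the thread, Trireme, or Node): a constructed throwaway PKI in Go, verified the way a TLS server checks the client's Certificate message against a trust store that holds only the root. It also covers a case the thread does not mention: a server that trusts the intermediate directly, where a leaf-only chain verifies and a client that omits its intermediate goes unnoticed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a throwaway Ed25519 certificate for cn, signed by parent
// (self-signed when parent is nil). Constructed test PKI, not real key material.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyClientCert is the check a TLS server runs on the client's Certificate message
// when its trust store holds only the root: every intermediate must either arrive in
// that message or already be trusted. Topology from the issue: root CA -> CA 2 -> client.
func verifyClientCert(clientSendsIntermediate, serverTrustsIntermediate bool) error {
	root, rootKey := issue("root CA", true, nil, nil)
	ca2, ca2Key := issue("intermediate CA 2", true, root, rootKey)
	client, _ := issue("client", false, ca2, ca2Key)
	roots := x509.NewCertPool() // the server's trust store (its `ca` option)
	roots.AddCert(root)
	if serverTrustsIntermediate {
		roots.AddCert(ca2)
	}
	presented := x509.NewCertPool() // certs after the leaf in the client's Certificate message
	if clientSendsIntermediate {
		presented.AddCert(ca2)
	}
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, Intermediates: presented,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err // nil when a chain from the leaf to a trusted certificate builds
}
```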


gbrail commented Jan 8, 2016

To be clear, it's not hard to fix so stay tuned.


gbrail commented Jan 9, 2016

Checked in a fix to master. Can you build it and try it out?


antxxxx commented Jan 11, 2016

That has fixed it - thanks for the quick response.
Do you know when this will be released - and when it will get deployed to Apigee Edge?


gbrail commented Jan 12, 2016

Can you open a case with Support? That way we can track it and make sure that we get it resolved and pushed to production.


gbrail commented Jan 15, 2016

I'd like to do a new Rhino release to pick up a few bug fixes, and then a new Trireme release. That shouldn't take too long. Then I'd need to get it into Edge and pushed to the cloud, which takes longer to get deployed...

If you're a customer it's best to open a support request so that the engineering team knows that this is a priority for you. Thanks!

