nginx optional_no_ca equivalent for API Gateway - nginx

In our platform, the client will generate their own self-signed certificate. We will then validate the certificate externally from nginx. I use optional_no_ca and do not verify the client with a trusted CA. I perform verification on the server side, after nginx.
I am now building the production environment with API Gateway and ALB. However, I do not know the equivalent of optional_no_ca. I want the client to verify the server cert but the client certificate should pass through to the server for some application checks.
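The part that stays the same whichever TLS terminator sits in front (nginx with optional_no_ca, or a managed load balancer forwarding the certificate in a header) is the backend check itself. The following is an added example, not code from the question or from nginx: a backend that recovers the forwarded PEM and pins it by SHA-256 fingerprint. It assumes an nginx configuration of `ssl_verify_client optional_no_ca;` with `proxy_set_header X-Client-Cert $ssl_client_escaped_cert;` (that variable is the client PEM, URL-encoded); the header name, the pinned fingerprints and the sample PEM are all constructed here, and the sample PEM is not a real X.509 certificate, since the pinning logic only hashes the DER bytes.

```python
"""Backend-side pinning of a client certificate forwarded by a TLS-terminating
proxy. Added example; not from the original question.

Assumptions (not from the original post):
  * proxy config: ssl_verify_client optional_no_ca;
                  proxy_set_header X-Client-Cert $ssl_client_escaped_cert;
  * the header name X-Client-Cert and the pinned fingerprints are constructed;
  * SAMPLE_PEM below is constructed and is not a real X.509 certificate.
"""
import base64
import hashlib
import ssl
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote

CLIENT_CERT_HEADER = "X-Client-Cert"  # assumed header name

# Constructed sample "certificate": arbitrary bytes, base64-wrapped as PEM.
_SAMPLE_DER = b"constructed-client-cert-bytes-not-real-x509"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(_SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)


def fingerprint_sha256(pem: str) -> str:
    """Hex SHA-256 over the DER bytes of a PEM certificate.

    ssl.PEM_cert_to_DER_cert strips the armour and base64-decodes; it raises
    ValueError (or a subclass) when the input is not PEM-shaped.
    """
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


# Allowlist of enrolled client-cert fingerprints (constructed). In practice the
# client registers its self-signed cert once and its fingerprint is stored here.
PINNED_FINGERPRINTS = {fingerprint_sha256(SAMPLE_PEM)}


def forward_header(pem: str) -> str:
    """Simulate what $ssl_client_escaped_cert produces: the PEM, URL-encoded."""
    return quote(pem, safe="")


def decode_forwarded_cert(headers: Dict[str, str]) -> Optional[str]:
    """Recover the PEM from the proxy header, or None if no cert was presented."""
    raw = headers.get(CLIENT_CERT_HEADER)
    if not raw:
        return None
    return unquote(raw)


def authorize(headers: Dict[str, str]) -> Tuple[int, str]:
    """Return (HTTP status, reason) for a request as seen behind the proxy."""
    pem = decode_forwarded_cert(headers)
    if pem is None:
        # optional_no_ca admits connections with no client cert; refuse them here.
        return 401, "no client certificate presented"
    try:
        fp = fingerprint_sha256(pem)
    except ValueError:
        return 400, "malformed client certificate header"
    if fp not in PINNED_FINGERPRINTS:
        return 403, "client certificate not enrolled"
    return 200, "ok sha256=" + fp


if __name__ == "__main__":
    # Constructed requests: enrolled cert, no cert, garbage header.
    print(authorize({CLIENT_CERT_HEADER: forward_header(SAMPLE_PEM)}))
    print(authorize({}))
    print(authorize({CLIENT_CERT_HEADER: "not-a-certificate"}))
```

The check only means anything if the backend is reachable exclusively through the proxy; a backend that clients can reach directly would accept any X-Client-Cert value they choose to send, so the proxy must also overwrite (not append to) that header on every request.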

Related

Python gRPC client working over a secure channel without SSL certificate

I saw below piece of code in a gRPC client that works:
import grpc

# No certificate is passed here: with no arguments, ssl_channel_credentials()
# verifies the server against the default trusted root CAs, and the client
# presents no certificate of its own. Only the server needs a certificate.
ssl_metadata = grpc.ssl_channel_credentials()
channel = grpc.secure_channel('<my_grpc_server_path>:443', ssl_metadata)
I don't have the server code.
How is a secure channel created without a certificate and how will the server communicate over SSL?

SSL certificate from Netlify - HTTPS with Digital Ocean

I am new at deploying web applications. I have set up a web server on Digital Ocean that is running on top of NGINX. Besides, I have a front-end application running on Netlify. The connection between the server and the web is not established (error 400) and I suspect a port problem.
I have double-checked the CORS policy, but my guess is that NGINX listens on port 80 for HTTP requests (open), while Netlify automatically creates an SSL certificate which makes my requests go through the HTTPS protocol.
My question is: do I need to do anything else than setting up Nginx on the server side in such a way it listens to port 443 (HTTPS port), or do I need to generate another SSL certificate on the server side?
My intuition is option 1, but I feel lost with all these notions.
It's a CORS error: your Netlify HTTPS site will not allow you to hit an insecure HTTP API. You need to enable HTTPS on your droplet on Digital Ocean by providing a domain name to your application. Follow the link.

Possibility to bypass the Certificate Verify in mutual authentication (mTLS)

In the TLS handshake process, the Certificate Verify message will follow the Client Key Exchange message after the server requested a client certificate. The Certificate Verify contains a digital signature computed over all previous handshake messages including the type and length fields of the handshake messages. This process allows the client to prove that it owns the private key of the client certificate it sends to the server.
The idea came from a practical problem. There is an mTLS-enabled server that applies different action policies based on the client certificate received, for example, different welcome pages for different client certificates. If a layer-7 reverse proxy service like a load balancer is placed in front of the proxied server, which also requires decrypting the TLS traffic, the proxied server can only get the client certificate information from an HTTP header (for example, by setting proxy_set_header with the $ssl_client_cert variable in NGINX), which requires modifying the logic of the server.
A simple but very troublesome solution is the reverse proxy service stores all the client certificates and their private keys. The reverse proxy service will use the same client certificate it received during the mTLS handshake process to establish the mTLS connection with the proxied server.
Since the reverse proxy service can choose whether to trust the client or not with its own implementation, it is possible to forge the Certificate Verify message by asking the client to send a second Certificate Verify signature when the proxied server needs the reverse proxy service to do so (I know it's like a man-in-the-middle attack)?

use BASIC authentication with client certificate authentication

Is it possible, in general, for a server to require both client certificate authentication and BASIC authentication?
For example, an intranet site of some sort, which requires:
The machine to have a specific certificate installed (client cert authentication), AND
A valid user to log in (basic authentication)
NOTE: this question isn't about a server supporting one or the other, but both together (as in the requester must authenticate both ways)
Yes, it is possible to have both. The client certificate will be verified during the TLS handshake while basic authentication will be done at the HTTP level, i.e. inside the TLS connection after the TLS handshake is done and the client certificate checked.
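The two gates the answer describes live at different layers and can be checked in sequence by the application. The following is an added example, not code from the question or the answer: a backend behind a TLS terminator that first requires the handshake-level certificate result and only then parses HTTP Basic credentials. It assumes nginx forwarding `proxy_set_header X-SSL-Client-Verify $ssl_client_verify;` (whose values are SUCCESS, FAILED:<reason> or NONE) and `X-SSL-Client-S-DN $ssl_client_s_dn;`; the header names, the user store and the credentials are constructed.

```python
"""Two independent gates on one request: the client certificate, verified by
the TLS terminator during the handshake, and HTTP Basic credentials, checked
at the HTTP layer inside the established TLS connection. Added example; not
from the original question or answer.

Assumptions (not from the original post): nginx forwards
  proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
  proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
The user store, salt and header names below are constructed.
"""
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional, Tuple

_SALT = b"constructed-salt"  # constructed; a real store uses one random salt per user


def _hash_pw(password: str) -> bytes:
    # PBKDF2 is stdlib-only; argon2/bcrypt would be the production choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS: Dict[str, bytes] = {"alice": _hash_pw("correct horse")}  # constructed user


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from 'Authorization: Basic <b64>', or None."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_basic(authorization: Optional[str]) -> bool:
    creds = parse_basic(authorization)
    if creds is None:
        return False
    user, password = creds
    stored = USERS.get(user)
    # Hash even for unknown users so timing does not reveal which names exist;
    # compare_digest avoids a timing side channel on the comparison itself.
    candidate = _hash_pw(password)
    return stored is not None and hmac.compare_digest(stored, candidate)


def gate(headers: Dict[str, str]) -> Tuple[int, str]:
    """TLS-level result first, then HTTP-level credentials; both must pass."""
    verify = headers.get("X-SSL-Client-Verify", "NONE")
    if verify != "SUCCESS":
        # NONE: no cert sent (ssl_verify_client optional); FAILED:...: bad cert
        return 403, f"client certificate required ({verify})"
    if not check_basic(headers.get("Authorization")):
        # A real response also sets: WWW-Authenticate: Basic realm="intranet"
        return 401, "basic auth required"
    return 200, "ok cert=" + headers.get("X-SSL-Client-S-DN", "?")


if __name__ == "__main__":
    # Constructed requests: both gates pass; cert missing; wrong password.
    print(gate({"X-SSL-Client-Verify": "SUCCESS",
                "X-SSL-Client-S-DN": "CN=alice-laptop",
                "Authorization": basic_header("alice", "correct horse")}))
    print(gate({"Authorization": basic_header("alice", "correct horse")}))
    print(gate({"X-SSL-Client-Verify": "SUCCESS",
                "Authorization": basic_header("alice", "wrong")}))
```

Checking the certificate result before touching the Authorization header means an unauthenticated machine never gets to exercise the password path at all, which is the property the question asks for: both factors, in that order.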

Client and Server Authentication By the Same Certificate

I use the same certificate both for client and service authentication on Wcf with message security. Does it cause any serious vulnerability?
You don't want to have the full certification on both the server and client for security reasons. Have a look at this Server / Client Certs
