Intro
Two-way SSL means the server also requires the client to present a certificate for verification. In the handshake the client verifies the server first, and only then does the server verify the client.
Image source: web-service-principles - HTTP
Client certificate
The client presents an end-entity certificate and is configured to use that certificate's private key; the server is configured with the CA certificate that issued the client certificates, which it uses to verify the end-entity certificate the client presents.
[Server] Common TLS/SSL certificate commands – Creating a CSR
Nginx configuration
Nginx can enable client certificate verification in a server block:
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/ssl/public.crt;
    ssl_certificate_key /etc/nginx/ssl/private.rsa;

    # Client certificate verification: client_ca.pem is the CA that issued the client certificates
    ssl_client_certificate /etc/nginx/ssl/client_ca.pem;
    ssl_verify_client on;

    server_name api.my_domain.com;

    location / {
        # ...
    }
}
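The check behind `ssl_client_certificate` plus `ssl_verify_client on` is simply chain validation of the presented client certificate against the configured CA. The script below is an added example, not part of the original post: it builds a throwaway CA with openssl, issues a client certificate from it, and shows that a certificate from an unrelated CA is rejected. All names, subjects and paths are constructed here, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example: issue a client certificate from a private CA and verify it the way
# a server configured with that CA bundle would. Everything here is constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a private CA and issue one client certificate signed by it.
# $1 = output directory, $2 = CA name, $3 = client CN
issue_client_cert() {
  dir="$1"; ca="$2"; cn="$3"
  mkdir -p "$dir"
  # CA key + self-signed CA certificate (the file that would go into ssl_client_certificate)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/$ca.key" -out "$dir/$ca.pem" -subj "/CN=$ca" >/dev/null 2>&1
  # Client key + CSR, then sign the CSR with the CA key
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/$cn.key" -out "$dir/$cn.csr" -subj "/CN=$cn" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/$cn.csr" \
    -CA "$dir/$ca.pem" -CAkey "$dir/$ca.key" -CAcreateserial \
    -out "$dir/$cn.crt" >/dev/null 2>&1
}

# Validate a client certificate against a CA bundle; prints "ok" or "fail".
# $1 = CA bundle (PEM), $2 = client certificate (PEM)
verify_client_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

issue_client_cert "$WORK/a" trusted-ca alice   # CA the server trusts
issue_client_cert "$WORK/b" other-ca   bob     # unrelated CA, not configured on the server
verify_client_cert "$WORK/a/trusted-ca.pem" "$WORK/a/alice.crt"   # ok
verify_client_cert "$WORK/a/trusted-ca.pem" "$WORK/b/bob.crt"     # fail
```

A certificate is accepted only when it chains to the configured CA; a valid certificate from any other CA fails exactly as it would at the TLS handshake.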
Client examples
CURL
$ curl https://two-way-ssl.local --cert client.crt --key client.key [--pass passPhrase]
# The key can also be bundled into the CRT file
$ curl https://two-way-ssl.local --cert crt-with-key.crt
# PKCS#12 method
$ curl https://two-way-ssl.local --cert-type P12 --cert cert.p12:password
PHP Guzzle
$response = $client->get('/', [
    'cert'    => '/path/client.crt',
    'ssl_key' => '/path/client.key',
]);
With a pass phrase:
    'cert'    => ['/path/client.crt', 'password'],
    'ssl_key' => ['/path/client.key', 'password'],
JAVA (KeyStore)
Java typically loads a PKCS#12 file containing both the certificate and the private key (or one converted to JKS) into a java.security.KeyStore.
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(getClass().getResourceAsStream("/path/to/client_certificate.p12"), "passphrase".toCharArray());
// Build SSL configuration from the keyStore: the KeyManager supplies the client certificate and private key
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(keyStore, "passphrase".toCharArray());
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), null, null); // null trust managers = default trust store for verifying the server