current community

your communities

more stack exchange communities

Stack Exchange
tour help
stack overflow careers
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 1 down vote favorite
1

I have the following setup:

There are 2 servers that require an SSL client certificate. The certificate is used for authentication.

A user (using his browser) will do a request to Server1, with his client certificate. So far, so good. Now, what I want to do: Server1 will do a request to Server2, parse that response, and return it to the user.

Server1 does the request with php_curl. I want Server1 to pass the original client certificate (of the user) to Server2 (which will verify the user, ..). Server1 is then posting 'on behalf of' the user.

Is this possible?

Apache has ExportCertData SSLOption enabled. I already tried to add the following headers to the curl options (figuring this was about the same as Apache proxy setup with client certs):

$headers[] = "SSL_CLIENT_S_DN: ".$_SERVER['SSL_CLIENT_S_DN'];
$headers[] = "SSL_CLIENT_I_DN: ".$_SERVER['SSL_CLIENT_I_DN'];
$headers[] = "SSL_SERVER_S_DN_OU: ".$_SERVER['SSL_SERVER_S_DN_OU'];
$headers[] = "SSL_CLIENT_VERIFY: ".$_SERVER['SSL_CLIENT_VERIFY'];
$headers[] = "SSL_CLIENT_V_START: ".$_SERVER['SSL_CLIENT_V_START'];
$headers[] = "SSL_CLIENT_V_END: ".$_SERVER['SSL_CLIENT_V_END'];
$headers[] = "SSL_CLIENT_M_VERSION: ".$_SERVER['SSL_CLIENT_M_VERSION'];
$headers[] = "SSL_CLIENT_M_SERIAL: ".$_SERVER['SSL_CLIENT_M_SERIAL'];
$headers[] = "SSL_CLIENT_CERT: ".$_SERVER['SSL_CLIENT_CERT'];
$headers[] = "SSL_CLIENT_VERIFY: ".$_SERVER['SSL_CLIENT_VERIFY'];
$headers[] = "SSL_SERVER_M_VERSION: ".$_SERVER['SSL_SERVER_M_VERSION'];
$headers[] = "SSL_SERVER_I_DN: ".$_SERVER['SSL_SERVER_I_DN'];
$headers[] = "SSL_SERVER_CERT: ".$_SERVER['SSL_SERVER_CERT'];

but no luck with those.

share|improve this question
1  
IIRC SSL is end-to-end, you can't proxy it. –  hakre Sep 16 '11 at 10:15
    
Apache can do proxy on SSL connections. Also, I'm ok with setting up a new SSL connection, just, with the same certificate, or is that not possible? I don't quite want to proxy the request either, I'm doing another request, just with the same cert.. –  kclement Sep 16 '11 at 10:21
2  
Client certificates? Then they would not be working as intended any longer. You should try to man in the middle attack the clients connection to make it more transparent. –  hakre Sep 16 '11 at 10:22

1 Answer 1

up vote 2 down vote accepted

You couldn't pass a request with an original client certificate unless you have that certificate with keys and such on hand. This is how SSL works.

If you're running both of the servers you could verify client certificate on Server1 and pass verified information on the Server2 by means of custom headers or whichever you find suits best.

If you're not responsible for the second server, well, no luck for you, because making MITM attacks simple was not one of intentions of SSL creators.

share|improve this answer
    
That is my backup solution. I know it works, but I'd prefer to do authentication of the user based on his SSL cert, rather than another (even though it's trusted) server pasisng me the users' CN as a string parameter. I understand the main-in-the-middle atack danger, but the same problem would also exist with Apache proxy, no? –  kclement Sep 16 '11 at 10:34
    
Sure with certain effort you can pass undecrypted requests like Apache mod_proxy does. But I cannot find any special purpose in this. –  sanmai Sep 16 '11 at 10:39

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.