Forwarding an SSL client certificate with php_curl
I have the following setup:
There are two servers that require an SSL client certificate.
The certificate is used for authentication.
A user (using his browser) will make a request to Server1 with his client certificate.
So far, so good.
Now, what I want to do:
Server1 will make a request to Server2, parse that response, and return it to the user.
Server1 makes the request with php_curl.
I want Server1 to pass the original client certificate (of the user) to Server2 (which will verify the user, ..). Server1 is then posting 'on behalf of' the user.
Is this possible?
Apache has the ExportCertData SSLOption enabled.
I already tried to add the following headers to the curl options (figuring this was about the same as an Apache proxy setup with client certs):
<?php
// mod_ssl exports these variables into $_SERVER when ExportCertData is on.
$headers = [];
$headers[] = "SSL_CLIENT_S_DN: ".$_SERVER['SSL_CLIENT_S_DN'];
$headers[] = "SSL_CLIENT_I_DN: ".$_SERVER['SSL_CLIENT_I_DN'];
$headers[] = "SSL_SERVER_S_DN_OU: ".$_SERVER['SSL_SERVER_S_DN_OU'];
$headers[] = "SSL_CLIENT_VERIFY: ".$_SERVER['SSL_CLIENT_VERIFY'];
$headers[] = "SSL_CLIENT_V_START: ".$_SERVER['SSL_CLIENT_V_START'];
$headers[] = "SSL_CLIENT_V_END: ".$_SERVER['SSL_CLIENT_V_END'];
$headers[] = "SSL_CLIENT_M_VERSION: ".$_SERVER['SSL_CLIENT_M_VERSION'];
$headers[] = "SSL_CLIENT_M_SERIAL: ".$_SERVER['SSL_CLIENT_M_SERIAL'];
$headers[] = "SSL_CLIENT_CERT: ".$_SERVER['SSL_CLIENT_CERT'];   // PEM of the user's certificate (public part only)
$headers[] = "SSL_SERVER_M_VERSION: ".$_SERVER['SSL_SERVER_M_VERSION'];
$headers[] = "SSL_SERVER_I_DN: ".$_SERVER['SSL_SERVER_I_DN'];
$headers[] = "SSL_SERVER_CERT: ".$_SERVER['SSL_SERVER_CERT'];
// Attach the headers to the outgoing php_curl request to Server2.
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
but no luck with those.
Comments (1)
You can't pass on a request with the original client certificate unless you have that certificate, with its keys and such, on hand. This is how SSL works.
If you're running both of the servers, you could verify the client certificate on Server1 and pass the verified information on to Server2 by means of custom headers or whatever you find suits best.
If you're not responsible for the second server, well, no luck for you, because making MITM attacks simple was not one of the intentions of SSL's creators.
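The pattern the answer recommends, written out as an added example (it is not code from the question or the answer): Server1 checks that mod_ssl actually verified the browser's certificate, forwards only the verified subject DN in custom headers, authenticates itself to Server2 with its own client certificate, and signs the headers with a shared secret so Server2 can reject forged values. Server2 accepts the forwarded identity only when the TLS peer is Server1 and the signature and timestamp check out. The header names, certificate paths, the shared secret and Server1's DN are assumptions for illustration.

```php
<?php
// Added example, not from the original question or answer. Header names,
// file paths, the shared secret and Server1's DN are illustrative assumptions.

const IDENTITY_HEADER  = 'X-Forwarded-Client-Dn';
const TIMESTAMP_HEADER = 'X-Forwarded-Client-Ts';
const SIGNATURE_HEADER = 'X-Forwarded-Client-Sig';

/**
 * Server1 side: build headers carrying the user's verified identity.
 * Returns null when mod_ssl did not verify the client certificate; the
 * caller must then reject the request instead of forwarding it anonymously.
 */
function buildIdentityHeaders(array $server, string $sharedSecret, int $now): ?array
{
    // Only trust SSL_CLIENT_S_DN when SSL_CLIENT_VERIFY is SUCCESS (not NONE/FAILED).
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    $dn  = $server['SSL_CLIENT_S_DN'];
    $ts  = (string) $now;
    // HMAC over DN and timestamp binds the identity to this request window.
    $sig = hash_hmac('sha256', $dn . "\n" . $ts, $sharedSecret);
    return [
        IDENTITY_HEADER  . ': ' . $dn,
        TIMESTAMP_HEADER . ': ' . $ts,
        SIGNATURE_HEADER . ': ' . $sig,
    ];
}

/**
 * Server1 side: call Server2 with php_curl, authenticating as Server1 with
 * Server1's OWN certificate (the user's cannot be reused: Server1 never holds
 * the user's private key) and attaching the signed identity headers.
 */
function forwardOnBehalfOf(string $url, array $headers)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_SSLCERT        => '/etc/ssl/private/server1-client.crt', // assumed path
        CURLOPT_SSLKEY         => '/etc/ssl/private/server1-client.key', // assumed path
        // Keep peer and hostname verification on so Server1 really talks to Server2.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => '/etc/ssl/certs/internal-ca.pem',      // assumed path
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body; // string on success, false on failure
}

/**
 * Server2 side: accept the forwarded identity only if (a) the TLS client
 * certificate on this connection is Server1's, (b) the HMAC matches and
 * (c) the timestamp is fresh. Returns the verified DN or null.
 */
function verifyForwardedIdentity(array $server, string $sharedSecret, string $server1Dn, int $now, int $maxSkew = 300): ?string
{
    // PHP exposes request headers as HTTP_<NAME> with dashes turned into underscores.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS'
        || ($server['SSL_CLIENT_S_DN'] ?? '') !== $server1Dn) {
        return null; // connection did not come from Server1; ignore the headers
    }
    $dn  = $server['HTTP_X_FORWARDED_CLIENT_DN']  ?? '';
    $ts  = $server['HTTP_X_FORWARDED_CLIENT_TS']  ?? '';
    $sig = $server['HTTP_X_FORWARDED_CLIENT_SIG'] ?? '';
    if ($dn === '' || !ctype_digit($ts) || abs($now - (int) $ts) > $maxSkew) {
        return null; // missing, malformed or stale
    }
    $expected = hash_hmac('sha256', $dn . "\n" . $ts, $sharedSecret);
    // Constant-time comparison so the signature cannot be guessed byte by byte.
    return hash_equals($expected, $sig) ? $dn : null;
}

// Usage on Server1 (constructed call; $_SERVER is filled in by Apache/mod_ssl):
// $headers = buildIdentityHeaders($_SERVER, $secret, time());
// if ($headers === null) { http_response_code(401); exit; }
// $response = forwardOnBehalfOf('https://server2.example.internal/api', $headers);
```

The two checks on the Server2 side are what make the custom-header approach safe: without the peer-certificate check, anyone who can reach Server2 could set the header themselves, and without the HMAC and timestamp a header captured once could be replayed with a different DN. Both servers need the same `$sharedSecret`, and Server2 should still require mutual TLS for every connection, exactly as it did before Server1 was put in front of it.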