Client cert on Request #186

Open
nyarly opened this issue Aug 10, 2014 · 5 comments

@nyarly
Contributor

nyarly commented Aug 10, 2014

I'm looking at building a pure-API service with webmachine. I'd like to be able to do SSL and authenticate with client certs, but I realize that accessing the cert itself means digging into the LazyRequestBody with instance_var_get.

I'd like to add a field on Webmachine::Request, but it'd mean adding a little code to each adapter, as far as I can tell.

@nyarly nyarly added the feature label Aug 10, 2014
@Asmod4n
Member

Asmod4n commented Aug 10, 2014

I know my stance is rather restrictive when it comes to cryptography, but it shouldn't be run in the same process as the "business logic".

Have you taken a look at nginx http_ssl_module? It can do certificate verification and add the required information to http headers. http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables

@seancribbs
Member

Actually, it should be perfectly reasonable to do certificate authentication. The problem usually is that every single webserver exposes (or not) this information differently! If we can get to the actual socket, usually you can make OpenSSL calls on it to read the peer cert, but again, it's extremely inconsistent.

@nyarly
Contributor Author

nyarly commented Aug 11, 2014

Apache has similar headers that it'll set. It would certainly be nice if Webmachine could handle those correctly (although there's some trickiness around ensuring that fake headers aren't set by the client...)

And yes: every SSL connection terminator has its own slightly different way of formatting the certificates - from the various Ruby servers that will handle it, to front end servers that'll attach verification headers.

Would the best solution be to recommend a Rack middleware - possibly a middleware per terminator - to adapt the certificate into a predictable place and format?

It'd be nice, ultimately, to have Webmachine::Request#client_cert iff the request was verified and not have to worry about it. Realistically, client software is going to have to provide some configuration related to how the SSL is terminated, but getting the verified cert in one place and one format seems like a big win.
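
The per-terminator Rack middleware idea from the comment above, as an added example that is not part of this thread or of webmachine's code: it honours forwarded cert headers only from a trusted terminator address, always strips them from env so a client cannot supply its own, normalises two PEM encodings, and puts the parsed certificate in one predictable env key. The header names `X-SSL-Client-Cert`/`X-SSL-Client-Verify`, the env key `webmachine.client_cert`, the trusted proxy ranges and the self-signed test certificate are all assumptions constructed for the example.

```ruby
require 'openssl'
require 'ipaddr'
require 'cgi'

# Rack middleware (added example, not webmachine's own code). Forwarded cert headers
# count only from a known TLS terminator and are always removed from env.
class ForwardedClientCert
  CERT_HEADER   = 'HTTP_X_SSL_CLIENT_CERT'   # assumed names; the proxy config sets them
  VERIFY_HEADER = 'HTTP_X_SSL_CLIENT_VERIFY' # nginx: $ssl_client_verify is "SUCCESS"
  ENV_KEY       = 'webmachine.client_cert'   # assumed env key for the app to read
  def initialize(app, trusted_proxies:)
    @app = app
    @trusted = trusted_proxies.map { |cidr| IPAddr.new(cidr) }
  end
  def call(env)
    pem, verify = env.delete(CERT_HEADER), env.delete(VERIFY_HEADER)
    env[ENV_KEY] = nil
    if pem && verify == 'SUCCESS' && trusted?(env['REMOTE_ADDR'])
      env[ENV_KEY] = parse_pem(pem)
    end
    @app.call(env)
  end
  def trusted?(addr)
    ip = IPAddr.new(addr.to_s) rescue nil
    ip && @trusted.any? { |net| net.include?(ip) }
  end
  # nginx's $ssl_client_cert tabs every line after the first; $ssl_client_escaped_cert URL-encodes.
  def parse_pem(raw)
    OpenSSL::X509::Certificate.new(raw.include?('%') ? CGI.unescape(raw) : raw.delete("\t"))
  rescue OpenSSL::X509::CertificateError
    nil
  end
end
# Constructed self-signed cert standing in for a real client certificate.
def sample_client_pem(cn)
  key, cert = OpenSSL::PKey::RSA.new(2048), OpenSSL::X509::Certificate.new
  cert.version, cert.serial, cert.public_key = 2, 1, key.public_key
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Runs one request through the middleware; returns the cert's CN, or nil.
def client_cn(remote_addr, headers)
  app = ForwardedClientCert.new(->(env) { env[ForwardedClientCert::ENV_KEY] },
                                trusted_proxies: ['127.0.0.1/32', '10.0.0.0/8'])
  cert = app.call({ 'REMOTE_ADDR' => remote_addr }.merge(headers))
  cert && cert.subject.to_a.assoc('CN')[1]
end
```

Whatever the terminator, the resource code reads only the one env key and never the raw headers.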

@seancribbs
Member

I'm not saying don't do it, I'm just saying I've tried before and failed miserably. Please do investigate.

@nyarly
Contributor Author

nyarly commented Aug 11, 2014

Okay, cool. 👍
