使用Heroku获取相互SSL认证信息 [英] Getting Mutual SSL Authentication information with Heroku
问题描述
我正在寻找与Heroku建立相互SSL认证,第三方调用Heroku端点,而Heroku的响应取决于哪个第三方调用Heroku。我需要使用双方的SSL协议,因为第三方的安全意识非常强。
我有第三方使用证书调用Heroku(通过SSL附加组件)能够得到回应。因此,相互SSL握手似乎已经奏效。然而,我的应用程序无法确定哪个第三方调用了Heroku,因为没有要检查的证书信息。我查看了Heroku头文件,看看是否有附加信息由SSL附加提供,但找不到任何东西。
有没有办法获得证书Heroku SSL是通过使用Amazon Elastic Load Balancers(ELB)实现的,它通过Heroku的其他方法通过相互的sal握手来获得信息?
,它在Heroku的路由网格前面提供了SSL终止和你的SSL证书。
由于SSL终止并且协商的细节没有通过,所以但是,如果您的目标是使用基于证书的身份验证来验证HTTP客户端,则您无法从相互SSL握手中获取证书信息。 ,您可以在应用程序层构建它。
免责声明:我不是密码专家,您应该在创作任何加密之前咨询密码基于认证机制m。
客户端证书可用于签署可验证的令牌。通常,身份验证令牌将包含一些 user_id ,a 时间戳和大于 nonce 。您可以通过HTTP头或HTTP查询参数将此请求传递给该请求,从而在应用程序级别提供身份验证,而不是SSL级别。
例如:
#半傀儡ruby-ish伪代码
def generate_auth_token(user_id,cert_private_key)
auth_payload =#{user_id} ::#{timestamp} ::#{nonce}
token = sign(cert_private_key,auth_payload)
end
$ b def authenticate(cert_public_key,token)
user_id = extract_user_id(令牌)
valid_token = validate_signature(令牌,cert_public_key)
valid_token? user_id:无
结束
def validate_signature(cert_public_key,令牌)
#如果签名无效,则为假密钥基于密钥
#如果时间戳不是最近
#如果格式不合法,则为False
#否则为真
结束
$ / code>
I'm looking to build a mutual ssl authentication with Heroku, where a third party calls a Heroku endpoint and the response from Heroku is dependant on which third party calls Heroku. I need to use mutual ssl as the third parties are very security conscious.
I have a third party calling Heroku (via the SSL add-on) with a certificate and am able to get a response. So the mutual SSL handshake appears to have worked.
However my application is unable to determine which third party has called Heroku as there is no certificate information to examine. I've looked at the Heroku headers to see if there is additional information provided by the SSL add on, but could not find anything.
Is there a way to get certificate information from the mutual sal handshake via any other method for Heroku?
Heroku SSL is implemented using Amazon Elastic Load Balancers (ELB), which provide SSL termination with your SSL cert in front of Heroku's Routing Mesh.
Because the SSL is terminated and details of the negotiation are not passed through, there is no way for you to get certificate information from the mutual SSL handshake.
However, if your goal is to use certificate based authentication to authenticate the HTTP client, you can build that in at the application layer.
Disclaimer: I am not a cryptographer and you should consult with one before authoring any crypto-based authentication mechanism.
The client's certificate could be used to sign a token that you could verify. Usually, an authentication token would include some user_id, a timestamp and large nonce. You can pass this via an HTTP header or HTTP query parameter with the request, providing authentication at the app level, not the SSL level.
For Example:
# Half-ass ruby-ish pseudocode
def generate_auth_token(user_id, cert_private_key)
auth_payload = "#{user_id}::#{timestamp}::#{nonce}"
token = sign(cert_private_key, auth_payload)
end
def authenticate(cert_public_key, token)
user_id = extract_user_id(token)
valid_token = validate_signature(token, cert_public_key)
valid_token ? user_id : nil
end
def validate_signature(cert_public_key, token)
# False if signature isn't valid cryptographically based on key
# False if timestamp isn't recent
# False if format isn't legit
# Otherwise true
end
这篇关于使用Heroku获取相互SSL认证信息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
