Client certificates with AWS API Gateway


Question


I am trying to implement mutual authentication for the communication between aws api gateway and my server. I want to use the client side certificates that amazon offers for authentication. I know that my server is configured correctly because previously I was using a lambda function and mutual authentication was working.


I have exported the (.PEM) certificate and added it into a truststore. I have configured my Jetty server to use that truststore for authentication. I have set client-auth to :need. I know my server is set up correctly because it was working with my self-implemented mutual SSL. All I did was change the truststore. When I test my method, the gateway returns a 200: { "message": "Unknown endpoint error." }


Here is an excerpt from the server log files. It appears that the server side handshake completes, but there is an error with the client certificate.



pConnection@3a0a2e84{FILLING} server-side handshake completed
2015-09-28 13:04:29,856 DEBUG [qtp1980278840-19] o.e.j.i.ChannelEndPoint - flushed 45 SelectChannelEndPoint@2c05eeb2{ec2-xx-xxx-xxx-x.compute-1.amazonaws.com/5x.xxx.xxx.x:43942<->4000,Open,in,out,-,-,0/200000,SslConnection}{io=0,kio=0,kro=1}
2015-09-28 13:04:29,856 DEBUG [qtp1980278840-19] o.e.j.i.s.SslConnection - SslConnection@50e2de43{NOT_HANDSHAKING,eio=0/0,di=-1} -> HttpConnection@3a0a2e84{FILLING} flush exit, consumed 0
2015-09-28 13:04:29,856 DEBUG [qtp1980278840-19] o.e.j.i.s.SslConnection - SslConnection@50e2de43{NOT_HANDSHAKING,eio=0/-1,di=-1} -> HttpConnection@3a0a2e84{FILLING} unwrap Status = BUFFER_UNDERFLOW HandshakeStatus = NOT_HANDSHAKING


Accepted answer


I have solved this problem. The server logs I posted are misleading. No handshake occurs because the server certificate I was using was self-signed, not signed by a trusted CA. As of 9/28/2015, aws api gateway requires a certificate signed by a trusted certificate authority. Because my cert was self-signed, the server (and client) handshakes do not complete. Hopefully this problem will be solved in future versions.
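As an added example (not code from the question or the answer), this Go program reproduces the failure the answer describes with the standard library alone: a backend certificate signed by a CA in the client's trust store passes the chain check that a TLS client such as API Gateway performs, while a self-signed one is rejected before any client-certificate exchange can happen. The CA, the host name backend.example.com and the in-memory root pool are constructed for the demonstration; the Jetty truststore side of the mutual-TLS setup is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate for cn; a nil parent makes it self-signed, CertSign in ku makes it a CA.
func mkCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainsToTrusted is the check a TLS client such as API Gateway applies to the backend: the server cert must chain to roots for host (use x509.SystemCertPool() for the public CAs).
func ChainsToTrusted(server *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Demo contrasts a CA-signed backend certificate with a self-signed one (the answer's case).
func Demo() (caSignedOK, selfSignedOK bool) {
	ca, caKey := mkCert("Example Trusted CA", x509.KeyUsageCertSign, nil, nil)
	roots := x509.NewCertPool() // stands in for the trusted roots API Gateway ships with
	roots.AddCert(ca)
	good, _ := mkCert("backend.example.com", x509.KeyUsageDigitalSignature, ca, caKey)
	bad, _ := mkCert("backend.example.com", x509.KeyUsageDigitalSignature, nil, nil)
	return ChainsToTrusted(good, roots, "backend.example.com") == nil, ChainsToTrusted(bad, roots, "backend.example.com") == nil
}

func main() {
	fmt.Println(Demo()) // true false
}
```

Running ChainsToTrusted against a PEM-decoded copy of the real backend certificate with x509.SystemCertPool() is the quick way to tell whether the backend would pass API Gateway's check before looking at handshake logs like the ones above.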

