如何读取服务器端客户端发送的 TLS 证书?

我正在尝试使用 Curl 命令调用具有 Mutual TLS 的服务。

使用 Curl 命令:

curl -k -vvvv \
--request POST \
--header "Content-Type: application/json" \
--cert client.pem:password \
--key key.pem \
"https://test.com:8443/testing"

我试图找出以下几点:

  1. 我应该在服务器端查看哪个 HTTP 请求头,以便从 HTTP 请求中提取客户端证书?

  2. 如果我不能从 HTTP 请求中提取出服务器端的客户端证书,我可以在 HTTP 请求中添加一个自定义请求标头并将客户端证书作为该自定义标头的值发送吗?如果有人能提供这种方法的示例,那就太好了。

233652 次浏览
小开
最佳答案

A client sends a TLS certificate when mutual TLS is used.

In the mutual TLS handshake, the TLS client certificates are not sent in HTTP headers. They are transmitted by the client as part of the TLS messages exchanged during the handshake, and the server validates the client certificate during the handshake. Broadly there are two parts to the mTLS handshake, the client validates and accepts the server certificate and the server validates and accepts the client certificate.

If the client certificate is accepted, most web servers can be configured to add headers for transmitting the certificate or information contained on the certificate to the application. Environment variables are populated with certificate information in Apache and Nginx which can be used in other directives for setting headers.

As an example of this approach, the following Nginx config snippet will validate a client certificate, and then set the SSL_CLIENT_CERT header to pass the entire certificate to the application. This will only be set when then certificate was successfully validated, so the application can then parse the certificate and rely on the information it bears.

server {
listen 443 ssl;
server_name example.com;
ssl_certificate /path/to/chainedcert.pem;  # server certificate
ssl_certificate_key /path/to/key;          # server key


ssl_client_certificate /path/to/ca.pem;    # client CA
ssl_verify_client on;
proxy_set_header SSL_CLIENT_CERT $ssl_client_cert;


location / {
proxy_pass http://localhost:3000;
}
}
小开

This is how I did it:

curl -v \
--key ./admin-key.pem \
--cert ./admin.pem \
https://xxxx/api/v1/

提交答案