
Client certificates with AWS API Gateway

I am trying to implement mutual authentication for the communication between AWS API Gateway and my server. I want to use the client-side certificates that Amazon offers for authentication. I know that my server is configured correctly because previously I was using a Lambda function and mutual authentication was working.

I have exported the (.PEM) certificate and added it into a truststore. I have configured my Jetty server to use that truststore for authentication. I have set client-auth to :need. I know my server is set up correctly because it was working with my self-implemented mutual SSL. All I did was change the truststore. When I test my method, the gateway returns a 200: { "message": "Unknown endpoint error." }

Here is an excerpt from the server log files. It appears that the server side handshake completes, but there is an error with the client certificate.

pConnection@3a0a2e84{FILLING} server-side handshake completed
2015-09-28 13:04:29,856 DEBUG [qtp1980278840-19] o.e.j.i.ChannelEndPoint - flushed 45 SelectChannelEndPoint@2c05eeb2{ec2-xx-xxx-xxx-x.compute-1.amazonaws.com/5x.xxx.xxx.x:43942<->4000,Open,in,out,-,-,0/200000,SslConnection}{io=0,kio=0,kro=1}
2015-09-28 13:04:29,856 DEBUG [qtp1980278840-19] o.e.j.i.s.SslConnection - SslConnection@50e2de43{NOT_HANDSHAKING,eio=0/0,di=-1} -> HttpConnection@3a0a2e84{FILLING} flush exit, consumed 0
2015-09-28 13:04:29,856 DEBUG [qtp1980278840-19] o.e.j.i.s.SslConnection - SslConnection@50e2de43{NOT_HANDSHAKING,eio=0/-1,di=-1} -> HttpConnection@3a0a2e84{FILLING} unwrap Status = BUFFER_UNDERFLOW HandshakeStatus = NOT_HANDSHAKING

swam92 asked Sep 28 '15 17:09


1 Answer

I have solved this problem. The server logs I posted are misleading. No handshake occurs because the server certificate I was using was self-signed, not signed by a trusted CA. As of 9/28/2015, AWS API Gateway requires a certificate signed by a trusted certificate authority. Because my cert was self-signed, the server (and client) handshakes do not complete. Hopefully this problem will be solved in future versions.

swam92 answered Sep 21 '22 05:09
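A quick way to check a server certificate for the condition the answer describes (self-signed versus chaining to a CA), as an added example that is not part of the original post; it assumes the openssl CLI is installed, and the certificates it generates are constructed throwaway material, not the asker's.

```shell
#!/bin/sh
# Added example: tell a self-signed server certificate apart from one that
# chains to a CA. A gateway that insists on a trusted CA will never complete
# the handshake against a self-signed cert, whatever the server logs suggest.

# is_self_signed CERT.pem -> exit 0 when issuer equals subject.
# (Issuer == subject is the usual self-signed signature; it does not prove
# the signature verifies, so chains_to is the authoritative check.)
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# chains_to CERT.pem CA.pem -> exit 0 when CERT verifies against CA.
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed demo material (hypothetical names): a throwaway CA, a leaf
# signed by that CA, and a self-signed leaf like the one in the question.
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=api.example.test" \
        -keyout "$dir/self.key" -out "$dir/self.pem" 2>/dev/null
}

# Usage: report on every cert in a directory against a given CA bundle.
# report DIR CA.pem
report() {
    for c in "$1"/*.pem; do
        [ "$c" = "$2" ] && continue
        if is_self_signed "$c"; then kind=self-signed; else kind=CA-issued; fi
        if chains_to "$c" "$2"; then ok=trusted; else ok=NOT-trusted; fi
        echo "$c: $kind, $ok by $2"
    done
}
```

Run `make_demo_certs /tmp/demo && report /tmp/demo /tmp/demo/ca.pem` to see the two leaves classified; point `chains_to` at your real server cert and the CA bundle the gateway trusts to reproduce the failure the answer describes.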