Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Getting Mutual SSL Authentication information with Heroku

Tags:

ssl

ssl-certificate

heroku

mutual-authentication

I'm looking to build a mutual ssl authentication with Heroku, where a third party calls a Heroku endpoint and the response from Heroku is dependant on which third party calls Heroku. I need to use mutual ssl as the third parties are very security conscious.

I have a third party calling Heroku (via the SSL add-on) with a certificate and am able to get a response. So the mutual SSL handshake appears to have worked.

However my application is unable to determine which third party has called Heroku as there is no certificate information to examine. I've looked at the Heroku headers to see if there is additional information provided by the SSL add on, but could not find anything.

Is there a way to get certificate information from the mutual sal handshake via any other method for Heroku?

like image 518
Mark Sivill Avatar asked Mar 15 '13 15:03

Mark Sivill

1 Answers

Heroku SSL is implemented using Amazon Elastic Load Balancers (ELB), which provide SSL termination with your SSL cert in front of Heroku's Routing Mesh.

Because the SSL is terminated and details of the negotiation are not passed through, there is no way for you to get certificate information from the mutual SSL handshake.

However, if your goal is to use certificate based authentication to authenticate the HTTP client, you can build that in at the application layer.

Disclaimer: I am not a cryptographer and you should consult with one before authoring any crypto-based authentication mechanism.

The client's certificate could be used to sign a token that you could verify. Usually, an authentication token would include some user_id, a timestamp and large nonce. You can pass this via an HTTP header or HTTP query parameter with the request, providing authentication at the app level, not the SSL level.

For Example:

# Half-ass ruby-ish pseudocode
def generate_auth_token(user_id, cert_private_key)
  auth_payload = "#{user_id}::#{timestamp}::#{nonce}"
  token = sign(cert_private_key, auth_payload)
end

def authenticate(cert_public_key, token)
  user_id = extract_user_id(token)
  valid_token = validate_signature(token, cert_public_key)

  valid_token ? user_id : nil 
end

def validate_signature(cert_public_key, token)
  # False if signature isn't valid cryptographically based on key
  # False if timestamp isn't recent
  # False if format isn't legit
  # Otherwise true
end
like image 154
Winfield Avatar answered Nov 06 '22 12:11

Winfield
Sign in to Comment

Related questions

Can't install composer due to certificate issues
How to create keystore and truststore using self-signed certificate?
SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
SSL verification causes RCurl and httr to break - on a website that should be legit
SSLHandshakeException Trust anchor for certification path not found Android HTTPS
git clone: GnuTLS recv error (-9): A TLS packet with unexpected length was received
Fetch in react native wont work with ssl on android
Avoid sending TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher in TLS Client Hello
InvalidKeyException: Only SecretKey is supported
SSL signed certificates for internal use
Fiddler - Capture and decrypt HTTPS traffic from iPad app
What's a simple way to serve http://localhost as https://someOtherDomain?
ERR_SSL_VERSION_INTERFERENCE on Chrome
using spring-ldap with ssl
Is there a way to configure Azure blob storage to use my domain SSL certificate?
Clear ssl client certificate state from javascript in firefox 33.0.2 (removed Proprietary window.crypto)
ERR_SPDY_PROTOCOL_ERROR Ajax .net web api
javax.net.ssl.SSLPeerUnverifiedException: No peer certificate on Android 4.x and 5.x
need help understanding certificate chains
Create SSL-Socket on Android with self-signed certificate

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!