Skip to content

Add mutual TLS (client certificate) authentication for outbound HTTPS#558

Open
JakeHuneau wants to merge 1 commit into
OpenAS2:masterfrom
JakeHuneau:feature/https-client-cert-auth
Open

Add mutual TLS (client certificate) authentication for outbound HTTPS#558
JakeHuneau wants to merge 1 commit into
OpenAS2:masterfrom
JakeHuneau:feature/https-client-cert-auth

Conversation

@JakeHuneau

Copy link
Copy Markdown

Partners requiring TLS client certificate authentication on their AS2 endpoints can now be sent to by configuring these partnership attributes, with fallback to properties for a global client identity:

  • https_client_keystore: PKCS12 (or .jks) file holding the private key and certificate chain to present
  • https_client_keystore_password
  • https_client_cert_alias: optional selection of a specific key entry when the keystore holds more than one

The client key material is wired into all three SSL trust paths in HTTPUtil.buildSslFactory (system default, custom self-signed trust store and overridden SSL checks) and flows from AS2SenderModule and MDNSenderModule so messages, async MDNs and resends are all covered. Combines with existing http_user/http_password basic auth.

Tested with a client-auth-required HTTPS server using certificates generated at test runtime plus a live OpenAS2 server run verifying the certificate is presented and that sends fail without it.

Partners requiring TLS client certificate authentication on their AS2
endpoints (e.g. when migrating from Cleo Harmony) can now be sent to by
configuring these partnership attributes, with fallback to properties
for a global client identity:

- https_client_keystore: PKCS12 (or .jks) file holding the private key
  and certificate chain to present
- https_client_keystore_password
- https_client_cert_alias: optional selection of a specific key entry
  when the keystore holds more than one

The client key material is wired into all three SSL trust paths in
HTTPUtil.buildSslFactory (system default, custom self-signed trust
store and overridden SSL checks) and flows from AS2SenderModule and
MDNSenderModule so messages, async MDNs and resends are all covered.
Combines with existing http_user/http_password basic auth.

Tested with a client-auth-required HTTPS server using certificates
generated at test runtime plus a live OpenAS2 server run verifying the
certificate is presented and that sends fail without it.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant