4 Replies Latest reply on Jul 25, 2012 12:40 PM by Alexander Babichev

Access to SSL Distinguished Name information in Rhoconnect Authenticate Method

25c49980-cb2e-4113-a5a7-2f0078c85330 Jul 19, 2012 12:29 AM

Hello again,

I've got another newbie question around Rhoconnect authentication, and I'd appreciate input from anyone who can help!

I'm looking to use a client SSL certificate (and a server certificate) to secure communication between Rhoconnect client and server. To tell NGINX to check for a valid client certificate I can add the following lines to the nginx configuration....

ssl_client_certificate /etc/nginx/certs/ca.crt;

ssl_verify_client on;

So far so good. But what I want to do is make the distinguished name (dn) attribute from the certificate available to my authenticate method. Nginx makes this information available in a built-in variable. I'm not sure how to get that passed to the Rhoconnect thin instance, and to my application.rb in particular. I guess I could push it into the HTTP(s) header or something, but I'm not even really sure where/how to access that.

I've managed to find an example for doing this for PHP invoked through fastcgi - but I've not been able to figure out how to translate this to ruby/Rhoconnect. For php you'd do this (allegedly)...

fastcgi_param DN $ssl_client_s_dn;

include fastcgi_params;

It strikes me as something that could be really useful to other enterprise users, so someone must be doing it.

Many thanks

John

Re: Access to SSL Distinguished Name information in Rhoconnect Authenticate Method

Alexander Babichev Jul 19, 2012 11:45 AM (in response to 25c49980-cb2e-4113-a5a7-2f0078c85330)

Have you had a chance to look at his post:
http://projects.puppetlabs.com/projects/1/wiki/Using_Mongrel_Nginx
1 of 1 people found this helpful
Like Show 0 Likes(0)

Actions
Re: Access to SSL Distinguished Name information in Rhoconnect Authenticate Method

Alexander Babichev Jul 19, 2012 12:06 PM (in response to 25c49980-cb2e-4113-a5a7-2f0078c85330)

location / {
   proxy_pass http://thin_cluster;

   proxy_set_header    X-Real-IP $remote_addr;
   proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header    Host $http_host;
   proxy_redirect        off;

   proxy_set_header    X-Client-DN      $ssl_client_s_dn;
   proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
   proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
   proxy_read_timeout 65;
}

Is it what you want?
1 of 1 people found this helpful
Like Show 0 Likes(0)

Actions
- Re: Access to SSL Distinguished Name information in Rhoconnect Authenticate Method
  
  25c49980-cb2e-4113-a5a7-2f0078c85330 Jul 20, 2012 12:31 AM (in response to Alexander Babichev)
  
  Alex,
  
  I hadn't seen that post, so thanks for that and your following example. I had considered using the header to pass the information - I had two outstanding questions on doing that - which I'm yet to begin researching:
  
  1) How can I consume the header information inside the authenticate method?
  
  2) How can I be sure it hasn't been spoofed?
  
  When I find out, I'll report back, but if anyone's already figured that out please post.
  
  Thanks
  
  John
  
  Like Show 0 Likes(0)
  
  Actions
  - Re: Access to SSL Distinguished Name information in Rhoconnect Authenticate Method
    
    Alexander Babichev Jul 25, 2012 12:40 PM (in response to 25c49980-cb2e-4113-a5a7-2f0078c85330)
    
    On 1st question I would say that you cannot get headers inside auth method.
    
    Why do not use nginx abilities to check for SSL client certificate attributes with the if directive in nginx.conf file
    
    ...
    f ($ssl_client_s_dn !~ "O=some organization") {
    return 403;
    }
    ...
    
    Like Show 0 Likes(0)
    
    Actions

Go to original post