SSL Client certificate injection using reverse and forward proxies
Here is a little trick to connect to a server that requires a SSL Client certificate when your client does not support it.
To make it work your client must be able to use a proxy. We will use this proxy to rewrite certain servers to a reverse proxy that injects the client certificate.
Lets get to the good stuff![1]
Lets start with the forward proxy, this is what will be configured in your browser, webapp…
Listen 8080 <VirtualHost *:8080> LogLevel error ErrorLog logs/error_log-fp TransferLog logs/transfer_log-fp #RewriteLogLevel 9 #RewriteLog logs/rewrite_log-fp RewriteEngine On RewriteRule proxy:https://secure.blackdot.be/(.*) https://127.0.0.1:9901/$1 [P] RewriteRule proxy:https://repository.blackdot.be/(.*) https://127.0.0.1:9902/$1 [P] ProxyRequests On ProxyVia On <Proxy *> Order allow,deny allow from all # you may want to narrow this down to only the client's IP </Proxy> </VirtualHost>
We will filter out request for secure.blackdot.be and repository.blackdot.be, then we send the request to our reverse proxies. Other request will be passed along untouched. The proxy is listening on port 8080.
LoadModule ssl_module modules/mod_ssl.so Listen 127.0.0.1:9901 <VirtualHost 127.0.0.1:9901> LogLevel error ErrorLog logs/error_log-rp TransferLog logs/transfer_log-rp SSLProxyEngine on SSLProxyCACertificateFile conf/ssl/RP9901CA.crt SSLProxyMachineCertificateFile conf/ssl/RP9901CERT.crt SSLProxyVerifyDepth 10 SSLProxyVerify none # IP app server ProxyRequests Off ProxyPass / https://secure.blackdot.be/ ProxyPassReverse / https://secure.blackdot.be/ </VirtualHost>
The reverse proxy on port 9901 will proxy the requests to secure.blackdot.be, it will offer the client certificate stored in conf/ssl/RP9901CERT.crt.[2]
You would create a similar reverse proxy on port 9902 for repository.blackdot.be.
This should be enough to get this working, if not… your probably shouldn’t be using SSL Client Authentication.