

Client certificates with AWS API Gateway

I am trying to implement mutual authentication for the communication between aws api gateway and my server. I want to use the client side certificates that amazon offers for authentication. I know that my server is configured correctly because previously I was using a lambda function and mutual authentication was working.

I have exported the (.PEM) certificate and added it into a truststore. I have configured my Jetty server to use that truststore for authentication. I have set client-auth to :need. I know my server is set up correctly because it was working with my self-implemented mutual SSL. All I did was change the truststore. When I test my method, gateway returns a 200: { "message": "Unknown endpoint error."}

Here is an excerpt from the server log files. It appears that the server side handshake completes, but there is an error with the client certificate.

pConnection@3a0a2e84{FILLING} server-side handshake completed
2015-09-28 13:04:29,856 DEBUG [qtp1980278840-19] oejiChannelEndPoint - flushed 45 SelectChannelEndPoint@2c05eeb2{ec2-xx-xxx-xxx-x.compute-1.amazonaws.com/5x.xxx.xxx.x:43942<->4000,Open,in,out,-,-,0/200000,SslConnection}{io=0,kio=0,kro=1}
2015-09-28 13:04:29,856 DEBUG [qtp1980278840-19] oejisSslConnection - SslConnection@50e2de43{NOT_HANDSHAKING,eio=0/0,di=-1} -> HttpConnection@3a0a2e84{FILLING} flush exit, consumed 0
2015-09-28 13:04:29,856 DEBUG [qtp1980278840-19] oejisSslConnection - SslConnection@50e2de43{NOT_HANDSHAKING,eio=0/-1,di=-1} -> HttpConnection@3a0a2e84{FILLING} unwrap Status = BUFFER_UNDERFLOW HandshakeStatus = NOT_HANDSHAKING

I have solved this problem. The server logs I posted are misleading. No handshake occurs because the server certificate I was using was self-signed, not signed by a trusted CA. As of 9/28/2015, aws api gateway requires a certificate signed by a trusted certificate authority. Because my cert was self-signed, the server (and client) handshakes do not complete. Hopefully this problem will be solved in future versions.
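The answer's diagnosis can be turned into a pre-flight check. This added example is not from the question or answer and is not AWS or Jetty code: it connects the way a strict mTLS client such as API Gateway does (server chain verified against the local CA bundle, hostname checked, client certificate presented) and reports whether a failure is the self-signed-server-certificate case. The host, port and certificate paths are placeholders; the numeric verify codes are OpenSSL's standard X509 result codes.

```python
import socket
import ssl

# OpenSSL X509 verify result codes (library constants, not page-specific).
SELF_SIGNED_CODES = {18, 19}   # DEPTH_ZERO_SELF_SIGNED_CERT, SELF_SIGNED_CERT_IN_CHAIN
UNTRUSTED_CA_CODE = 20         # UNABLE_TO_GET_ISSUER_CERT_LOCALLY


def is_self_signed(cert: dict) -> bool:
    """Self-signed means issuer == subject; cert is in the dict shape
    that ssl.SSLSocket.getpeercert() returns."""
    subject = cert.get("subject")
    return subject is not None and subject == cert.get("issuer")


def explain_verify_code(code: int, message: str) -> str:
    """Map an OpenSSL verify code to the cause a practitioner must fix."""
    if code in SELF_SIGNED_CODES:
        return "self-signed server certificate: strict client aborts before client-cert auth"
    if code == UNTRUSTED_CA_CODE:
        return "server certificate's issuer is not in the client's trust store"
    return f"server certificate rejected: {message}"


def probe_server(host: str, port: int, client_cert: str, client_key: str) -> dict:
    """Connect the way a strict mTLS client does: verify the server chain
    against the system CA bundle, check the hostname, present our cert."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + hostname check
    ctx.load_cert_chain(client_cert, client_key)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # Passing with a self-signed cert means it sits in the local
                # CA bundle; a remote client has no such entry, so flag it.
                return {"ok": True, "self_signed": is_self_signed(tls.getpeercert())}
    except ssl.SSLCertVerificationError as err:
        return {"ok": False, "reason": explain_verify_code(err.verify_code, err.verify_message)}
    except ssl.SSLError as err:
        # Includes the server rejecting *our* client certificate (client-auth need).
        return {"ok": False, "reason": f"handshake failed: {err}"}
    except OSError as err:
        return {"ok": False, "reason": f"connection failed: {err}"}


if __name__ == "__main__":
    # Placeholder endpoint and certificate paths; substitute your own.
    print(probe_server("my-server.example", 4000, "apigw-client.pem", "apigw-client.key"))
```

A result of `ok: True` with `self_signed: True` means the certificate passed only because it was imported into the local trust store, which the remote gateway will not have.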
