issue with mutual ssl authentication and PEM files

[antxxxx]

There is an issue when using mutual ssl to connect to a server and the certificates and key are stored in PEM files

If you have this

server certificate signed by intermediate CA 1
client certificate signed by intermediate CA 2
intermediate CA 1 and 2 are both signed by root CA.

if you then put all three CA files in an array called ca, the private key in a variable called key and the client certificate in a variable called client_cert and try to connect to a server set up for mutual ssl using this

    var options = {
        key  : key,
        cert : client_cert,
        ca: ca,
        host: 'ssl secured host',
        port: '443',
        rejectUnauthorized: true
    };

var client = tls.connect(options, function () {...

Then it works using node, but it does not work when running node inside trieme.

However, if you put the key and client cert inside a jks file, then it does work inside trieme, but obviously does not work when running directly under node

    var options = {
        keystore: "certs/client.jks",
        passphrase: "password",
        ca: ca,
        host: 'ssl secured host',
        port: '443',
        rejectUnauthorized: true
    };

var client = tls.connect(options, function () {...

Using PEM files (and also jks file) also works if you have the following

server certificate signed by intermediate CA 1
client certificate signed by intermediate CA 1
intermediate CA 1 is signed by root CA.

[gbrail]

Thanks for tracking this down!

Let me try to create the CA certs and see if I can reproduce this...

[gbrail]

This works for me on Trireme 0.8.8. Can you LMK what version you are using or what version of Apigee Edge?

[antxxxx]

I have created an example project at https://github.com/antxxxx/mutual_ssl to illustrate the issue

If you start the server at node/server.js using node
Then try running client/http_client_CA1.js and client/http_client_CA2.js using both node and trireme (version 0.8.8) you can see that both connect correctly using node but http_client_CA2.js does not connect correctly when using trireme

[gbrail]

Thanks for creating the reproducer!

It looks like on a TLS client we are not adding the CA certs to the key store, which means that the client doesn't offer them to the server, which is why this breaks.

[gbrail]

To be clear, it's not hard to fix so stay tuned.

[gbrail]

Checked in a fix to master. Can you build it and try it out?

[antxxxx]

That has fixed it - thanks for the quick response.
Do you know when this will be released - and when it will get deployed to Apigee Edge?

[gbrail]

Can you open a case with Support? That way we can track it and make sure that we get it resolved and pushed to production.

[gbrail]

I'd like to do a new Rhino release to pick up a few bug fixes, and then a
new Trireme release. That shouldn't take too long. Then I'd need to get it
into Edge and pushed to the cloud, which takes longer to get deployed...

If you're a customer it's best to open a support request so that the
engineering team knows that this is a priority for you. Thanks!

On Mon, Jan 11, 2016 at 10:44 AM, Anthony Brown notifications@github.com
wrote:

That has fixed it - thanks for the quick response.
Do you know when this will be released - and when it will get deployed to
Apigee Edge?

—
Reply to this email directly or view it on GitHub
#140 (comment).

Greg Brail | apigee https://apigee.com/ | twitter @gbrail
http://twitter.com/gbrail @apigee https://twitter.com/apigee