Description
This PR adds support for mTLS by changing two things:
- Supplying the ca and requestCert: true parameters for the server when in use.
- Populating the event.identity.clientCert object when new requests come in.
Both of these behaviours only activate if you have an httpsProtocol directory configured in the serverless offline config, and have put a ca.pem file in it alongside the key.pem and cert.pem files.
Motivation and Context
We use mTLS in our environment with API Gateway and want a way to test this locally. Serverless Offline doesn't currently support mTLS (#1730), so we figured it'd be nice to add support for it so we can use Serverless Offline to more fully emulate our AWS setup.
How Has This Been Tested?
You'll need to create some files to test this.
Creating a Certificate Authority (CA)
Create a private key for the Certificate Authority (ca.key):
$ openssl genrsa -out ca.key 4096
Self sign it and generate the certificate to identify the certificate authority to clients (ca.pem):
Creating a Certificate for the Server (key.pem, server.csr, cert.pem):
Creating a Certificate for the Client (client.key, client.csr, client.pem):
Now you should have the following files:
Create a Node JS client passing the ca.pem, client.key and client.pem parameters as follows:
Screenshots (if appropriate):
This results in the following event being sent to the handler:
I've also tested without the ca.pem file in the directory to make sure nothing breaks / changes, and it worked fine for me.