dougmoscrop / serverless-http

Use your existing middleware framework (e.g. Express, Koa) in AWS Lambda 🎉

Is there a way to specify client certificate options for mutual TLS? #172

Open andrewm42 opened 4 years ago

andrewm42 commented 4 years ago

I am trying to convert a Node.js app that uses https to specify a certificate and authorize a request based on mutual TLS; basically, making something like the following work in AWS Lambda.

```js
const express = require('express')
const fs = require('fs')
const https = require('https')

const opts = {
  key: fs.readFileSync('server_key.pem'),
  cert: fs.readFileSync('server_cert.pem'),
  // Ask the client for a certificate, but do not drop the connection if it is
  // missing or untrusted; the route below checks req.client.authorized instead.
  requestCert: true,
  rejectUnauthorized: false,
  ca: [fs.readFileSync('server_cert.pem')]
}

const app = express()

app.get('/', (req, res) => {
  res.send('<a href="authenticate">Log in using client certificate</a>')
})

app.get('/authenticate', (req, res) => {
  // req.connection is a deprecated alias of req.socket
  const cert = req.connection.getPeerCertificate()
  if (req.client.authorized) {
    // do something with cert.subject etc.
    res.send(`Hello ${cert.subject.CN}`)
  } else {
    res.status(403).send('Client certificate required')
  }
})

https.createServer(opts, app).listen(9999)
```

Is that at all possible using this framework?

dougmoscrop commented 4 years ago

Interesting question, I don't know off hand, but would like to support it if possible.

lukeclifton commented 2 years ago

@andrewm42 Did you make any progress with this?

tehnrd commented 1 year ago

I'm curious about this too. The Lambda payload does pass the following, so I think this might be possible.

```json
"clientCert": {
  "clientCertPem": "CERT_CONTENT",
  "subjectDN": "www.example.com",
  "issuerDN": "Example issuer",
  "serialNumber": "a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1",
  "validity": {
    "notBefore": "May 28 12:30:02 2019 GMT",
    "notAfter": "Aug  5 09:36:04 2021 GMT"
  }
}
```

I'll investigate more, might do a PR if I'm feeling ambitious.
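One way to wire the `clientCert` block quoted above into the Express app from the original question, as an added example that is not serverless-http's code nor anything posted in this thread. It assumes the block lives at `requestContext.authentication.clientCert` (HTTP API v2 payload) or `requestContext.identity.clientCert` (REST API payload), and that `attachClientCert` is passed as the `request` option of `serverless(app, { request })`; the sample event is constructed from the values pasted in the thread.

```javascript
'use strict';

const MONTHS = ['Jan','Feb','Mar','Apr','May','Jun','Jul','Aug','Sep','Oct','Nov','Dec'];

// Parse the OpenSSL-style timestamp in the payload ("Aug  5 09:36:04 2021 GMT").
// Returns a Date, or null when the string is not in that shape.
function parseCertDate(s) {
  const m = /^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\d{4}) GMT$/.exec(String(s).trim());
  if (!m || MONTHS.indexOf(m[1]) === -1) return null;
  return new Date(Date.UTC(+m[6], MONTHS.indexOf(m[1]), +m[2], +m[3], +m[4], +m[5]));
}

// Locate the mTLS block in the Lambda event. Both paths are assumptions (HTTP API
// v2 and REST API payloads); the thread only shows the block itself.
function extractClientCert(event) {
  const ctx = (event && event.requestContext) || {};
  return (ctx.authentication && ctx.authentication.clientCert) ||
         (ctx.identity && ctx.identity.clientCert) || null;
}

// Meant for serverless(app, { request: attachClientCert }): exposes the cert on
// the Express request, replacing req.connection.getPeerCertificate().
function attachClientCert(req, event) {
  req.clientCert = extractClientCert(event);
}

// Stand-in for req.client.authorized. API Gateway has already validated the chain
// against the configured truststore, so only pin the issuer and check the window.
function evaluateClientCert(cert, expectedIssuerDN, now = new Date()) {
  if (!cert) return { ok: false, reason: 'no client certificate' };
  if (cert.issuerDN !== expectedIssuerDN) return { ok: false, reason: 'unexpected issuer' };
  const nb = parseCertDate(cert.validity && cert.validity.notBefore);
  const na = parseCertDate(cert.validity && cert.validity.notAfter);
  if (!nb || !na) return { ok: false, reason: 'unparseable validity' };
  if (now < nb) return { ok: false, reason: 'certificate not yet valid' };
  if (now > na) return { ok: false, reason: 'certificate expired' };
  return { ok: true, subjectDN: cert.subjectDN, serialNumber: cert.serialNumber };
}

// Express-style middleware for the /authenticate route; `now` is injectable for tests.
function requireClientCert(expectedIssuerDN, now) {
  return (req, res, next) => {
    const result = evaluateClientCert(req.clientCert, expectedIssuerDN, now);
    if (!result.ok) return res.status(403).send(result.reason);
    req.clientCertInfo = result;
    return next();
  };
}

// Constructed sample event built from the clientCert block quoted in this thread.
const SAMPLE_EVENT = { requestContext: { authentication: { clientCert: {
  clientCertPem: 'CERT_CONTENT', subjectDN: 'www.example.com', issuerDN: 'Example issuer',
  serialNumber: 'a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1',
  validity: { notBefore: 'May 28 12:30:02 2019 GMT', notAfter: 'Aug  5 09:36:04 2021 GMT' } } } } };
```

In the real handler `attachClientCert` runs once per invocation and `app.get('/authenticate', requireClientCert('Example issuer'), handler)` then sees `req.clientCertInfo`; the PEM in `clientCertPem` is available if you also need to parse extensions yourself.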