
I am working on a server to server integration and I want to know from the initiating side of an https request whether client certificate authentication was used. Ideally I want to be able to mandate that it is used, however I have no leads on how to achieve this from Java. Currently I am using the Apache Commons Http client.

As I understand from java https client certificate authentication, use of client authentication has to be initiated by the recipient of the https request and I have found nothing client side to mandate it or even to report when it has occurred.

If this behaviour is not possible, then I will probably fall back to encrypting the http payload separately from the https connection, which means double encryption, as https would still be used, and that feels somewhat clunky.

Chris K
  • I'm struggling to understand why you would need such a thing? You know *you* are the good guy, why impose the requirement upon yourself? If this was something the client decides, the adversary (client) would simply not request it. – Jiri Tousek Jan 30 '18 at 14:39
  • @JiriTousek I work for a very security conscious client, who also wants to help their clients secure their systems. Yes one can take the attitude that it is their problem; however there is the point of view that when one sees a neighbour in trouble it would be kind to help them rather than to walk past them without offering aid. – Chris K Jan 30 '18 at 16:18
  • If you think 'forcing' client auth from client side will prevent or detect MitM (e.g. Superfish, Bluecoat, etc) it won't. _Server_ can detect MitM this way, client can't. Client can only look at (apparent) server cert chain, and it can and should do that exactly the same with or without client auth. – dave_thompson_085 Jan 30 '18 at 16:24
  • @ChrisK That's not my point. I don't see how it could improve security. Client forces the server to provide its cert in order to trust it. If server needs to trust the client as well, *server* needs to force client authentication (cert or otherwise) - client requiring this doesn't make sense in my view. – Jiri Tousek Jan 30 '18 at 16:36
  • @dave_thompson_085 I was not thinking of that, although it is worth flagging so thank you – Chris K Jan 30 '18 at 17:25
  • @JiriTousek we are looking to improve confidence in our partners' security configurations by speeding up detection of misconfigured servers. The standard approaches to raise confidence are to penetration test the server before go-live and possibly at intervals after that, which, depending upon the client, may or may not ever happen. The servers in question are not under our control, and many of them are managed by people who have never heard of penetration testing, let alone how to configure client authentication correctly. Hence we are exploring ways to help. – Chris K Jan 30 '18 at 17:44
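As an added illustration of what the client side can actually observe (this is not code from the question or from either answer): plain JSSE's HttpsURLConnection exposes getLocalCertificates(), which is null when no client certificate was sent during the handshake, so a client can at least log when a partner endpoint did not request one. The partner URL and the SSLContext setup are assumptions, and HttpsURLConnection is used here instead of Apache HttpClient to keep the example self-contained.

```java
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;

public final class ClientAuthProbe {

    /** Result of one probe: was our client certificate actually sent, and to whom? */
    public record Result(boolean clientCertSent, int httpStatus, String serverSubject) {}

    /**
     * Opens an HTTPS connection with the given SSLContext (assumed to hold a client key
     * in its KeyManager) and reports whether a client certificate was sent during the
     * handshake. A null from getLocalCertificates() means the server never requested
     * one, or the KeyManager had no certificate acceptable to the server's request.
     */
    public static Result probe(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("HEAD");
        try {
            int status = conn.getResponseCode();                // forces the TLS handshake
            Certificate[] local = conn.getLocalCertificates();   // null if none were sent
            String serverSubject = ((X509Certificate) conn.getServerCertificates()[0])
                    .getSubjectX500Principal().getName();
            return new Result(local != null && local.length > 0, status, serverSubject);
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the default context picks up the client key store configured via the
        // javax.net.ssl.keyStore system properties; a KeyManagerFactory-built context works too.
        SSLContext ctx = SSLContext.getDefault();
        // Placeholder partner endpoint (assumption, not a real host).
        Result r = probe(new URL("https://partner.example/health"), ctx);
        if (!r.clientCertSent()) {
            // Detection hook: for a mutual-TLS integration, not being asked for our
            // certificate indicates a misconfigured partner endpoint worth flagging.
            System.err.println("WARNING: no client certificate presented to "
                    + r.serverSubject() + " (HTTP " + r.httpStatus() + ")");
        }
    }
}
```

This only tells you whether your own certificate was sent; as the comments above note, it says nothing about whether the path to the server is being intercepted, which the client must judge from the server's certificate chain as usual.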

2 Answers


No. It cannot be enforced from the client side, it is only enforced by the server.

The plain https (one-way) is basically checking if the server is trusted by the client; if the client trusts the server, the communication happens. But client authentication is a step further: on top of the client trusting the server, the server also tries to authenticate the user. Only if both parties are trusted by each other does the communication happen.

All of this chain-of-trust verification happens at the protocol level. You don't have to worry about how it will happen. All you have to do is set up the chain of trust right (certificate chain in the truststore).

Your concept of double encryption is not a feasible solution. The client and the server first talk to each other in plain text to see if they can communicate in a secured way (https) from here on. Once they come to terms, all of the traffic will be encrypted from there on, including your payload.

There are a few security challenges when you are encrypting the payload on the server and decrypting on the client side using your own key, like: how do you transport the key to decrypt to the client side?

always_a_rookie

Generally, the server is the one that will enforce authentication (in your case, client cert auth), but you need to make sure both sides know how to communicate in this way.

I wrote a simple client-cert authenticated Java server/client many years ago that you can take a look at here for some leads.

Srdjan Grubor