Tags: php, curl, openssl, client-certificates

Forward SSL Client certificate using php_curl
I have the following setup:

There are 2 servers that require an SSL client certificate. The certificate is used for authentication.

A user (using his browser) will do a request to Server1, with his client certificate. So far, so good. Now, what I want to do: Server1 will do a request to Server2, parse that response, and return it to the user.

Server1 does the request with php_curl. I want Server1 to pass the original client certificate (of the user) to Server2 (which will verify the user, ..). Server1 is then posting 'on behalf of' the user.

Is this possible?

Apache has ExportCertData SSLOption enabled. I already tried to add the following headers to the curl options (figuring this was about the same as Apache proxy setup with client certs):

// Apache (mod_ssl with ExportCertData) populates $_SERVER['SSL_*'];
// collect them as request headers for CURLOPT_HTTPHEADER.
$headers = [];
$headers[] = "SSL_CLIENT_S_DN: ".$_SERVER['SSL_CLIENT_S_DN'];
$headers[] = "SSL_CLIENT_I_DN: ".$_SERVER['SSL_CLIENT_I_DN'];
$headers[] = "SSL_SERVER_S_DN_OU: ".$_SERVER['SSL_SERVER_S_DN_OU'];
$headers[] = "SSL_CLIENT_VERIFY: ".$_SERVER['SSL_CLIENT_VERIFY'];
$headers[] = "SSL_CLIENT_V_START: ".$_SERVER['SSL_CLIENT_V_START'];
$headers[] = "SSL_CLIENT_V_END: ".$_SERVER['SSL_CLIENT_V_END'];
$headers[] = "SSL_CLIENT_M_VERSION: ".$_SERVER['SSL_CLIENT_M_VERSION'];
$headers[] = "SSL_CLIENT_M_SERIAL: ".$_SERVER['SSL_CLIENT_M_SERIAL'];
// SSL_CLIENT_CERT is a multi-line PEM block; a raw newline is not valid inside an HTTP header value.
$headers[] = "SSL_CLIENT_CERT: ".str_replace(["\r", "\n"], '', $_SERVER['SSL_CLIENT_CERT']);
$headers[] = "SSL_SERVER_M_VERSION: ".$_SERVER['SSL_SERVER_M_VERSION'];
$headers[] = "SSL_SERVER_I_DN: ".$_SERVER['SSL_SERVER_I_DN'];
$headers[] = "SSL_SERVER_CERT: ".str_replace(["\r", "\n"], '', $_SERVER['SSL_SERVER_CERT']);

but no luck with those.
Solution

  • You couldn't pass a request with an original client certificate unless you have that certificate with keys and such on hand. This is how SSL works.

    If you're running both of the servers you could verify the client certificate on Server1 and pass the verified information on to Server2 by means of custom headers or whichever you find suits best.

    If you're not responsible for the second server, well, no luck for you, because making MITM attacks simple was not one of the intentions of SSL's creators.
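The "verify on Server1, relay the verified identity" approach from the answer, as an added example that is not part of the question or the answer: Server1 checks Apache's verdict on the client certificate, signs the identity fields with an HMAC under a secret shared with Server2, and Server2 accepts the relayed identity only if the signature and a freshness window hold. The header names, shared secret, certificate paths and function names are assumptions.

```php
<?php
// Added example (not from the question or the answer): Server1 relays the identity
// it verified from the client certificate to Server2 in custom headers signed with
// an HMAC under a shared secret, so Server2 can reject anything Server1 did not send.
// Header names, secret, paths and function names are assumptions for illustration.
const SHARED_SECRET = 'replace-with-a-long-random-secret'; // assumed, shared out of band
const MAX_SKEW = 300; // seconds an assertion stays valid, limits replay

// Server1: build the signed assertion from Apache's SSL_* variables.
function buildAssertionHeaders(array $server, int $now): array {
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        throw new RuntimeException('client certificate not verified by Apache');
    }
    $fields = [
        'dn'     => $server['SSL_CLIENT_S_DN'],
        'issuer' => $server['SSL_CLIENT_I_DN'],
        'serial' => $server['SSL_CLIENT_M_SERIAL'],
        'ts'     => $now,
    ];
    $payload = base64_encode(json_encode($fields));
    $sig = hash_hmac('sha256', $payload, SHARED_SECRET);
    return ['X-Verified-Client: ' . $payload, 'X-Verified-Client-Sig: ' . $sig];
}

// Server1: call Server2 with those headers, authenticating as Server1 itself.
function forwardToServer2(string $url, array $headers) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);            // verify Server2's cert
    curl_setopt($ch, CURLOPT_SSLCERT, '/etc/ssl/server1.pem'); // Server1's own cert (assumed path)
    curl_setopt($ch, CURLOPT_SSLKEY, '/etc/ssl/server1.key');  // and key (assumed path)
    $body = curl_exec($ch);
    curl_close($ch);
    return $body; // false on transport error
}

// Server2: accept the identity only if the signature and timestamp check out.
function verifyAssertion(string $payload, string $sig, int $now): ?array {
    $expected = hash_hmac('sha256', $payload, SHARED_SECRET);
    if (!hash_equals($expected, $sig)) {
        return null; // forged or tampered
    }
    $fields = json_decode(base64_decode($payload, true), true);
    if (!is_array($fields) || abs($now - (int) ($fields['ts'] ?? 0)) > MAX_SKEW) {
        return null; // malformed or stale (replayed)
    }
    return $fields;
}
```

Server2 should additionally restrict the endpoint that reads these headers to requests authenticated by Server1's own certificate, so the shared secret is not the only thing standing between an outside caller and an asserted identity.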