0

I have the following issue: a browser sends a CORS request to a server, and this server requires client SSL/TLS authentication (so both server and client should exchange their certificates). The server is on a different domain than the page loaded in the client, so it requires a CORS request.

Issue 1: IE11 aborts preflight requests with two-way SSL/TLS certification.

Resolution 1: Make the request 'local' and set up an Apache proxy (with RewriteRule, but it didn't pass the client's certificate, and then with proxy pass, but it didn't pass the client's certificate either).

Issue 2: The client's certificate is not passed with rewrite rules or with proxy pass.

The question: Is there ANY way to pass the client's certificate with an Apache proxy? (Without changing the server's API at all.)

PS: I've read many threads like this one ("Apache SSL Proxy can't find client certificate?"), but I didn't find any solution (and threads like this are old).

1 Answer

2

If you have a server that uses HTTPS with client certificates, then you can't put a normal application protocol-level proxy in front of it; the best you can do is a TCP plug or port redirect.

The application server isn't going to settle for a cert in an HTTP header when it wants evidence of ownership of a private key in TLS. The TLS handshaking will need to occur between the client and the server.

1
  • Actually, I may be wrong about this. It may be possible to configure a back end to do validation on a cert passed through by the reverse proxy after all, e.g. see serverfault.com/questions/622855/… Commented Jul 26, 2016 at 22:33
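
As an added illustration of the arrangement the comment alludes to (not part of the original answer or of the linked thread): Apache terminates TLS, verifies the client certificate itself, and forwards it to the back end in a request header over a second TLS session. The hostnames, file paths and the `X-SSL-Client-Cert` header name are placeholders chosen for this sketch.

```apache
# Added example. All names and paths below are placeholders.
<VirtualHost *:443>
    ServerName proxy.example.com

    # First TLS session: the browser proves possession of its private key
    # to the proxy, not to the back end.
    SSLEngine on
    SSLCertificateFile      /etc/apache2/tls/proxy.crt
    SSLCertificateKeyFile   /etc/apache2/tls/proxy.key
    SSLCACertificateFile    /etc/apache2/tls/client-ca.pem
    SSLVerifyClient         require
    SSLVerifyDepth          2

    # "set" replaces any value the client supplied under the same name, so
    # the header always carries the certificate mod_ssl verified above.
    RequestHeader set X-SSL-Client-Cert "%{SSL_CLIENT_CERT}s"

    # Second TLS session: the proxy authenticates to the back end with its
    # own certificate and verifies the back end's certificate and name.
    SSLProxyEngine on
    SSLProxyCACertificateFile      /etc/apache2/tls/backend-ca.pem
    SSLProxyVerify                 require
    SSLProxyCheckPeerName          on
    SSLProxyMachineCertificateFile /etc/apache2/tls/proxy-client.pem

    ProxyPass        / https://backend.example.internal/
    ProxyPassReverse / https://backend.example.internal/
</VirtualHost>
```

The back end never sees proof of the browser's private key in this setup; it has to accept the header only on connections authenticated as the proxy and treat it as the proxy's assertion. That is a change on the back-end side, which is why it does not meet the question's "without changing the server" constraint.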
