Reputation: 251
Here is the scenario: There are two servers, A and B, which are in different domains. When a user visits a web page at server A, it encrypts the website using server A's certificate and returns the encrypted website to the user via HTTPS. Then the user inputs some data.
Now, I want to make an ajax call to server B (at another domain) over HTTPS to submit the data. At server B, I need to check that the ajax call really comes from server A. So, I would like to check server A's certificate (client certificate) to validate the call.
My question is: Can jQuery's ajax send server A's certificate over HTTPS so I can check it at server B?
Remark: For some reasons, the response cannot go back to server A. It must go to server B directly.
Any help would be really appreciated. Thanks!
Upvotes: 2
Views: 7326
Reputation: 7931
Now, I want to make an ajax call to server B (at another domain) over HTTPS to submit the data. At server B, I need to check that the ajax call really comes from server A. So, I would like to check server A's certificate (client certificate) to validate the call.
You can't really do this, because that's not how it works. Because your JavaScript runs in the client's browser and not on the server, the request doesn't come from server A, it comes directly from the client's computer.
Because of this, what you need to do is validate that the request came from someone who has access to the relevant resource on server A.
One way to do this is to send the response to server A, validate it, then send it on to server B, but you've said you can't do that.
Another way is to generate some token value on server A, send it to the client, and have the client send it to server B, where you can verify it.
For instance, you could have a pre-shared secret known to A and B, use that secret to generate an HMAC of the current time on server A, then on server B, verify the HMAC and check the time to ensure its age is reasonable. There are a number of different ways you could do this.
Finally, you could also simply have server B send an Access-Control-Allow-Origin header of server A's address only. This is the only way I can think of to do this without modifying server A, and it will protect you from other websites hotlinking, but it will not stop anyone from getting at the resource from server B directly outside of the context of a web browser.
Upvotes: 1
Reputation: 744
If you want to send the certificate from server A along with the ajax post/get to server B for validation, I would not bother. JavaScript, being client side, is prone to tampering, so you definitely won't want to load up your CRT or CSR into the post data.
What I would recommend doing is to check the IP the post comes from, then run a bash script on server B that checks that server's certificate using OpenSSL:
http://fdmanana.wordpress.com/2008/07/01/getting-a-servers-certificate-with-openssl/
Granted, if someone wanted to spoof their IP to server A's IP, you would have no way of knowing.
Edit: You may want to look into something like this: https://developer.mozilla.org/en-US/docs/How_to_check_the_security_state_of_an_XMLHTTPRequest_over_SSL
But keep in mind, sending over the certificate does not validate where the request is coming from since anyone at any time can download your crt and chain files.
http://www.sslshopper.com/ssl-certificate-tools.html
Upvotes: 0