swam92

Reputation: 191

Client certificates with AWS API Gateway

I am trying to implement mutual authentication for the communication between AWS API Gateway and my server. I want to use the client-side certificates that Amazon offers for authentication. I know that my server is configured correctly because previously I was using a Lambda function and mutual authentication was working.

I have exported the (.PEM) certificate and added it into a truststore. I have configured my Jetty server to use that truststore for authentication. I have set client-auth to :need. I know my server is set up correctly because it was working with my self-implemented mutual SSL. All I did was change the truststore. When I test my method, the gateway returns a 200: { "message": "Unknown endpoint error."}

Here is an excerpt from the server log files. It appears that the server-side handshake completes, but there is an error with the client certificate.

pConnection@3a0a2e84{FILLING} server-side handshake completed
2015-09-28 13:04:29,856 DEBUG [qtp1980278840-19] o.e.j.i.ChannelEndPoint - flushed 45 SelectChannelEndPoint@2c05eeb2{ec2-xx-xxx-xxx-x.compute-1.amazonaws.com/5x.xxx.xxx.x:43942<->4000,Open,in,out,-,-,0/200000,SslConnection}{io=0,kio=0,kro=1}
2015-09-28 13:04:29,856 DEBUG [qtp1980278840-19] o.e.j.i.s.SslConnection - SslConnection@50e2de43{NOT_HANDSHAKING,eio=0/0,di=-1} -> HttpConnection@3a0a2e84{FILLING} flush exit, consumed 0
2015-09-28 13:04:29,856 DEBUG [qtp1980278840-19] o.e.j.i.s.SslConnection - SslConnection@50e2de43{NOT_HANDSHAKING,eio=0/-1,di=-1} -> HttpConnection@3a0a2e84{FILLING} unwrap Status = BUFFER_UNDERFLOW HandshakeStatus = NOT_HANDSHAKING

Upvotes: 7

Views: 11934

Answers (1)

swam92

Reputation: 191

I have solved this problem. The server logs I posted are misleading. No handshake occurs because the server certificate I was using was self-signed, not signed by a trusted CA. As of 9/28/2015, AWS API Gateway requires a certificate signed by a trusted certificate authority. Because my cert was self-signed, the server (and client) handshakes do not complete. Hopefully this problem will be solved in future versions.

Upvotes: 9
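Added example, not code from the question or the answer: it rebuilds with openssl the decision a TLS client that insists on a trusted CA makes about a server certificate, which is the failure the answer describes. It shows a self-signed server certificate being rejected and a certificate issued by a CA whose root is in the client's trust store being accepted; every name, key and certificate below is constructed, and the trust store is a one-file PEM CA bundle.

```shell
#!/bin/sh
# Added example, not code from the question or answer. It rebuilds, with
# openssl, the check a TLS client that insists on a trusted CA applies to a
# server certificate. Every name, key and certificate here is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Case 1: a self-signed server certificate, as in the question.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-server" \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null

# Case 2: a constructed private CA and a server certificate it issues.
# The CA is built explicitly with basicConstraints CA:TRUE so that
# openssl verify accepts it as a trust anchor regardless of local config.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-server" \
  -keyout "$WORK/signed.key" -out "$WORK/signed.csr" 2>/dev/null
openssl x509 -req -in "$WORK/signed.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/signed.pem" 2>/dev/null

# cert_kind FILE: prints "self-signed" when issuer and subject match
# (the usual heuristic; it does not check the signature), else "ca-signed".
cert_kind() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
    echo self-signed
  else
    echo ca-signed
  fi
}

# chain_status FILE TRUSTSTORE: prints "trusted" when FILE chains to a root
# in TRUSTSTORE (a PEM CA bundle), else "untrusted". This is the decision a
# strict client makes before the handshake can complete.
chain_status() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# The self-signed cert is not in the trust store; the CA-issued one chains.
echo "self.pem:   $(cert_kind "$WORK/self.pem"),  $(chain_status "$WORK/self.pem" "$WORK/ca.pem")"
echo "signed.pem: $(cert_kind "$WORK/signed.pem"), $(chain_status "$WORK/signed.pem" "$WORK/ca.pem")"
```

Running the same `openssl verify -CAfile` check against the real server certificate, with the CA bundle the client is expected to trust, tells you before any Jetty debugging whether the handshake can succeed at all.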
