Alex Teoh

Reputation: 29

Does mTLS work when there are multiple services involved?

Suppose I have 2 services: Service A --> Service B

Service A (client) and Service B (server) are already set up to perform mTLS, where Service A attaches the client certificate through a WebRequestHandler that gets instantiated onto HttpClient. Now I would like to add a new API service into the mix, as the diagram below depicts: API Service --> Service A --> Service B

This API Service does not have a client certificate installed; it passes the request through to Service A and uses Service A's HttpClient to send the request through to Service B. This API Service also does not perform mTLS with Service A; it utilizes another form of security (which I have no control over).

Currently I am hitting an error on my new API service where the error simply says

The request was aborted: Could not create SSL/TLS secure channel.

I would like to understand more about mTLS in the sense of the following:

  1. Does utilizing mTLS mean the client certificate needs to be presented at the start of the request? (meaning I need to provide a client certificate at my new API service)
  2. What is the proper way of utilizing mTLS when working with multiple services that get chained together? Is it something like certificate pass-through?

Upvotes: 0

Views: 50

Answers (1)

Steffen Ullrich

Reputation: 123260

Client certificates authenticate the client of an mTLS connection, and only of this direct, specific mTLS connection.

Thus, if there is a direct mTLS connection between client A and server B and another between client API and server A, then a client certificate for A can be used to authenticate at B, and a client certificate for API could be used to authenticate at A.

But a client certificate for API cannot be used to authenticate against B, since there is no direct end-to-end mTLS connection between these. A also cannot use the client certificate from API against B, since A does not have the matching private key. A could terminate the connection from API, though, extract the certificate from API and pass it inside some HTTP header to B. This isn't API directly authenticating against B, though; it is still API authenticating against A. But B can use this information if it trusts A.

It is thus possible that API authenticates somehow against A, and A then authenticates with a client certificate against B, which is what you are trying to do, from my understanding of your question. That you get an error in this case is likely due to a bug in implementing this idea, which cannot be debugged without knowing the specific implementation.

Upvotes: 1
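The hop-by-hop behaviour the question asks about and the answer describes, as an added example that is not part of this thread or anyone's production code. The question's stack is .NET; this is Go, chosen because the standard library can mint the throwaway certificates and run both servers inside one process. A demo CA, a server certificate for B and a client certificate for A are constructed in memory, and the service names and the `X-Forwarded-Caller` header are assumptions made for the demo. B requires a client certificate on its own TLS hop, A authenticates to B with A's own key and merely asserts the upstream caller in a header, and a direct call from a hop that owns no client certificate fails at the TLS layer, which is the class of failure a hop sees when it cannot present an acceptable credential.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert issues an in-memory demo certificate for cn: self-signed when isCA, else signed by parent/parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on loopback
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// startServiceB runs B as an mTLS server: only clients whose certificate chains to ca get in.
func startServiceB(ca, bCert *x509.Certificate, bKey *ecdsa.PrivateKey) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		peer := r.TLS.PeerCertificates[0].Subject.CommonName // proven by mTLS on this hop only
		fmt.Fprintf(w, "mtls-peer=%s forwarded-caller=%s", peer, r.Header.Get("X-Forwarded-Caller"))
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{bCert.Raw}, PrivateKey: bKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	}
	srv.StartTLS()
	return srv
}

// clientFor builds one hop's HTTPS client toward B; a nil cert models a caller with no client certificate.
func clientFor(ca, cert *x509.Certificate, key *ecdsa.PrivateKey) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{RootCAs: pool}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// serviceAForward is what A does for the API service: it authenticates to B with A's own certificate
// (the only private key A holds) and asserts the upstream caller in a header B accepts only because it trusts A.
func serviceAForward(aClient *http.Client, bURL, caller string) (string, error) {
	req, _ := http.NewRequest("GET", bURL, nil)
	req.Header.Set("X-Forwarded-Caller", caller)
	resp, err := aClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// RunChain wires API -> A -> B, then tries API -> B directly with no client certificate, which B rejects at the TLS layer.
func RunChain() (viaA string, directErr error) {
	ca, caKey := newCert("demo-ca", true, nil, nil)
	bCert, bKey := newCert("service-b", false, ca, caKey)
	aCert, aKey := newCert("service-a", false, ca, caKey)
	b := startServiceB(ca, bCert, bKey)
	defer b.Close()
	viaA, _ = serviceAForward(clientFor(ca, aCert, aKey), b.URL, "api-service")
	_, directErr = clientFor(ca, nil, nil).Get(b.URL)
	return viaA, directErr
}

func main() {
	viaA, directErr := RunChain()
	fmt.Printf("API -> A -> B: %s\nAPI -> B without a certificate: %v\n", viaA, directErr)
}
```

What B learns from TLS is only that A connected; the `X-Forwarded-Caller` value is A's claim, not proof of the API service's identity, so B should accept that header solely from peers whose client certificate it has verified on its own hop, and A should set the header itself rather than forwarding whatever its caller sent. The same split applies to the .NET setup in the question: the HttpClient that A uses toward B must carry A's certificate and key, and the API service needs no certificate for B at all.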
