Cowboy mTLS allowing us to verify client certificates

samfrench · June 2, 2022, 11:18am

We are using Cowboy with a HTTPS listener and would like to do mTLS. We have a similar setup using nginx in another application and specify a certificate file (ssl_client_certificate) which allows us to verify client certificates. We also specify another certificate file (ssl_certificate) to allow clients to verify the server.

Is it possible in Cowboy to specify these two certificates? We can have one for the clients to verify the server but not too sure on how we can verify client certificates. I only see one “certfile” property in the configuration.

Our configuration is similar to this:

[
  certfile: "/path/to/cert.crt",
  keyfile: "/path/to/key.key",
  cacertfile: "/path/to/cacert.crt",
  verify: :verify_peer,
  depth: 3
]

We would like to be able to verify client certificates while allowing the server to present a different certificate to clients for them to trust the server.

There might be documentation for how we can do this but I have not seen anything specifically for this setup or comparable to nginx. Any help with how we can achieve this is appreciated.

moogle19 · June 2, 2022, 12:18pm

You should take a look at Erlang -- ssl
When you specify cacertfile / cacerts on the server-side, these are normally used to verify the client certificate.

LostKobrakai · June 2, 2022, 12:43pm

That’s the documentation for ranch, which is the library cowboy uses underneight.
https://ninenines.eu/docs/en/ranch/2.1/guide/ssl_auth/

voltone · June 2, 2022, 12:56pm

Keep in mind that the cacerts and cacertfile options serve two roles when doing mTLS: they are used to specify the trust store used when verifying the other party’s certificate, and also to look up any intermediates that may need to be included in the ‘chain’ that is sent for the local party’s certificate.

So on a server, the CA certs would have to include the server certificate’s intermediates and the trusted CA that issued the client certs. And on the client, CA certs should include the usual CA trust store (or the specific one that issued the server’s cert, if you want to pin it that way) and any intermediates that should be sent with the client certificate.

In recent OTP versions you can, as an alternative approach, set certs to a list containing the local endpoint’s certificate and intermediates, and in that case cacerts would only have to contain the trust store.

samfrench · June 2, 2022, 3:19pm

Thank you for this. I think I have got further as don’t get an invalid security warning now - due to the certificate configuration not being correct.

I am currently getting an unknown CA but think this is due to the self signed certificates.

curl: (35) error:1401E418:SSL routines:CONNECT_CR_FINISHED:tlsv1 alert unknown ca

I have included all CAs in the “cacerts” property in a list reading them in.

"path/to/ca" |> File.read!() |> X509.Certificate.from_pem!() |> X509.Certificate.to_der()

I assume it will be the certificates I am using and need to add others into the list. I was wondering if there was anything else due to it being self signed but it seems unlikely.

samfrench · June 2, 2022, 4:06pm

I found using “partial_chain” and having a function to return a trusted CA solves this. I think I have got there now. Thank you for the help.

tj0 · June 3, 2022, 5:35am

Can you post your solution for future generations?

edit: relevant xkcd - xkcd: Wisdom of the Ancients

samfrench · June 7, 2022, 4:27pm

The solution that worked is here:

defmodule Router.Https do

  def config() do
    [
      certfile: "cert_file",
      keyfile: "key_file",
      cacertfile: "cacert_file",
      cacerts: cacerts(),
      verify: :verify_peer,
      partial_chain: &partial_chain(cacerts(), &1),
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ],
      secure_renegotiate: true,
      reuse_sessions: false,
      fail_if_no_peer_cert: true
    ]
  end

  defp cacerts() do
    "ca_client_certs_file" |> File.read() |> X509.Certificate.from_pem!() |> X509.Certificate.to_der()
  end

  def partial_chain(cacerts, certs) do
    certs = Enum.map(certs, &{&1, :public_key.pkix_decode_cert(&1, :otp)})
    cacerts = Enum.map(cacerts, &:public_key.pkix_decode_cert(&1, :otp))

    trusted =
      Enum.find_value(certs, fn {der, cert} ->
        trusted? =
          Enum.find(cacerts, fn cacert ->
            extract_public_key_info(cacert) == extract_public_key_info(cert)
          end)

        if trusted?, do: der
      end)

    if trusted do
      {:trusted_ca, trusted}
    else
      :unknown_ca
    end
  end

  defp extract_public_key_info(cert) do
    cert
    |> X509.Certificate.subject()
  end
end