Plug get certificate information

Hey people,

I want to ask if there is a way to get the certification information when processing the request with Plug? I am trying to see if it’s possible to build something like described here: https://medium.com/@sevcsik/authentication-using-https-client-certificates-3c9d270e8326.

However, as far as I can see there is no easy way to get a peer certificate. Could someone please advise if this can be done?

You are looking for the Plug.Conn.get_peer_data/1 function.

Note that it works only if your Phoenix server is the TLS endpoint. Otherwise, if the TLS endpoint is a proxy, the typical approach is to send the certificate information from the proxy to the backend in HTTP headers (but the proxy has to strip them before processing the request, otherwise anyone can inject any value in these headers).

Also I’ve implemented mTLS from RFC8705 here: APIacAuthMTLS.

3 Likes
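As an added illustration of the `Plug.Conn.get_peer_data/1` approach (this is example code, not from the thread or from APIacAuthMTLS; the module name, the `:client_cert_subject` assign and the endpoint option values are assumptions), a plug that requires a client certificate on the TLS connection Phoenix itself terminates and exposes the certificate's subject to later plugs:

```elixir
defmodule MyApp.Plug.RequireClientCert do
  # Assumption: the Phoenix endpoint terminates TLS itself with
  #   https: [..., verify: :verify_peer, cacertfile: "priv/client_ca.pem",
  #           fail_if_no_peer_cert: false]
  # Without :verify_peer the server never asks for a certificate and
  # get_peer_data/1 returns ssl_cert: nil even when the client has one.
  @behaviour Plug
  import Plug.Conn
  require Record

  # Erlang records for the decoded certificate (from OTP's public_key).
  Record.defrecordp(
    :otp_cert, :OTPCertificate,
    Record.extract(:OTPCertificate, from_lib: "public_key/include/public_key.hrl")
  )
  Record.defrecordp(
    :tbs_cert, :OTPTBSCertificate,
    Record.extract(:OTPTBSCertificate, from_lib: "public_key/include/public_key.hrl")
  )

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    case get_peer_data(conn) do
      # The DER-encoded certificate is only present when the TLS handshake
      # actually carried one and the endpoint verified it against the CA.
      %{ssl_cert: der} when is_binary(der) ->
        assign(conn, :client_cert_subject, subject_of(der))

      _ ->
        conn
        |> send_resp(401, "client certificate required")
        |> halt()
    end
  end

  # Decode the DER certificate and return its subject name as the
  # {:rdnSequence, [...]} term that :public_key produces.
  defp subject_of(der) do
    der
    |> :public_key.pkix_decode_cert(:otp)
    |> otp_cert(:tbsCertificate)
    |> tbs_cert(:subject)
  end
end
```

Because this relies on the certificate from the TLS handshake rather than on a request header, it is not affected by header injection; the header-stripping concern above only applies when a proxy in front of Phoenix terminates TLS.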

That’s exactly what I am looking for. And regarding your lib. Will it work without Phoenix?

Yep it just depends on Plug.

But pay attention to the fact that, following the RFC, it requires:

  • an application/x-www-form-urlencoded body
  • a client_id parameter in it which is used to determine which certificate value (DN for instance) is accepted for this client

It was implemented mainly for OAuth2 conformance, so it may not suit your needs.

Also note that as far as I know it hasn’t been reviewed by someone else with a security + Elixir background.

1 Like