3.2.3. Procedure – Transferring certificate information in one-sided HTTPS

Purpose: 

Client authentication in HTTPS is sometimes based on inspecting the certificate of the client. When Zorp is protecting the server, keybridging can be used to transfer the information from the client certificate to the server. However, in one-sided SSL connections (for example, if the communication between Zorp and the server is not encrypted), the server does not receive an SSL certificate, therefore user authentication must use another method. A simple solution to this problem is as follows:

Zorp requests a certificate from the client the usual way, extracts the required information from the client certificate, then inserts this information into an HTTP header. The server then authenticates the user based on the information received in the HTTP header. To accomplish this, create a special HttpProxy using the Class editor.

Steps: 

  1. Navigate to the Zorp ZMC component, and click on the Class editor icon in the menu bar.

  2. Click New, then select the General tab.

  3. Enter a name for the class (for example, HttpsCertProxy).

  4. Select Parent class > OnesidedHttpsProxy.

  5. Select Class type > proxy.

  6. Type or paste the following Python code. Based on these settings, the header of the proxy class will be generated automatically into the Source code field. You have to type the remaining part manually, or paste it from this document.

    Warning

    The source code has to confirm to the syntax requirements of the Python language. Handle indentation with great care, since in Python indentation forms the blocks of code that are on the same level (many other languages use brackets for this purpose, for example, C uses curly brackets).

    Python:

    def config(self):
        OnesidedHttpsProxy.config(self)
            self.request_header["X-User-Certificate"]=\
            (HTTP_HDR_INSERT, self.tls.client_peer_certificate.subject)
  7. Click OK and Close.

  8. Create a service that will use this new proxy (for example, HttpsCertProxy), or modify an existing one.