Two way SSL handshake against domain cert only

For a two-way SSL handshake on a VHost (consumer side), Apigee validates the entire chain. If the full chain is not installed in the corresponding truststore, the handshake will fail.

Is there any way we can restrict Apigee to validating only the domain certificate instead of checking the full chain?

We have a requirement where we want to install only the domain certificate in the truststore instead of the entire chain.


For a two-way SSL handshake on a VHost (consumer side), Apigee validates the entire chain. If the full chain is not installed in the corresponding truststore, the handshake will fail.

I think this is not correct.

One misconfiguration I see in TLS is that a peer, often a client, sends only its own certificate and not its full chain during the TLS handshake. For the rest of this discussion, let's say that this is a client that sends an "incomplete certificate chain". This often happens when the keystore for the TLS peer is misconfigured. Here's a stackoverflow answer that explains it from the point of view of a Java client. The principle is the same for other client platforms or frameworks.

If the client sends an incomplete cert chain, then Apigee (or any receiving peer) cannot verify the remote peer's certificate if only the root certificate is in the truststore. Conversely, if you add the peer's full certificate chain into the truststore, then Apigee will allow the inbound request that carries an incomplete certificate chain.

The way to avoid the problem is to change the client so that it sends the full certificate chain during the TLS handshake. When the client does this, Apigee (and any TLS-compliant peer) will validate the inbound request using only a root certificate in the truststore.

Thanks Dino,

Maybe I was not clear; my question is about the Apigee truststore. Assuming the client is sending a full, valid chain: if I have only the domain cert of the client/TLS peer (no intermediate or root) in the Apigee truststore, will the SSL handshake work? Or is it mandatory to have the intermediate and root in the Apigee truststore as well?

If it's not mandatory, then how do I configure it so that it validates against the client's/TLS peer's domain certificate only? It should allow the handshake even if only the client's/TLS peer's domain certificate is installed in the Apigee truststore.

I'm sorry, I misunderstood the question.

If I have only the domain cert of the client/TLS peer (no intermediate or root), will the SSL handshake work?

Yes, if the client sends the full chain (as it should).

Or is it mandatory to have the intermediate and root in the Apigee truststore as well?

No.

How do I configure it so that it validates against the client's/TLS peer's domain certificate only? It should allow the handshake even if only the client's/TLS peer's domain certificate is installed in the Apigee truststore.

I don't think I understand this part of your question. The TLS certificate validation in Apigee works the same way TLS cert validation works in any TLS-compliant system.

The client is expected to present its cert chain, down to the root CA. Then Apigee looks in the truststore and tries to verify the chain. I don't know what a "domain certificate" is with respect to a TLS peer.

The client in this case has a certificate that identifies it. Maybe that is what you mean by "domain certificate." I think you want Apigee to treat the peer certificate as valid even if you don't have its root CA in the truststore, and I think that's a wrong thing to try to do. A Bad Idea. I'm not sure it's possible, but I am sure you should not do that. And I don't want to help you explore doing that.

Good luck!

@Dino,

I saw you specified that only the client certificate will work if the user sends the full certificate chain in the request. Can you help with a little more information on the full chain certificate? What should the sequence of the certificates be, and is a newline required or not? Thanks...
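As an added example (not from this thread, and not Apigee's code), the "incomplete chain" situation Dino describes and the chain layout asked about above, replayed with openssl: a constructed root > intermediate > client chain, verified with only the root trusted, first with the client presenting just its own certificate and then with the full chain. It assumes openssl 1.1.1 or newer on PATH, and uses openssl's -partial_chain flag as that tool's way of trusting a non-root certificate directly; that is a statement about openssl's verifier, not about Apigee's truststore.

```shell
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# Minimal req config so the example does not depend on the system openssl.cnf;
# v3_ca marks a certificate as a CA, which the chain builder requires.
printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\n' > req.cnf
printf 'basicConstraints = critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints = CA:FALSE\n' > ee.ext

# Root CA (constructed, self-signed).
openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Example Root CA" -days 2 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout inter.key \
  -out inter.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.pem 2>/dev/null

# Client ("domain") certificate, signed by the intermediate.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout client.key \
  -out client.csr -subj "/CN=client.example" 2>/dev/null
openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key \
  -CAcreateserial -days 2 -extfile ee.ext -out client.pem 2>/dev/null

# The chain a client should present: its own certificate first, then each
# issuer in order, stopping before the root. Each PEM file ends with a
# newline, so plain concatenation yields one BEGIN/END block after another.
cat client.pem inter.pem > fullchain.pem

# check_peer TRUSTSTORE PRESENTED [extra openssl verify flags]
# Verifies client.pem as a TLS server would: TRUSTSTORE is what the server
# trusts, PRESENTED is what the client sent (treated as untrusted input).
check_peer() {
  ts=$1; presented=$2; shift 2
  if openssl verify "$@" -CAfile "$ts" -untrusted "$presented" client.pem \
      >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Root trusted, client sends only its own cert: the issuer cannot be found.
echo "incomplete chain, root trusted: $(check_peer root.pem client.pem)"
# Root trusted, client sends the full chain: verifies.
echo "full chain, root trusted:       $(check_peer root.pem fullchain.pem)"
# Only the client cert trusted (the thread's question): openssl by default
# still wants a self-signed anchor; -partial_chain pins that one certificate.
echo "full chain, leaf trusted:       $(check_peer client.pem fullchain.pem)"
echo "same with -partial_chain:       $(check_peer client.pem fullchain.pem -partial_chain)"
```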