Layer7 API Management

  • 1.  Certificate attributes from HTTPS Session

    Posted May 26, 2022 04:31 AM
    Hi,

    I am trying to automate a certificate pinning process that is consumed by another system.
    The Gateway currently provides a "Known Good" public key hash which the client-in-the-wild validates against the server certificate that they actually received when establishing an HTTPS connection back to base.
    This public key hash is currently in a Gateway cluster property, so it needs to be manually updated if the server certificate changes.

    I first looked into whether we could use a scheduled task that would:
    - Use a routing statement to send an HTTPS request to the server host (over a trusted connection)
    - Extract certificate attributes from the server certificate received over that HTTPS connection
    - Update the cluster property if it has changed

    But this doesn't seem to be possible, unless I am missing something.

    Turning it around, another approach would be to try and automate importing the server certificate into the Gateway trust store when it is updated.

    Regards,
    Dave V.


  • 2.  RE: Certificate attributes from HTTPS Session

    Broadcom Employee
    Posted May 27, 2022 02:55 PM
    Unfortunately the downstream certificate is not available to policy, so this can't be done easily with a pure policy-based solution in the Gateway. I suspect some command-line tool like s_client or curl could probably get the certificate from the route and then post that to Restman to update the cluster-wide property.

    What attributes are you extracting to use in the cluster-wide property?

    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------



  • 3.  RE: Certificate attributes from HTTPS Session

    Posted Jun 09, 2022 02:26 AM

    To facilitate "self healing" I have created an external REST service which accepts the route host as a parameter. It is a small Python API using OpenSSL that returns a JSON object with all the required fields I need. This is a low-usage API as it only gets called on certificate failure.

    from OpenSSL import SSL, crypto
    import certifi, idna

    Place your route into an "At least one" assertion followed by an "All" assertion that stores ${audit.details.last.fulltext}.

    This is the only way I could capture the actual error of why the route failed.

    Then check for the SSL failure, i.e. whether the reasonCode was -5.

    Then follow that by a process to call the external API, get the certificate payload and install it via Restman.
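    The post above describes a small external service that fetches the server certificate for a route host and returns the fields needed to refresh the pin. The following is an added example, not Dave's service and not Layer7 product code, using only the Python standard library (no pyOpenSSL). It fetches the leaf certificate over a chain-validated TLS connection, extracts the SubjectPublicKeyInfo and computes the SHA-256 SPKI pin in the usual base64 form, alongside the serial and validity dates. Because there is no network during a test, it also builds a constructed, unsigned sample certificate purely to exercise the parser; that sample, its serial and dates, and the function names are all assumptions of this example. The DER walker handles only the tag layout real X.509 certificates use (single-byte tags), which is all it needs here.

```python
import base64
import hashlib
import socket
import ssl


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]. Returns (tag, value_start, value_end, next_pos).
    X.509 uses single-byte tags only, so multi-byte tags are not handled."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _tlvs(buf):
    """Split buf into its top-level TLVs as (tag, whole_tlv_bytes, value_bytes)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, vs, ve, nxt = _read_tlv(buf, pos)
        out.append((tag, buf[pos:nxt], buf[vs:ve]))
        pos = nxt
    return out


def spki_pin(spki_der):
    """Public-key pin as clients usually compute it: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def cert_attributes(cert_der):
    """Extract the fields a pin-refresh job needs from a DER certificate.
    TBSCertificate order: [0] version (optional), serial, sigAlg, issuer, validity, subject, SPKI."""
    outer = _tlvs(cert_der)
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    tbs_tag, _, tbs_val = _tlvs(outer[0][2])[0]
    if tbs_tag != 0x30:
        raise ValueError("TBSCertificate missing")
    fields = _tlvs(tbs_val)
    if fields[0][0] == 0xA0:               # explicit [0] version is optional (absent for v1)
        fields = fields[1:]
    not_before, not_after = [v.decode("ascii") for _, _, v in _tlvs(fields[3][2])]
    return {
        "serial": int.from_bytes(fields[0][2], "big", signed=True),
        "not_before": not_before,
        "not_after": not_after,
        "spki_sha256": spki_pin(fields[5][1]),          # pin the key, not the cert: survives renewals
        "cert_sha256": hashlib.sha256(cert_der).hexdigest(),
    }


def pin_matches(cert_der, known_pins):
    """What the client-in-the-wild does: is the received leaf's SPKI pin in the known-good set?"""
    return cert_attributes(cert_der)["spki_sha256"] in set(known_pins)


def fetch_server_cert_der(host, port=443, timeout=10):
    """Fetch the leaf certificate over a verified TLS handshake. The default context checks the
    chain and hostname against the system CA store; never pin a cert taken from an unverified
    connection, or an attacker in the path gets to choose the pin."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# ---- constructed sample input (assumption: not a real certificate, unsigned, dummy key) ----
def _der(tag, body):
    """Minimal DER encoder used only to build the sample certificate below."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else (lambda lb: bytes([0x80 | len(lb)]) + lb)(
        n.to_bytes((n.bit_length() + 7) // 8, "big"))
    return bytes([tag]) + ln + body


_RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
_SHA256_RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
SAMPLE_SPKI = _der(0x30, _der(0x30, _RSA_OID + _der(0x05, b""))
                   + _der(0x03, b"\x00" + bytes(range(1, 33))))     # placeholder key bits


def build_sample_cert(spki=SAMPLE_SPKI, serial=0x1234):
    """Constructed v3 certificate skeleton with empty names and a zeroed signature."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))
               + _der(0x02, serial.to_bytes(2, "big"))
               + _der(0x30, _SHA256_RSA_OID + _der(0x05, b""))
               + _der(0x30, b"")
               + _der(0x30, _der(0x17, b"220101000000Z") + _der(0x17, b"230101000000Z"))
               + _der(0x30, b"")
               + spki)
    return _der(0x30, tbs + _der(0x30, _SHA256_RSA_OID + _der(0x05, b""))
                + _der(0x03, b"\x00" + bytes(64)))


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_server_cert_der(host) for a live route.
    print(cert_attributes(build_sample_cert()))
```

    Wiring this into the thread's flow: the Gateway calls the service with the route host on a reasonCode -5 failure, the service returns this dictionary, and the policy pushes `spki_sha256` to the cluster property via Restman. Pinning the SPKI hash rather than the certificate fingerprint means a renewal that keeps the same key pair does not trigger a refresh at all.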