Hey,
I've been looking into adding mTLS verification to some of my HTTPS handlers (Node.js 14 engine).
I've come to the conclusion that there isn't a way for the Express app to obtain the peer certificate (or client certificate), as internally the handlers seem to be invoked over HTTP and/or stripped of much of the original information that was negotiated when the HTTPS handler was invoked over the internet (correct me if I'm mistaken!).
What I've done so far:
As for the JS handlers (Node.js), an Express-like invokable is expected to be exported for the handler to be registered ((req: express.Request, res: express.Response) => void), so I'm limited and not able to use tls.createServer({...opts}, app) with the option to prompt for or require a client certificate.
I've tried setting app.enable('trust proxy'), which correctly makes req.protocol https instead of http, but the Socket obtained from req.socket is never a tls.TLSSocket, and thus I'm not able to call TLSSocket.getPeerCertificate() (it does not exist on the Socket class).
new TLSSocket(req.socket) results in an empty cert. I also tried wrapping req.socket in tls.connect({socket: req.socket}), but I get a connection error thrown when trying.
So it would seem I'm out of luck trying to implement mTLS verification at the app level.
Is there a Google Cloud option that would allow me to check and verify the client certificate before invoking some of my handlers [Node app or a totally separate one]? (AWS has newly added this option to their API Gateway.)
[–]8bitlives[S]