HTTPS bidirectional authentication to build mobile device security system

HTTPS bidirectional authentication to build mobile device security system

For enterprise projects with high security requirements, we sometimes want to be able to authenticate clients. At this point we can use the two-way authentication mechanism of HTTPS to implement this function.

One-way authentication: Ensure that the server is true and that the channel is secure (symmetric key);
Two-way authentication: To ensure that the client and server are true, the channel is secure (symmetric key);

To implement such a complete security system, a CA or OpenSSL self-built CA is required to manage the signing of client certificates. As the project requirements scenario may be, a front-end Web site dedicated to the issuance of certificates, e-mail to download the client certificate mail to the mobile side, the user clicks the link in the Mail download certificate, one-time valid, unable to repeat the download.

Mobile apps can continue to log in using the account, the server will verify the relationship between the account and the client certificate, so that the user account and device binding, user account can only be installed on the user's client certificate of the mobile side login.

The technical details here are Nginx's request for authentication through the client certificate, which add_header the client certificate information into the backend. The server verifies that the user-client certificate correspondence is correct before processing the request.

Nginx is set ssl_client_certificate to your CA certificate path, so Nginx will only receive client certificates that have been issued.

Enabled ssl_verify_client，则开启双向认证 .

There are some variables in nginx that can be used $ssl_client_cert (full certificate), (the $ssl_client_s_dn subject name of the client certificate), $ssl_client_serial (the serial number your CA has issued-their certificate) $ssl_client_verify (which you should check for SUCCESS) . We're all over. Add_header can take these variables to the backend server for processing

HTTPS bidirectional authentication to build mobile device security system