Nginx, SSL bidirectional authentication, PHP, SOAP, Webservice, HTTPS

Source: Internet
Author: User

This article covers the 1:1 mode; for the N:1 mode see the newer post "SSL bidirectional authentication (HD version)".


The title is too long and I don't know where to start, so I simply listed the keywords~

WebService's WS-* never took off, and it seems PHP has all but abandoned the SOAP protocol; I searched Google exhaustively and found no reliable solution.

Our partners did not want to implement the encryption, decryption and signing themselves, so there was no choice but to go to HTTPS and push this piece from the application layer down to the transport layer.

However, data security in communication has several parts: confidentiality, tamper resistance and non-repudiation.

A traditional HTTPS call only encrypts the data: it solves confidentiality and tamper resistance, but not authentication of the client, which is what non-repudiation requires.

Therefore SSL two-way (mutual) authentication, with two sets of certificates, is required.

Current nginx supports SSL bidirectional authentication well, and the configuration is simple:

    ......
    listen 443;
    server_name test.com;
    ssl on;                              # deprecated since nginx 1.15; newer versions use "listen 443 ssl;"
    ssl_certificate server.crt;          # server-side certificate (public key)
    ssl_certificate_key server.key;      # server-side private key
    ssl_client_certificate client.crt;   # trusted client-side certificate (public key)
    ssl_session_timeout 5m;
    ssl_verify_client on;                # turn on client verification
    ......

In other words, on top of a regular HTTPS configuration, the client-side public key is added and client verification is turned on. (For more configuration options see the nginx official documentation: http://wiki.nginx.org/HttpSslModule#ssl)

Once the server is configured, the original WSDL address must be accessed via HTTPS, and the client must present its certificate when accessing it.

Test with curl first; the relevant parameters:

    ......
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);   // trust any certificate (test only; in production verify the server with CURLOPT_CAINFO)
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);       // do not check the domain name in the certificate
    curl_setopt($ch, CURLOPT_VERBOSE, '1');            // development mode, shows the handshake information
    curl_setopt($ch, CURLOPT_SSLCERT, 'client.crt');   // client certificate
    curl_setopt($ch, CURLOPT_SSLCERTPASSWD, '123456'); // client certificate password
    curl_setopt($ch, CURLOPT_SSLKEY, 'client.key');    // client private key
    curl_setopt($ch, CURLOPT_POST, false);             // must not use POST (the WSDL is fetched with GET)
    ......

I am using the NuSOAP implementation for the WebService server (see "Do you like soap? I don't like it anyway!" for details); you will see that the interface address bound in the WSDL is already the port 443 address.

For the actual SOAP calls, PHP's built-in SoapClient is used; just set the following options:

    ......
    $local_cert = "client.pem";        // PEM containing the certificate and key contents
    $header = array(
        'local_cert' => $local_cert,   // client certificate information
        'passphrase' => '123456'       // password
    );
    $client = new SoapClient($wsdl, $header);

One thing to note: client.pem must contain both the certificate and the private key, as follows:

    -----BEGIN CERTIFICATE-----
    Miicdtccad4c ...
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    MIICXQIBAAKB ...
    -----END RSA PRIVATE KEY-----
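A quick way to confirm that a bundle like the one above is usable before handing it to SoapClient or curl is to check that both blocks are present, that the key unlocks with the passphrase, and that the key actually belongs to the certificate. The following is an added example written for this article, not code from the original post; the file name and passphrase are assumptions.

```php
<?php
// Added example (not from the original post): sanity-check a client PEM
// bundle before using it for mutual TLS. File name and passphrase in the
// usage call below are assumptions for illustration.

function checkClientPem(string $pemPath, string $passphrase): array
{
    $pem = file_get_contents($pemPath);
    if ($pem === false) {
        return ['ok' => false, 'error' => "cannot read $pemPath"];
    }

    // Both blocks must be present; otherwise the TLS handshake fails with an
    // opaque SSL error when the server asks for the client certificate.
    $hasCert = strpos($pem, '-----BEGIN CERTIFICATE-----') !== false;
    $hasKey  = preg_match('/-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----/', $pem) === 1;
    if (!$hasCert || !$hasKey) {
        return ['ok' => false, 'error' => 'PEM must contain a CERTIFICATE and a PRIVATE KEY block'];
    }

    // PEM readers skip blocks of the wrong type, so the combined file can be
    // passed to both the certificate and the key loader.
    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        return ['ok' => false, 'error' => 'certificate block is not parseable'];
    }
    $key = openssl_pkey_get_private($pem, $passphrase);
    if ($key === false) {
        return ['ok' => false, 'error' => 'private key cannot be loaded (wrong passphrase?)'];
    }

    // The key must belong to the certificate, or the handshake is rejected.
    if (!openssl_x509_check_private_key($cert, $key)) {
        return ['ok' => false, 'error' => 'private key does not match certificate'];
    }

    $info    = openssl_x509_parse($cert);
    $expired = $info['validTo_time_t'] < time();
    return [
        'ok'      => !$expired,
        'error'   => $expired ? 'certificate has expired' : null,
        'subject' => $info['subject']['CN'] ?? '',
        'issuer'  => $info['issuer']['CN'] ?? '',
        'expires' => date('Y-m-d', $info['validTo_time_t']),
    ];
}

// Usage (path and passphrase are assumptions):
print_r(checkClientPem('client.pem', '123456'));
```

Run it once after assembling client.pem; a mismatched key or a wrong passphrase shows up here as a readable message instead of a bare SSL error from the SOAP call.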

At this point you will still see the following error message:

    SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://test.com/soap_test.php?wsdl' : Premature end of data in tag html line 1

On Google I found someone who had run into the same thing, and the result was what I expected: when SoapClient fetches the WSDL for the first time, the certificate information is not used at all! Fetch it with curl, save it to a local file and use that file for the call, and everything is OK~
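Putting the curl test from earlier and this workaround together: the WSDL is fetched over mutual TLS with curl, cached locally, and SoapClient is then built from the cached copy so that the SOAP calls themselves present the client certificate. This is an added example written for this article, not the original post's code; it differs from the test snippet in that it verifies the server certificate against a CA file instead of trusting any certificate. The URL, file names, the CA file and the passphrase are assumptions.

```php
<?php
// Added example (not the original post's code). All URLs, file names and
// the passphrase are assumptions for illustration.

function fetchWsdlWithClientCert(
    string $wsdlUrl,
    string $clientPem,
    string $passphrase,
    string $caFile,
    string $cacheFile
): bool {
    $ch = curl_init($wsdlUrl);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPGET        => true,       // the WSDL must be fetched with GET, not POST
        // Unlike the test snippet, verify the server: trust only the CA that
        // signed server.crt rather than any certificate.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caFile,
        // Client certificate and key live in the same PEM bundle.
        CURLOPT_SSLCERT        => $clientPem,
        CURLOPT_SSLKEY         => $clientPem,
        CURLOPT_SSLCERTPASSWD  => $passphrase,
        CURLOPT_SSLKEYPASSWD   => $passphrase,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $err    = curl_error($ch);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        fwrite(STDERR, "WSDL fetch failed: HTTP $status $err\n");
        return false;
    }
    // When the client certificate is missing, nginx answers with an HTML error
    // page (the "Premature end of data in tag html" seen above); only cache
    // a real WSDL document.
    if (preg_match('/<(\w+:)?definitions\b/i', $body) !== 1) {
        fwrite(STDERR, "response is not a WSDL document\n");
        return false;
    }
    return file_put_contents($cacheFile, $body) !== false;
}

function buildSoapClient(string $cacheFile, string $clientPem, string $passphrase, string $caFile): SoapClient
{
    // The stream context governs the HTTPS calls to the endpoint named inside
    // the WSDL; local_cert/passphrase supply the client certificate for them.
    $context = stream_context_create([
        'ssl' => [
            'verify_peer'      => true,
            'verify_peer_name' => true,
            'cafile'           => $caFile,
        ],
    ]);
    return new SoapClient($cacheFile, [
        'local_cert'     => $clientPem,
        'passphrase'     => $passphrase,
        'stream_context' => $context,
        'cache_wsdl'     => WSDL_CACHE_NONE,
        'exceptions'     => true,
    ]);
}

// Usage (all values are assumptions):
$wsdlUrl   = 'https://test.com/soap_test.php?wsdl';
$clientPem = 'client.pem';
$caFile    = 'ca.crt';
$cache     = '/tmp/soap_test.wsdl';

if (fetchWsdlWithClientCert($wsdlUrl, $clientPem, '123456', $caFile, $cache)) {
    $client = buildSoapClient($cache, $clientPem, '123456', $caFile);
    print_r($client->__getFunctions());
}
```

Caching the WSDL also means the service endpoint is fixed to whatever address the cached document names, so refresh the cache whenever the server-side WSDL changes.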
