This article covers the 1:1 mode; for the N:1 mode see the newer post "SSL bidirectional authentication (HD version)".
-----------------------------------------------------I'm a split line-----------------------------------------------------
The title got too long and I didn't know where to start, so I simply listed the keywords.
The WebService WS-* standards never really took off, and PHP seems to have all but abandoned the SOAP protocol; I searched Google until it wore out and found no reliable solution.
Our partners did not want to implement encryption, decryption and signing themselves, so there was no choice but to go with HTTPS and push this piece down from the application layer to the transport layer.
However, data security in communication breaks down into several parts: confidentiality, tamper resistance (integrity) and non-repudiation.
A traditional HTTPS call only encrypts the data: it solves the confidentiality and tamper problems, but it does not authenticate the client, which is the non-repudiation part.
Therefore, SSL two-way (mutual) authentication with two sets of certificates is required.
Current nginx has good support for SSL bidirectional authentication, and the configuration is simple:

```nginx
......
listen 443;
server_name test.com;
ssl on;
ssl_certificate server.crt;             # server-side public key (certificate)
ssl_certificate_key server.key;         # server-side private key
ssl_client_certificate client.crt;      # client-side public key (certificate) trusted for client verification
ssl_session_timeout 5m;
ssl_verify_client on;                   # turn on client verification
......
```
In fact, on top of a regular HTTPS configuration, only the client-side public key setting is added and client verification is turned on. (Newer nginx versions replace `ssl on;` with `listen 443 ssl;`. For more configuration details refer to the nginx official documentation: http://wiki.nginx.org/HttpSslModule#ssl)
Once the server is configured, the original WSDL address has to be accessed via HTTPS, and the client must present a client certificate when accessing it.
Test with curl first; the relevant parameters:

```php
......
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);   // trust any server certificate (testing only: disables server verification)
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);       // do not check the domain name in the certificate
curl_setopt($ch, CURLOPT_VERBOSE, true);           // development mode, shows information during the communication
curl_setopt($ch, CURLOPT_SSLCERT, 'client.crt');   // client certificate
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, '123456'); // client certificate password
curl_setopt($ch, CURLOPT_SSLKEY, 'client.key');    // client private key
curl_setopt($ch, CURLOPT_POST, false);             // cannot use POST
......
```
I use the NuSOAP implementation for the WebService server (see "Do you like SOAP? I don't like it anyway!" for details), and you will see that the bound interface address in the WSDL is already the port 443 address.
If you use PHP's built-in SoapClient instead of NuSOAP for the call, just set the following options:

```php
......
$local_cert = 'client.pem';          // PEM containing both the certificate and the key
$header = array(
    'local_cert' => $local_cert,     // client certificate information
    'passphrase' => '123456',        // password
);
$client = new SoapClient($wsdl, $header);
```
One thing to note is that client.pem needs to contain both the certificate and the private key, as follows:

```
-----BEGIN CERTIFICATE-----
Miicdtccad4c ...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKB ...
-----END RSA PRIVATE KEY-----
```
At this point you will find that the following error message still appears:

```
SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://test.com/soap_test.php?wsdl' : Premature end of data in tag html line 1
```

On Google I found someone who had run into the same thing, and the conclusion was what I expected: when SoapClient fetches the WSDL for the first time it does not use the certificate information at all! Grab the WSDL with curl, save it to a local file and use that file for the call, and everything is OK~
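The workaround above, written out as an added example (not the original post's code): fetch the WSDL over mutual TLS with curl, refuse to cache it unless it really is a WSDL document, then hand the local copy to SoapClient. The file names client.pem, ca.crt (assumed to hold the certificate that issued server.crt) and /tmp/soap_test.wsdl are assumptions.

```php
<?php
// Added example, not code from the original post. Assumes client.pem (certificate + key),
// ca.crt (issuer of the server certificate) and a writable /tmp/soap_test.wsdl.

function fetch_wsdl_with_client_cert($wsdl_url, $cert_pem, $passphrase, $ca_file, $save_to)
{
    $ch = curl_init($wsdl_url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,        // verify the server certificate, unlike the test settings
        CURLOPT_SSL_VERIFYHOST => 2,           // and check that its name matches the host
        CURLOPT_CAINFO         => $ca_file,
        CURLOPT_SSLCERT        => $cert_pem,   // client certificate and key in one PEM
        CURLOPT_SSLCERTPASSWD  => $passphrase,
    ));
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $err  = curl_error($ch);
    curl_close($ch);

    if ($body === false || $code !== 200) {
        throw new RuntimeException("WSDL fetch failed (HTTP $code): $err");
    }
    // nginx answers a request without a verified client certificate with an HTML error page,
    // which is what produces "Premature end of data in tag html": never cache that as a WSDL.
    if (!preg_match('/<(wsdl:)?definitions\b/', $body)) {
        throw new RuntimeException('Response is not a WSDL document: ' . substr($body, 0, 80));
    }
    file_put_contents($save_to, $body);
    return $save_to;
}

$local_cert = 'client.pem';
$passphrase = '123456';
$wsdl_file  = fetch_wsdl_with_client_cert(
    'https://test.com/soap_test.php?wsdl', $local_cert, $passphrase, 'ca.crt', '/tmp/soap_test.wsdl');

// SoapClient parses the local file (no TLS involved) and presents the client certificate on
// the actual method calls; the stream context makes those calls verify the server as well.
$client = new SoapClient($wsdl_file, array(
    'local_cert'     => $local_cert,
    'passphrase'     => $passphrase,
    'cache_wsdl'     => WSDL_CACHE_NONE,
    'stream_context' => stream_context_create(array('ssl' => array(
        'verify_peer' => true,
        'cafile'      => 'ca.crt',
    ))),
));
```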
Nginx, SSL bidirectional authentication, PHP, SOAP, Webservice, HTTPS