
Add two way SSL authentication #18

Merged
merged 3 commits into from Feb 17, 2013

Conversation

fengxx commented Feb 17, 2013

Pass rejectUnauthorized and requestCert to the SSL server; refer to
http://nodejs.org/api/tls.html#tls_tls_createserver_options_secureconnectionlistener

Add instructions to generate client certificate.

jiehanzheng (Contributor)

Please keep it consistent and don't use camelCase in command line arguments.

igrigorik (Owner)

I think the capital C makes sense. Lower case is for the server cert, uppercase is the client cert.

igrigorik added a commit that referenced this pull request Feb 17, 2013
Add two way SSL authentication
@igrigorik igrigorik merged commit 699037a into igrigorik:master Feb 17, 2013
igrigorik (Owner)

Thanks Ted!

zhaostu commented May 16, 2013

I followed the instructions for two way authentication and it did not work for me. (Node 0.10.5 and spdyproxy 0.2.4).

No auth / password auth works for me. But when using two-way auth, Chrome would prompt for the certificate to submit to the server, but the server does not show any logs, and the connection doesn't work either.

Any idea? Thanks!

igrigorik (Owner)

@zhaostu "no auth/password auth works for me" - even the regular HTTP auth?

I'm not sure I would expect the server to log anything for certificate validation. Besides, the validation here should happen between the client and spdy-proxy, not the destination server (that's a whole separate discussion).

zhaostu commented May 16, 2013

@igrigorik Sorry for the confusion. What I really meant was "Without authentication (that everyone can access the proxy) and password authentication (using Basic HTTP Auth) both worked for me."

A few more details: I used StartSSL to sign my server cert, and I used the server cert (with linked CA certs) to sign a client cert (as described in the README) and imported the pfx file into Chrome. When I try to use the proxy, Chrome prompts me with a dialog asking whether I want to submit the client cert (meaning the -C worked). But after I click OK, Chrome complains about a proxy error.

Any ideas? Thanks for the work!

fengxx (Author) commented May 17, 2013

The StartSSL-signed server cert is not permitted to sign client certs: there is a Key Usage field in the signed certificate, and by default it only allows SSL communication. You have to become an intermediate CA to sign client certs. In short, Chrome will not use the client cert because it is invalid.

fengxx (Author) commented May 17, 2013

@zhaostu you can still use the StartSSL certificate as the SSL certificate but use a self-signed CA to sign client certs; just use -a and -c to specify different certs:

spdyproxy -k keys/startssl.pem -c keys/startssl.cer -p 44300 -a keys/selfSignRootCA.pem -C
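The setup fengxx describes, as an added example that is not part of spdyproxy or this PR: create a private root CA (CA:TRUE, keyCertSign), issue a clientAuth certificate from it for the -a/-C flags, and show with openssl verify why a client cert signed by an ordinary server (leaf) certificate is rejected. It requires openssl on PATH; the config sections, common names, and output paths are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of spdyproxy or this PR: build a private root CA, issue a
# client cert from it for "-a <rootCA.pem> -C", and show why a server (leaf) cert
# cannot act as client-cert issuer. Needs openssl; all names/paths are constructed.
set -e
# Minimal openssl config: the CA gets CA:TRUE and keyCertSign, the server cert does
# not, and client certs get extendedKeyUsage=clientAuth (a server cert lacks it).
write_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}
# Self-signed cert: $1 config, $2 extension section, $3 CN, $4 output basename.
self_signed() {
  openssl req -x509 -config "$1" -extensions "$2" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$3" -keyout "$4.key" -out "$4.pem" 2>/dev/null
}
# Client cert: $1 config, $2 issuer cert, $3 issuer key, $4 basename. Note that
# "openssl x509" signs with any key; only chain verification catches a non-CA issuer.
issue_client_cert() {
  openssl req -new -config "$1" -newkey rsa:2048 -nodes -subj "/CN=proxy-user" \
    -keyout "$4.key" -out "$4.csr" 2>/dev/null &&
  openssl x509 -req -in "$4.csr" -CA "$2" -CAkey "$3" -CAcreateserial -days 365 \
    -extfile "$1" -extensions client_ext -out "$4.pem" 2>/dev/null
}
# Returns 0 only if the CA-issued client cert verifies and the leaf-issued one fails.
demo_client_pki() {
  w=$(mktemp -d) && write_config "$w/ext.cnf" || return 1
  self_signed "$w/ext.cnf" ca_ext "Proxy Root CA" "$w/selfSignRootCA" || return 1
  self_signed "$w/ext.cnf" server_ext "proxy.example" "$w/server" || return 1
  issue_client_cert "$w/ext.cnf" "$w/selfSignRootCA.pem" "$w/selfSignRootCA.key" "$w/good" || return 1
  issue_client_cert "$w/ext.cnf" "$w/server.pem" "$w/server.key" "$w/bad" || return 1
  # The CA-issued chain passes; the leaf-issued one is rejected ("invalid CA
  # certificate"), the same defect that made Chrome drop the client cert here.
  openssl verify -CAfile "$w/selfSignRootCA.pem" -purpose sslclient "$w/good.pem" >/dev/null || return 1
  ! openssl verify -CAfile "$w/server.pem" -purpose sslclient "$w/bad.pem" >/dev/null 2>&1 || return 1
  echo "spdyproxy -k server.key -c server.pem -a $w/selfSignRootCA.pem -C  # import good.pem into the browser"
}
demo_client_pki
```

The printed command mirrors fengxx's invocation above: the StartSSL (here, self-signed demo) server cert stays on -k/-c, while -a points at the private root CA that actually issued the client certificate.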

zhaostu commented May 17, 2013

@fengxx Thanks Ted! That makes a lot of sense now!

Also, keys/selfSignRootCA.pem should be the certificate, not the private key, of the self-signed root CA. Am I correct?

fengxx (Author) commented May 17, 2013

Yes, it holds the public key.

zhaostu commented May 19, 2013

@fengxx @igrigorik Thanks guys, I created my own root CA and it worked.

I'd suggest putting that in the README file so that others who have the same problem can understand this.

Thanks again!
