# cfml-general
d
Certificate pinning to the http requests. Who knows how to do this in cfml? Doesn't look like cfhttp has this option. I see the clientCert attribute but that is for PKCS12 file, which requires a password to decrypt. I'm working on the SDK for Duo Security, and all their latest SDKs are using PEM certs.
```php
// Fragment from inside a class (hence self::): the pinned CA bundle is a class constant
const DUO_CERTS = __DIR__ . "/ca_certs.pem";
// Trust only the pinned CA bundle instead of the system store, and verify the peer
curl_setopt($ch, CURLOPT_CAINFO, self::DUO_CERTS);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
```
```javascript
// PEM text of the pinned root CA; the certificate body is truncated here
export const DUO_PINNED_CERT = `
subject= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
-----BEGIN CERTIFICATE-----
MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl ...`

// Axios: the `ca` option replaces the default trust store, so the agent
// only accepts servers chaining to the pinned certificate
// (`constants` is the module that exports DUO_PINNED_CERT)
const agent = new https.Agent({
   ca: constants.DUO_PINNED_CERT,
});
```
e
I think you could use CFCURL
d
where is that? this one? https://github.com/iGLOO-be/cf-curl
w
@Daniel Mejia Not very familiar with this pinning stuff, but isn’t it just an extra header you are sending to the server? Or am I saying something stupid now?
d
That's a really good question. I will have to see what the actual request looks like in the php and nodejs apps to answer that. I'll Duo as well.
Both Axios in nodejs and curl in php abstract away the ca certs feature. So I'm not sure, and there isn't any info in the Duo docs about this.
w
I am trying to understand the protocol. I think you are sending some certificate or hash of a certificate to the other side so they know you are using the right cert type. Totally outdated protocol some people say, but that doesn’t help you if you need it. I think it just sets some header, which means you have to know the details of the header contents. If it really is a header you should be able to use cfhttpparams or other clients like bolthttp or hyper
d
Oh yeah. If it is a header I just need to know what the header name should be. Here is the best explanation I can come up with: the intent of including these certificates is to add a line of defense to the client, to attempt to ensure that it never connects to any server that isn't one of Duo's. This should help mitigate attacks such as MITM, IP spoofing, or any kind of DNS trickery. While it's not critical to the operation of the client, it's a nice-to-have.
```cfml
<!--- hypothetical "cacert" attribute: make sure this request only goes to duo.com --->
<cfhttp url="duo.com" cacert="duo_certs.pem">
```
@priyank_adobe Do you know about cert pinning? and how to accomplish this in cfml?
p
@Daniel Mejia Unfortunately, I have never done that before so I am not sure how to do that and if it is at all possible with CFML.
d
Duo dev said:
Certificate pinning doesn't affect the individual requests at all, it's taken into account when the http client is establishing the TLS connection to Duo. It compares the server's TLS certificate to the "pinned" list to determine if it will trust the server. So this definitely relies on the capability of your language's Http client to support.
So, it's not anything that the request body or headers have to complete the request. This TLS handshaking is all on the client side.
cfhttp doesn't have this and it doesn't even look like java core has this feature, but there is a java community package that adds that (https://github.com/JakeWharton/retrofit1-okhttp3-client) if you use the retrofit http client. So boo for cfml. No worries though - I am not required to do it so the cfml sdk will be the only one that doesn't do it. UNLESS, I redo the sdk to use Retrofit and OkHttp3 for java instead of cfhttp.