Proxy to url with Mutual SSL


Tiago Alves

Apr 3, 2019, 9:47:20 AM4/3/19
to wiremock-user
Hi,

I'm using WireMock to proxy to a URL that uses mutual SSL. The client has a keystore and truststore and wanted it proxied through WireMock. I've tested this and it isn't working. Can anyone confirm if this is possible?


joe.p...@bluewin.ch

Apr 3, 2019, 9:59:28 AM4/3/19
to wiremock-user
I was calling a service requiring a client cert through WireMock, but to do that I added the client keystore in the WireMock proxy.
IMHO I don't see how the connection behind (WireMock to service) can build a secure connection if it doesn't have the relevant client certificate private key.
Also, if what you wanted was possible it would make implementing a "man in the middle" attack pretty trivial ;-)

Tom Akehurst

Apr 3, 2019, 10:08:15 AM4/3/19
to wiremock-user
This is possible when you're reverse proxying from WireMock (it's not possible when forward proxying due to the reason Joe explained). You need to build a trust store containing your client certificate and configure WireMock to use it.

Ravi Kharatmal

Sep 14, 2022, 3:54:15 PM9/14/22
to wiremock-user
I am also facing an issue in proxying an HTTPS URL that needs mutual SSL. I understand this answer which says "You need to build a trust store containing your client certificate and configure WireMock to use it." but my issue is on top of this.

Issue & Analysis:
Proposed solution:
  • I think it should use the keystore in the line ".loadKeyMaterial(trustStore, trustStoreSettings.password().toCharArray());" instead of the truststore.
  • So it should be something like ".loadKeyMaterial(keystore, keystoreSettings.password().toCharArray());"
  • This way the keystore will be used to pass the client cert in mutual SSL & the truststore will be used to trust the target.
Code snippet:

private static SSLContext buildSSLContextWithTrustStore(
      KeyStoreSettings trustStoreSettings,
      boolean trustSelfSignedCertificates,
      List<String> trustedHosts) {
    try {
      KeyStore trustStore = trustStoreSettings.loadStore();
      SSLContextBuilder sslContextBuilder =
          SSLContextBuilder.create()
              // Change proposed here: the trust store is loaded as key material
              .loadKeyMaterial(trustStore, trustStoreSettings.password().toCharArray());
      if (trustSelfSignedCertificates) {
        sslContextBuilder.loadTrustMaterial(new TrustSelfSignedStrategy());
      } else if (containsCertificate(trustStore)) {
        // This is fine
        sslContextBuilder.loadTrustMaterial(
            trustStore, new TrustSpecificHostsStrategy(trustedHosts));
      } else {
        sslContextBuilder.loadTrustMaterial(new TrustSpecificHostsStrategy(trustedHosts));
      }
      return sslContextBuilder.build();
    } catch (Exception e) {
      // The rest of the method was not included in the post; this closing
      // is added only so the fragment is syntactically complete.
      throw new RuntimeException(e);
    }
}

Ravi Kharatmal

Sep 14, 2022, 4:11:09 PM9/14/22
to wiremock-user
Also, just to add, I also tried the temporary workaround below, which works, but I would prefer the proposed solution above so that the keystore & truststore can be configured appropriately to their meaning.

Temporary workaround:
  • In WireMockConfiguration, set the attributes trustStorePath and trustStorePassword with the values of your client keystore path & keystore password. This seems counter-intuitive, but there is no other workaround.
  • This way HttpClientFactory > buildSSLContextWithTrustStore() will use this in "SSLContextBuilder.create().loadKeyMaterial()" & pass it on to the target URL for mutual SSL.
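As an added example (not WireMock's code and not written by anyone in this thread), here is the keystore/truststore split that Tom's answer and Ravi's proposed fix describe, built directly with Apache HttpClient's SSLContextBuilder, the same class the posted snippet uses. The class name MutualTlsContextFactory, its method names, and the role checks on the two stores are my own; the file paths and passwords would come from the caller's configuration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.TrustStrategy;

/**
 * Builds an SSLContext for an outbound mutual-TLS connection (proxy -> target).
 * The key store supplies the client identity (private key + certificate chain),
 * the trust store supplies the anchors used to verify the target. Hypothetical
 * helper, not part of WireMock.
 */
public final class MutualTlsContextFactory {

    private MutualTlsContextFactory() {}

    /** Loads a JKS or PKCS12 store from disk; the caller chooses the type. */
    public static KeyStore loadStore(String path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /** True if the store holds at least one private-key entry, i.e. it can act as a client identity. */
    public static boolean hasPrivateKey(KeyStore store) throws GeneralSecurityException {
        for (String alias : Collections.list(store.aliases())) {
            if (store.isKeyEntry(alias)) {
                return true;
            }
        }
        return false;
    }

    /** True if the store holds at least one trusted-certificate entry. */
    public static boolean hasTrustedCertificate(KeyStore store) throws GeneralSecurityException {
        for (String alias : Collections.list(store.aliases())) {
            if (store.isCertificateEntry(alias)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Key material comes from keyStore, trust material from trustStore. The two
     * checks up front catch the two misconfigurations discussed in the thread:
     * a "key store" that carries no private key (no client cert will be sent),
     * and a trust store that has been stuffed with the private key as a workaround.
     */
    public static SSLContext build(KeyStore keyStore, char[] keyPassword,
                                   KeyStore trustStore, boolean trustSelfSigned)
            throws GeneralSecurityException {
        if (!hasPrivateKey(keyStore)) {
            throw new IllegalArgumentException(
                "key store has no private-key entry; no client certificate can be presented");
        }
        if (hasPrivateKey(trustStore)) {
            throw new IllegalArgumentException(
                "trust store contains a private key; it should hold trusted certificates only");
        }

        SSLContextBuilder builder = SSLContextBuilder.create()
            // client identity: this is the call the posted snippet feeds the trust store into
            .loadKeyMaterial(keyStore, keyPassword);

        if (trustSelfSigned) {
            // accept self-signed target certs; anything else is checked against trustStore
            builder.loadTrustMaterial(trustStore, new TrustSelfSignedStrategy());
        } else if (hasTrustedCertificate(trustStore)) {
            // verify the target strictly against the anchors in trustStore
            builder.loadTrustMaterial(trustStore, (TrustStrategy) null);
        } else {
            // empty trust store: fall back to the JVM's default trust anchors
            builder.loadTrustMaterial((KeyStore) null, (TrustStrategy) null);
        }
        return builder.build();
    }
}
```

Usage is two loadStore calls (one for the client PKCS12/JKS holding the private key, one for the store holding the target's CA) followed by build(); the resulting SSLContext is what an HttpClient connection factory for the proxy-to-target leg would be given. The hasPrivateKey check on the trust store is the part worth keeping regardless of how the context is wired up: the workaround of pointing trustStorePath at the client keystore works only because the same file then doubles as key material, and it leaves a private key in a store that is normally shared and handled as public data.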

