Two-Way SSL Mutual Authentication

We have written an API web service which is running on the world wide web, but we need to limit access to the API. The client is the UK National Health Service (NHS), and they have suggested that we should be checking the client (i.e. their) certificate when doing the SSL handshake. Is there anyway to do this in Xojo?

Having scanned the internet, this is known as “Two-Way SSL Mutual Authentication” and it basically means checking the NHS client certificate is valid in the same way as the client checks the server (i.e. our) certificate is valid against a certificate authority (CA).

Please be gentle! This is outside of my knowledge base.

Thanks in advance

Hi Jim

How does the client software interact with your web api (web browser, in code etc.) and what type of app is running on the server (web application, console service etc.)? Two-way ssl requires both ends of the connection to be setup and configured correctly which is why it’s not widely adopted outside of corporate networks.

I’m assuming your web service is written in Xojo, in which case you’ll be using the built-in SSLSocket in one form or another. Unfortunately I don’t think the SSLSocket exposes the functionality required to be able to implement this within Xojo at present, although I’m aware other developers have raised feature requests for certificate validation to be added.

If you are forced to go down this path by the client then it may be necessary to install nginx or apache on your server which can handle the 2-way ssl and then act as a reverse proxy to pass the connection through to your app running behind it.

1 Like

Thanks @Lawrence_Johnson

The client software is a piece of middleware i.e. in code, and we are running a stand alone web application written in Xojo, exposing the /api HandleSpecialURL interface.

Also, we are still on 2019r3, although, now IE has finally died, it won’t be long before we can move on from that.

Using another web server as a proxy was what we suspected so thanks for confirming that Xojo doesn’t currently handle this. I was hoping that maybe one of the plugins could cope? @Christian_Schmitz ?

Thanks again

When we use CURL requests, we can set a client side SSL certificate and then it is used to connect. Some companies need that to lockout people, who don’t have the certificate.

For the web app, you usually put Apache as reverse proxy in front to do the SSL (including requiring client SSL certificate).

Thanks @Christian_Schmitz, using CURL to send a client certificate is fine if you are the client, but we are the server, and we want to check the client certificate.

It seems like Apache (or other) as a reverse proxy is the way forward.