mTLS#

什么是双向TLS#

基本概念#

双向TLS（Mutual TLS，简称mTLS）是一种双向身份验证机制：

单向TLS：仅服务器向客户端证明身份
双向TLS：服务器和客户端相互验证身份

工作原理#

1
客户端 <---> 服务器
2
  ↓           ↓
3
客户端证书   服务器证书
4
  ↓           ↓
5
  CA验证    CA验证

证书准备#

创建CA#

1
# 创建工作目录
2
mkdir -p ~/mtls/{ca,server,client}
3
cd ~/mtls
4

5
# 生成CA私钥
6
openssl genrsa -out ca/ca.key 4096
7

8
# 生成CA证书
9
openssl req -new -x509 -days 3650 -key ca/ca.key -out ca/ca.crt \
10
  -subj "/C=CN/ST=Beijing/L=Beijing/O=MyOrg/OU=IT/CN=MyCA"
11

12
# 查看CA证书信息
13
openssl x509 -in ca/ca.crt -text -noout

生成服务器证书#

1
# 生成服务器私钥
2
openssl genrsa -out server/server.key 2048
3

4
# 创建证书签名请求（CSR）
5
openssl req -new -key server/server.key -out server/server.csr \
6
  -subj "/C=CN/ST=Beijing/L=Beijing/O=MyOrg/OU=IT/CN=example.com"
7

8
# 创建扩展配置文件
9
cat > server/server_ext.cnf <<EOF
10
authorityKeyIdentifier=keyid,issuer
11
basicConstraints=CA:FALSE
12
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
13
subjectAltName = @alt_names
14

15
[alt_names]
16
DNS.1 = example.com
17
DNS.2 = *.example.com
18
IP.1 = 192.168.1.100
19
EOF
20

21
# 使用CA签发服务器证书
22
openssl x509 -req -days 365 \
23
  -in server/server.csr \
24
  -CA ca/ca.crt \
25
  -CAkey ca/ca.key \
26
  -CAcreateserial \
27
  -out server/server.crt \
28
  -extfile server/server_ext.cnf

生成客户端证书#

1
# 生成客户端私钥
2
openssl genrsa -out client/client.key 2048
3

4
# 创建客户端CSR
5
openssl req -new -key client/client.key -out client/client.csr \
6
  -subj "/C=CN/ST=Beijing/L=Beijing/O=MyOrg/OU=IT/CN=client1"
7

8
# 签发客户端证书
9
openssl x509 -req -days 365 \
10
  -in client/client.csr \
11
  -CA ca/ca.crt \
12
  -CAkey ca/ca.key \
13
  -CAcreateserial \
14
  -out client/client.crt
15

16
# 生成PKCS12格式
17
openssl pkcs12 -export \
18
  -out client/client.p12 \
19
  -inkey client/client.key \
20
  -in client/client.crt \
21
  -certfile ca/ca.crt \
22
  -passout pass:123456

服务器配置#

Nginx配置#

1
server {
2
    listen 443 ssl;
3
    server_name example.com;
4

5
    # SSL证书配置
6
    ssl_certificate /path/to/server/server.crt;
7
    ssl_certificate_key /path/to/server/server.key;
8

9
    # 客户端证书验证
10
    ssl_client_certificate /path/to/ca/ca.crt;
11
    ssl_verify_client on;
12
    ssl_verify_depth 2;
13

14
    # SSL协议和加密套件
15
    ssl_protocols TLSv1.2 TLSv1.3;
16
    ssl_ciphers HIGH:!aNULL:!MD5;
17
    ssl_prefer_server_ciphers on;
18

19
    # Session配置
20
    ssl_session_timeout 10m;
21
    ssl_session_cache shared:SSL:10m;
22

23
    location / {
24
        # 传递客户端证书信息到后端
25
        proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
26
        proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn;
27
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
28

29
        proxy_pass http://backend;
30
    }
31

32
    # 可选：根据客户端证书CN进行访问控制
33
    location /admin {
34
        if ($ssl_client_s_dn !~ "CN=admin") {
35
            return 403;
36
        }
37
        proxy_pass http://backend;
38
    }
39
}

Apache配置#

1
<VirtualHost *:443>
2
    ServerName example.com
3
    DocumentRoot /var/www/html
4

5
    # 启用SSL
6
    SSLEngine on
7
    SSLCertificateFile /path/to/server/server.crt
8
    SSLCertificateKeyFile /path/to/server/server.key
9

10
    # 客户端证书验证
11
    SSLCACertificateFile /path/to/ca/ca.crt
12
    SSLVerifyClient require
13
    SSLVerifyDepth 2
14

15
    # SSL协议配置
16
    SSLProtocol all -SSLv2 -SSLv3
17
    SSLCipherSuite HIGH:!aNULL:!MD5
18

19
    <Directory /var/www/html>
20
        # 基于客户端证书的访问控制
21
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "client1" \
22
                or %{SSL_CLIENT_S_DN_CN} eq "client2"
23
    </Directory>
24
</VirtualHost>

Node.js配置#

1
const https = require('https');
2
const fs = require('fs');
3
const express = require('express');
4

5
const app = express();
6

7
// 配置选项
8
const options = {
9
    key: fs.readFileSync('server/server.key'),
10
    cert: fs.readFileSync('server/server.crt'),
11
    ca: fs.readFileSync('ca/ca.crt'),
12
    requestCert: true,
13
    rejectUnauthorized: true
14
};
15

16
// 中间件：验证客户端证书
17
app.use((req, res, next) => {
18
    const cert = req.socket.getPeerCertificate();
19

20
    if (req.client.authorized) {
21
        console.log(`Client CN: ${cert.subject.CN}`);
22
        next();
23
    } else {
24
        res.status(401).send('Client certificate required');
25
    }
26
});
27

28
app.get('/', (req, res) => {
29
    res.send('mTLS connection successful!');
30
});
31

32
https.createServer(options, app).listen(443, () => {
33
    console.log('Server running on https://localhost:443');
34
});

Cloudflare#

Cloudflare mTLS设置#

登录Cloudflare Dashboard#

访问 Cloudflare Dashboard
选择你的域名

配置SSL/TLS#

1
SSL/TLS → Overview:
2
  - 加密模式: Full (strict)
3

4
SSL/TLS → Client Certificates:
5
  1. 点击 "Create Certificate"
6
  2. 生成或上传客户端CA证书
7
  3. 配置证书参数:
8
     - Certificate name: "My mTLS CA"
9
     - Certificate: [粘贴ca.crt内容]
10
     - Private key: [保持为空，只需要公钥]

创建mTLS规则#

1
SSL/TLS → Client Certificates → Create mTLS Rule:
2
  名称: "Require Client Cert"
3

4
  如果传入请求匹配:
5
    - 主机名: example.com
6
    - URI路径: /api/*
7

8
  则:
9
    - 需要客户端证书: 开启
10
    - CA证书: "My mTLS CA"

使用Cloudflare API配置#

1
# 设置环境变量
2
export CF_EMAIL="your-email@example.com"
3
export CF_API_KEY="your-api-key"
4
export CF_ZONE_ID="your-zone-id"
5

6
# 上传客户端CA证书
7
curl -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/client_certificates" \
8
     -H "X-Auth-Email: $CF_EMAIL" \
9
     -H "X-Auth-Key: $CF_API_KEY" \
10
     -H "Content-Type: application/json" \
11
     --data '{
12
       "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
13
       "name": "My mTLS CA"
14
     }'
15

16
# 创建mTLS规则
17
curl -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/firewall/rules" \
18
     -H "X-Auth-Email: $CF_EMAIL" \
19
     -H "X-Auth-Key: $CF_API_KEY" \
20
     -H "Content-Type: application/json" \
21
     --data '{
22
       "filter": {
23
         "expression": "(http.host eq \"example.com\" and http.request.uri.path contains \"/api\")"
24
       },
25
       "action": "challenge",
26
       "products": ["waf"],
27
       "description": "Require client certificate for API"
28
     }'

Cloudflare Workers中验证mTLS#

1
addEventListener('fetch', event => {
2
  event.respondWith(handleRequest(event.request))
3
})
4

5
async function handleRequest(request) {
6
  // 获取客户端证书信息
7
  const tlsInfo = request.cf.tlsClientAuth
8

9
  if (!tlsInfo || !tlsInfo.certPresented) {
10
    return new Response('Client certificate required', { status: 401 })
11
  }
12

13
  // 验证证书信息
14
  if (tlsInfo.certVerified) {
15
    const certInfo = {
16
      subject: tlsInfo.certSubjectDN,
17
      issuer: tlsInfo.certIssuerDN,
18
      serial: tlsInfo.certSerial,
19
      notBefore: tlsInfo.certNotBefore,
20
      notAfter: tlsInfo.certNotAfter
21
    }
22

23
    // 基于证书信息的访问控制
24
    if (certInfo.subject.includes('CN=authorized-client')) {
25
      return new Response(JSON.stringify({
26
        message: 'Access granted',
27
        clientInfo: certInfo
28
      }), {
29
        headers: { 'Content-Type': 'application/json' }
30
      })
31
    }
32
  }
33

34
  return new Response('Unauthorized', { status: 403 })
35
}

客户端配置#

cURL测试#

1
# 基本测试
2
curl --cert client/client.crt \
3
     --key client/client.key \
4
     --cacert ca/ca.crt \
5
     https://example.com
6

7
# 详细调试
8
curl -v \
9
     --cert client/client.crt \
10
     --key client/client.key \
11
     --cacert ca/ca.crt \
12
     --resolve example.com:443:192.168.1.100 \
13
     https://example.com

Python客户端#

1
import requests
2
import ssl
3

4
# 配置客户端证书
5
cert = ('client/client.crt', 'client/client.key')
6
ca_cert = 'ca/ca.crt'
7

8
# 发送请求
9
response = requests.get(
10
    'https://example.com',
11
    cert=cert,
12
    verify=ca_cert
13
)
14

15
print(f"Status: {response.status_code}")
16
print(f"Response: {response.text}")
17

18
# 使用Session保持连接
19
session = requests.Session()
20
session.cert = cert
21
session.verify = ca_cert
22

23
# 多个请求
24
for i in range(5):
25
    resp = session.get(f'https://example.com/api/data/{i}')
26
    print(f"Request {i}: {resp.status_code}")

Node.js客户端#

1
const https = require('https');
2
const fs = require('fs');
3

4
const options = {
5
    hostname: 'example.com',
6
    port: 443,
7
    path: '/',
8
    method: 'GET',
9
    key: fs.readFileSync('client/client.key'),
10
    cert: fs.readFileSync('client/client.crt'),
11
    ca: fs.readFileSync('ca/ca.crt'),
12
    rejectUnauthorized: true
13
};
14

15
const req = https.request(options, (res) => {
16
    console.log(`Status: ${res.statusCode}`);
17

18
    res.on('data', (d) => {
19
        process.stdout.write(d);
20
    });
21
});
22

23
req.on('error', (e) => {
24
    console.error(e);
25
});
26

27
req.end();

浏览器配置#

Chrome/Edge#

1
# Windows
2
certutil -addstore -user Root ca/ca.crt
3
certutil -addstore -user My client/client.p12
4

5
# macOS
6
security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain ca/ca.crt
7
security import client/client.p12 -k ~/Library/Keychains/login.keychain -P 123456
8

9
# Linux
10
pk12util -i client/client.p12 -d sql:$HOME/.pki/nssdb -W 123456
11
certutil -A -n "MyCA" -t "TCu,Cu,Tu" -i ca/ca.crt -d sql:$HOME/.pki/nssdb

故障排查#

常见错误及解决方案#

证书验证失败

1
# 检查证书链
2
openssl verify -CAfile ca/ca.crt server/server.crt
3
openssl verify -CAfile ca/ca.crt client/client.crt
4

5
# 检查证书有效期
6
openssl x509 -in client/client.crt -noout -dates

SSL握手失败

1
# 测试SSL连接
2
openssl s_client -connect example.com:443 \
3
  -cert client/client.crt \
4
  -key client/client.key \
5
  -CAfile ca/ca.crt \
6
  -showcerts

权限问题

1
# 设置正确的文件权限
2
chmod 400 server/server.key
3
chmod 400 client/client.key
4
chmod 644 server/server.crt
5
chmod 644 client/client.crt
6
chmod 644 ca/ca.crt

日志分析#

Nginx日志#

1
http {
2
    log_format mtls '$remote_addr - $ssl_client_s_dn [$time_local] '
3
                     '"$request" $status $body_bytes_sent '
4
                     '"$http_user_agent" $ssl_protocol/$ssl_cipher';
5

6
    access_log /var/log/nginx/mtls_access.log mtls;
7
    error_log /var/log/nginx/mtls_error.log debug;
8
}

分析工具#

1
# 监控证书过期
2
#!/bin/bash
3
for cert in ~/mtls/**/*.crt; do
4
    echo "Checking $cert:"
5
    openssl x509 -in "$cert" -noout -enddate
6
done
7

8
# 自动续期脚本
9
#!/bin/bash
10
DAYS_BEFORE_EXPIRY=30
11
CERT_FILE="server/server.crt"
12

13
EXPIRY_DATE=$(openssl x509 -in $CERT_FILE -noout -enddate | cut -d= -f2)
14
EXPIRY_EPOCH=$(date -d "$EXPIRY_DATE" +%s)
15
CURRENT_EPOCH=$(date +%s)
16
DAYS_LEFT=$(( ($EXPIRY_EPOCH - $CURRENT_EPOCH) / 86400 ))
17

18
if [ $DAYS_LEFT -lt $DAYS_BEFORE_EXPIRY ]; then
19
    echo "Certificate expires in $DAYS_LEFT days. Renewing..."
20
    # 执行续期命令
21
fi

实践#

监控和告警#

1
// 监控脚本示例
2
const checkCertificateExpiry = () => {
3
    const certPath = 'server/server.crt';
4
    const cert = fs.readFileSync(certPath);
5
    const x509 = new crypto.X509Certificate(cert);
6

7
    const expiryDate = new Date(x509.validTo);
8
    const daysUntilExpiry = Math.floor((expiryDate - Date.now()) / (1000 * 60 * 60 * 24));
9

10
    if (daysUntilExpiry < 30) {
11
        // 发送告警
12
        console.warn(`Certificate expires in ${daysUntilExpiry} days!`);
13
    }
14
};
15

16
// 每天检查一次
17
setInterval(checkCertificateExpiry, 24 * 60 * 60 * 1000);

说在最后#

~~我也不知道说什么~~最好中午弄,因为早晚会出事

The end Ciallo~