On a server to server SSL connection is there any trustable information identifying the calling server?



  • Imagine server A calling server B over SSL and that both servers have SSL certificates installed.

    Later server A again calls server B.

    Is there a way for server B to know that server A is the same server in both calls without a client certificate?

    In my application I issue a shared security token in the first call. But in the second call I would like to know that the security token hasn't been copied to, and is now sent from, a third party C, so I'd like to add an additional check that A is still A (not necessarily the same physical server, but it has the 'A' SSL certificate installed). I cannot enforce the use of client certificates. I cannot rely on the IP address because they are volatile.

    As far as I understand, I can get the server A hostname from the [EDIT: encrypted HTTP] header. But I suspect an attacker could spoof the hostname and just insert HTTP host header 'A' even though it is C?

    I also suspect that the calling server A isn't using its server certificate when establishing a connection to server B?

    I would like to hear if I am wrong in my assumptions and/or if anyone has any suggestions other than using a client certificate.

    P.S. A solution could be that B could call back to A over SSL and ask if A just posed a question, but that's rather involved and I'd like to avoid such a step.



  • What you are talking about is called authentication: A needs to prove that it is really A.

    One of the authentication methods can be authentication based on a client certificate (when A wants to use some service of B, then we say that A is a client of B).

    Another method, much simpler, can be the usual user/password authentication. The services that B provides should require authentication. All possible clients should be known to B, e.g. should be contained in some registry or database on B, so that B can check if a particular user is known and that the password is valid.

    If there are more clients that can call services of B, every client should get its own user/password.

    Thus, when B receives some request, it checks the credentials and, if the check was successful, executes the requested operation, otherwise returns some error.
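A minimal sketch of the per-client user/password registry the answer describes, added here as an example and not taken from the original thread: B keeps a salted hash per calling server, checks the credentials on every request, and rejects anything else. The client ids, passwords and header contents are constructed for the example.

```python
# Added example (not from the original post): server B's per-client credential
# registry and the check it runs on each incoming request. Only meaningful
# over the TLS connection, since HTTP Basic is base64, not encryption.
import base64
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000


def make_record(password: str) -> dict:
    """Store only a per-client salt and a PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


# Registry on B: every calling server gets its own credentials (constructed values).
REGISTRY = {
    "server-a": make_record("correct horse battery staple"),
    "server-d": make_record("another-long-random-secret"),
}

# Dummy record so an unknown user name costs the same time as a known one.
_DUMMY = make_record("dummy")


def verify_client(client_id: str, password: str) -> bool:
    record = REGISTRY.get(client_id, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    # compare_digest avoids leaking how many bytes of the hash matched.
    return client_id in REGISTRY and hmac.compare_digest(candidate, record["hash"])


def basic_header(client_id: str, password: str) -> dict:
    """What the calling server (A) attaches to its request."""
    token = base64.b64encode(f"{client_id}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def authenticate_request(headers: dict) -> Optional[str]:
    """Return the authenticated client id for an HTTP Basic header, else None."""
    scheme, _, encoded = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        client_id, _, password = base64.b64decode(encoded, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return None
    return client_id if verify_client(client_id, password) else None
```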


