Description of problem:
Due to the fact that OpenShift terminates SSL connections at the node level and not at the gear level, SSL mutual authentication is impossible without additional user-level controls to the node-level Apache VirtualHost for a particular gear. This defect requests that these controls be re-exposed via the OSE admin console in the 'SSL Certificate' section of the administrator console. OpenShift users need the ability to set SSLVerifyClient[1] to either 'optional' or 'required' for their particular gear. Having this control will cause the Apache proxy at the node to *request* from the client its x509 certificate. This certificate will then be inserted into a custom HTTP header argument (i.e. x-forwarded-ssl-client-cert) by the OSE Apache node-level proxy. Code already exists in OpenShift[2] for the 'x-forwarded-ssl-client-cert', but it is a noop without the associated SSLVerifyClient mod_ssl directive.

[1] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient
[2] https://github.com/openshift/origin-server/blob/master/plugins/frontend/apache-mod-rewrite/httpd/frontend-mod-rewrite-https-template.erb

Version-Release number of selected component (if applicable): 1.2 and 2.0

How reproducible: always

Steps to Reproduce: SSL mutual auth is impossible without the ability to set this variable.

Expected results: SSL mutual auth is configurable per-gear.
Created a trello card for this feature (includes blocked bugs) - https://trello.com/c/m98XJLY1/140-request-and-validate-client-certificates The current way to implement this would be to install and configure the rubygem-openshift-origin-frontend-apache-vhost frontend on your nodes, which creates individual vhost confs in /var/lib/openshift/.httpd.d per gear. An administrator can then hand-edit these confs as desired, keeping in mind that they will be re-created from scratch (and thus changes lost) if the gear is moved.
I should also note that the apache-vhost frontend only covers the standard 80/443 ports - websockets ports at 8000/8443 and port-proxy ports aren't really amenable to hand-editing. So this workaround has a number of drawbacks.
*** Bug 1038857 has been marked as a duplicate of this bug. ***
*** Bug 1042924 has been marked as a duplicate of this bug. ***
Marking related bugs as duplicates. SSLVerifyDepth and SSLCACertificateFile would also need to be configurable as part of this solution.
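For reference, the node-level mod_ssl directives discussed in the description and the comment above (SSLVerifyClient, SSLVerifyDepth, SSLCACertificateFile) look like this in a per-gear vhost; this is an added illustration, not OpenShift's own frontend template, and the hostname, file paths, backend address and the RequestHeader line that forwards the certificate are assumptions.

```apache
# Added illustration of a per-gear node-level VirtualHost with client
# certificate verification enabled. Hostname, paths and the backend
# address are placeholders; the RequestHeader line is an assumption about
# how the certificate is handed to the gear, not OpenShift's template.
<VirtualHost *:443>
    ServerName app-domain.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/node.crt
    SSLCertificateKeyFile /etc/pki/tls/private/node.key

    # Trust anchor for client certificates and the maximum chain depth
    # accepted during verification.
    SSLCACertificateFile /etc/pki/tls/certs/gear-client-ca.crt
    SSLVerifyDepth       2

    # 'require' rejects clients that present no certificate chaining to the
    # CA above at the TLS handshake. 'optional' lets such clients through and
    # leaves the decision to the application, which must then treat an empty
    # or absent forwarded certificate as unauthenticated.
    SSLVerifyClient require

    # SSL_CLIENT_CERT is only populated when certificate export is enabled.
    SSLOptions +ExportCertData

    # Remove any copy of the header supplied by the client before setting our
    # own, so a caller cannot spoof an identity by sending the header itself.
    RequestHeader unset X-Forwarded-SSL-Client-Cert early
    RequestHeader set   X-Forwarded-SSL-Client-Cert "%{SSL_CLIENT_CERT}s"

    # Plain HTTP to the gear; TLS is already terminated at this vhost.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The application inside the gear still has to parse and trust the forwarded PEM only because it arrived through this proxy, which is exactly why the header must be stripped from client requests first.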
This is now possible with OpenShift Enterprise 3.0. Simply create a Route via the API and set 'passthrough' TLS. The connection will be terminated by the Pod (or Gear in 2.x terminology). Certificates can be injected into Pods through the Secrets API. https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html#passthrough-termination
*** Bug 1259223 has been marked as a duplicate of this bug. ***