Description
This PR adds support for mTLS by changing two things:

- `ca` and `requestCert: true` parameters for the server when in use.
- `event.identity.clientCert` object when new requests come in.

Both of these behaviours only activate if you have a `httpsProtocol` directory configured in the serverless offline config, and have put a `ca.pem` file in it alongside the `key.pem` and `cert.pem` files.

Motivation and Context
We use mTLS in our environment with API Gateway and want a way to test this locally. Serverless Offline doesn't currently support mTLS (#1730), so we figured it'd be nice to add support for it so we can use Serverless Offline to more fully emulate our AWS setup.
How Has This Been Tested?
You'll need to create some files to test this.

Creating a Certificate Authority (CA)

The CA private key (`ca.key`):

```console
$ openssl genrsa -out ca.key 4096
```

The CA certificate (`ca.pem`):

Creating a Certificate for the Server

The server private key (`key.pem`):

```console
$ openssl genrsa -out key.pem 4096
```

The server certificate signing request (`server.csr`):

The server certificate (`cert.pem`):

Creating a Certificate for the Client

The client private key (`client.key`):

```console
$ openssl genrsa -out client.key 4096
```

The client certificate signing request (`client.csr`):

The client certificate (`client.pem`):

Now you should have the following files:

Create a Node JS client passing the `ca.pem`, `client.key` and `client.pem` parameters as follows:

Screenshots (if appropriate):
This results in the following event being sent to the handler:
I've also tested without the `ca.pem` file in the directory to make sure nothing breaks / changes, and it worked fine for me.