Using mTLS to connect to S3 using Java or .NET AWS S3 SDK

Johan Sydseter · Sep 13, 2019 · 3 min read

Here is how you set up an mTLS connection to MinIO S3 using a TLS client certificate.

Even though AWS S3 doesn't support mTLS out of the box, you can still set up client certificate authentication when connecting to S3 over TLS if you have such a security requirement. If you use AWS S3 you will need to block public access to your account to make sure external client applications can only reach your S3 accounts over certain IPs. For this example I will use MinIO S3, a popular open-source object storage that is compatible with AWS S3. I will also use Nginx as an edge proxy to terminate the mTLS connection, but you can use HAProxy or Envoy as well if you prefer them or have the know-how. You can also set up Nginx as an mTLS sidecar proxy if that pattern fits you better. The concept should be transferable.

If you are like me and just want to skip right to the code, grab my Java code or .NET code on GitHub and have a look.

First of all, why would you want to do this? The reason to use mTLS is that it allows much stronger security than any other authentication mechanism can provide. A TLS client certificate is the only measure that fully guarantees confidentiality and integrity according to the CIA triad. mTLS therefore allows you to transfer highly sensitive information over an insecure network connection. (see figure)

To generate your own certificates and private keys you can follow the “Client-side certificate authentication with nginx” guide. To create your Java identity and trust store you can follow the “Java mutual SSL authentication / 2-way SSL authentication” guide. If you don't want to bother with that and are only interested in the Java code, just look at my code example and use my generated certificates and trust stores for your testing.

The first thing we will do is install MinIO S3. Just head over to the “MinIO Quickstart Guide” and you should be up and running within 5 minutes. Then follow the “Dev Dungeon — Nginx Tutorial” guide and install nginx.

Git clone my aws-s3-mtls-nginx-mini repository if you are interested in the Java solution.

Git clone my aws-s3-mtls-nginx-minio-net repository if you are interested in the .NET solution.

Follow the instructions under “Setup NginX as a mTLS proxy”. Change the Nginx MinIO config file so that it reflects the location of the certificates and the certificate chain CA file that you find under my generated certificates and trust stores, or generate your own using the tutorials above. Once you have all that set up you should be able to run the mTLS JUnit tests that I have written.
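To make concrete what the proxy has to do, here is an added example of an Nginx server block that terminates mTLS in front of MinIO. It is not the config file from the repository; the certificate paths, the server name and the MinIO address are placeholders you replace with your own, and the CA file referenced by `ssl_client_certificate` is the chain file mentioned above.

```nginx
server {
    listen 443 ssl;
    server_name minio.example.test;   # placeholder: the name in the server certificate

    # Server identity presented to the client (the "server" half of mutual TLS).
    ssl_certificate     /etc/nginx/certs/server.crt;        # placeholder path
    ssl_certificate_key /etc/nginx/certs/server.key;        # placeholder path

    # CA chain used to verify the client certificate (the "client" half).
    # ssl_verify_client on is the line that turns TLS into mTLS: a handshake
    # without a certificate signed by this chain is rejected before any
    # request reaches MinIO.
    ssl_client_certificate /etc/nginx/certs/ca-chain.crt;   # placeholder path
    ssl_verify_client on;
    ssl_verify_depth 2;

    ssl_protocols TLSv1.2 TLSv1.3;

    # Settings MinIO needs behind a proxy: uploads can be large and S3 headers
    # such as x-amz-* contain characters nginx drops by default.
    client_max_body_size 0;
    ignore_invalid_headers off;
    proxy_buffering off;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Pass the verified client subject on so MinIO access logs can be
        # correlated with the certificate that was presented.
        proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn;

        proxy_connect_timeout 300;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;

        # MinIO itself listens on plain HTTP on localhost; only nginx is exposed.
        proxy_pass http://127.0.0.1:9000;   # placeholder: your MinIO address
    }
}
```

After reloading nginx, the check worth doing before trusting the setup is negative: a request to the listener that presents no client certificate (for example `curl --cacert ca-chain.crt https://minio.example.test/`) must come back as a 400 from nginx rather than an S3 response, and only a request carrying the client certificate and key should reach MinIO.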

What the Java code does is basically these lines of code:
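The shape of that Java code, as an added example rather than the author's own source from the repository: it assumes the AWS SDK for Java v1 (`com.amazonaws:aws-java-sdk-s3`, which uses Apache HttpClient underneath and therefore accepts a custom `SSLConnectionSocketFactory`), a JKS identity store holding the client certificate and key, a JKS trust store holding the CA chain that signed the nginx server certificate, and placeholder store paths, passwords and endpoint. The MinIO credentials shown are the MinIO defaults and are placeholders too.

```java
import java.io.File;
import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.ssl.SSLContexts;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;

public class MtlsS3Client {

    // Placeholder paths and passwords: point these at the identity and trust
    // store you built with keytool following the 2-way SSL guide.
    private static final File IDENTITY_STORE = new File("client-identity.jks");
    private static final File TRUST_STORE = new File("client-truststore.jks");
    private static final char[] STORE_PASSWORD = "changeit".toCharArray();

    public static AmazonS3 buildClient(String endpoint, String accessKey, String secretKey)
            throws Exception {
        // Key material: the client certificate and private key nginx will verify.
        // Trust material: the CA chain behind nginx's server certificate, so the
        // client authenticates the proxy as well (the "mutual" half of mTLS).
        SSLContext sslContext = SSLContexts.custom()
                .loadKeyMaterial(IDENTITY_STORE, STORE_PASSWORD, STORE_PASSWORD)
                .loadTrustMaterial(TRUST_STORE, STORE_PASSWORD)
                .build();

        // Keep hostname verification on. Turning it off would let any holder of
        // a certificate from the trusted CA impersonate the proxy.
        SSLConnectionSocketFactory socketFactory =
                new SSLConnectionSocketFactory(sslContext, new DefaultHostnameVerifier());

        // Hand the factory to the SDK instead of setting the javax.net.ssl.*
        // system properties, so the key material is scoped to this client only.
        ClientConfiguration config = new ClientConfiguration();
        config.getApacheHttpClientConfig().setSslSocketFactory(socketFactory);

        return AmazonS3ClientBuilder.standard()
                .withClientConfiguration(config)
                // The endpoint is the nginx mTLS listener, never MinIO's port 9000 directly.
                .withEndpointConfiguration(
                        new AwsClientBuilder.EndpointConfiguration(endpoint, "us-east-1"))
                // MinIO expects path-style URLs (https://host/bucket/key).
                .withPathStyleAccessEnabled(true)
                .withCredentials(new AWSStaticCredentialsProvider(
                        new BasicAWSCredentials(accessKey, secretKey)))
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder endpoint and the MinIO default credentials.
        AmazonS3 s3 = buildClient("https://localhost:443", "minioadmin", "minioadmin");

        String bucket = "mtls-test";
        if (!s3.doesBucketExistV2(bucket)) {
            s3.createBucket(bucket);
        }
        s3.putObject(bucket, "hello.txt", "hello over mTLS");
        System.out.println(s3.getObjectAsString(bucket, "hello.txt"));
    }
}
```

The part that is easy to get wrong is the trust store: it must contain the CA that issued the nginx server certificate, not the client certificate itself, otherwise the handshake fails on the client side before nginx ever evaluates the client certificate. If the same client is built without `loadKeyMaterial`, the request should fail with a TLS-level or HTTP 400 error from nginx; that failure is the evidence that `ssl_verify_client on` is actually enforced.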

What the .NET code does is basically these lines of code:


Co-leader for OWASP Cornucopia and co-creator of Cornucopia Mobile App Edition, an application security engineer, developer, architect and DevOps practitioner.