[jetty-dev] Trusting all client certificates (still)

Hi there

I ran into a couple of questions while trying to get (completely
arbitrary) client certificates running in Jetty (9.2.6.v20141205).

While browsing through the source, I've stumbled upon the
setTrustAll-method[1] of SSLContextFactory which initially looked just
like what I needed. My plan was then to use this method after creation
of the SSLContextFactory used to configure a ServerConnector.
Later though, I realised that the trustAll functionality only gets
applied when there is no keystore and no truststore (as stated also in
the docs, I realized...;-).

My first question then would be: what's the use case behind it? Does it at
all make sense to initialise an SslContextFactory without any
certificates, or did I get something completely wrong?

While doing further research, I've stumbled upon a message on this
mailing list[2], where someone seems to have similar troubles. However, I
couldn't find any follow-up answering his questions...?

So, my most important question would be: is there any "official" way to
set up jetty (programmatically!) to accept any client certificates in
order to be able to read them out in a servlet for instance?

As a side note: I noticed that the list of acceptable client certificate
CAs sent to the client during SSL-connection is either the server
certificate itself, if no truststore given, or the certificates from the
truststore otherwise. Giving an empty (!) truststore to Jetty
effectively sends an empty list of acceptable CA certs to the client;
however, this then ends up in an exception deep down in Java's SSL code.
Could that be a hint to problems in allowing all client certificates?

And, finally, as a second side note: I'll actually be using Jetty as
Jetty-Service within the Felix OSGi-environment, so if anyone is
familiar with the same issues in that environment, a pointer would be
highly appreciated. I'm aware that this is totally unrelated to this
mailing list, though.

Many thanks in advance and kind regards!

Pascal

[1]
http://download.eclipse.org/jetty/stable-9/xref/org/eclipse/jetty/util/ssl/SslContextFactory.html#757
[2] http://dev.eclipse.org/mhonarc/lists/jetty-users/msg03039.html

-- 
Bern University of Applied Sciences
Biel, Switzerland
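As an added example (not code from the original post, nor from Jetty's own sources): one way to do this programmatically is to hand SslContextFactory a pre-built SSLContext whose trust manager accepts every chain, and then perform the real identity check in the servlet by pinning the presented certificate's SHA-256 fingerprint, since a trust-all TLS layer only proves possession of the matching private key. It assumes SslContextFactory#setSslContext, SecureRequestCustomizer and the javax.servlet.request.X509Certificate request attribute behave as in Jetty 9.x; the keystore path, password and fingerprint allowlist are hypothetical.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.servlet.http.HttpServletRequest;
import org.eclipse.jetty.server.*;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class AnyClientCertServer {
    // Server identity comes from an ordinary keystore (path/password are hypothetical);
    // the trust side is a TrustManager that accepts every chain, so the handshake
    // itself no longer authenticates the client beyond proof of key possession.
    static SslContextFactory acceptAnyClientCert(String ksPath, String ksPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(ksPath)) { ks.load(in, ksPass.toCharArray()); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, ksPass.toCharArray());
        TrustManager acceptAll = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            // Empty array: the CertificateRequest advertises no acceptable CAs at all
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { acceptAll }, null);
        SslContextFactory scf = new SslContextFactory();
        scf.setSslContext(ctx);       // assumption: bypasses the keystore/truststore-driven trust setup
        scf.setWantClientAuth(true);  // request a cert, but do not fail the handshake without one
        return scf;
    }

    static ServerConnector httpsConnector(Server server, SslContextFactory scf, int port) {
        HttpConfiguration https = new HttpConfiguration();
        https.addCustomizer(new SecureRequestCustomizer()); // exposes the X509Certificate request attribute
        ServerConnector c = new ServerConnector(server, scf, new HttpConnectionFactory(https));
        c.setPort(port);
        return c;
    }

    // Application-level check replacing the trust the TLS layer no longer provides:
    // accept only leaf certificates whose SHA-256 fingerprint is on an allowlist.
    static boolean presentedCertIsAllowed(HttpServletRequest req, Set<String> allowedSha256Hex) throws Exception {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) return false;   // no cert presented: deny
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return allowedSha256Hex.contains(hex.toString());
    }
}
```

Call presentedCertIsAllowed at the top of the servlet's doGet/doPost and respond 403 when it returns false; the allowlist can be replaced by any other identity check (subject, SPKI hash, enrolment lookup) that the application trusts.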

