Re: [jetty-dev] Trusting all client certificates (still)

Be careful of terminology.

SslContextFactory is also used by jetty-client and websocket-client to set up their client-side (initiated) connections over SSL.
It is in those contexts that SslContextFactory.setTrustAll(true) makes sense.

With SslContextFactory being used on the server / servlet side, that configuration doesn't make much sense.

With client certificates talking to a server with its own certificates, it sounds like what you are looking for is the ability to disable the client certificate validation steps.  Not sure that exists.

If something like that existed, then not even the revocation status of the client certificate would be checked.
Not even sure how the SSL connection would establish itself, as the exchange of keys would potentially be interrupted by that sort of non-validation.

Hopefully someone with more intimate details of the Client Certificates could shed some light on this.


--
Joakim Erdfelt <joakim@xxxxxxxxxxx>
Expert advice, services and support from the Jetty & CometD experts

On Thu, Jan 29, 2015 at 8:43 AM, Pascal Mainini <pascal.mainini@xxxxxx> wrote:
Hi there

I ran into a couple of questions while trying to get (completely
arbitrary) client certificates running in Jetty (9.2.6.v20141205).

While browsing through the source, I've stumbled upon the
setTrustAll method[1] of SslContextFactory which initially looked just
like what I needed. My plan was then to use this method after creation
of the SslContextFactory used to configure a ServerConnector.
Later though, I realised that the trustAll-functionality only gets
applied when there is no Keystore and no Truststore (as stated also in
the docs, I realized...;-).

My first question then would be: what's the use case behind it? Does it at
all make sense to initialise an SslContextFactory without any
certificates, or did I get something completely wrong?

While doing further research, I've stumbled upon a message on this
mailing list[2], where someone seems to have similar troubles. However, I
couldn't find any follow-up answering his questions...?

So, my most important question would be: is there any "official" way to
set up jetty (programmatically!) to accept any client certificates in
order to be able to read them out in a servlet for instance?

As a side note: I noticed that the list of acceptable client certificate
CAs sent to the client during SSL-connection is either the server
certificate itself, if no truststore given, or the certificates from the
truststore otherwise. Giving an empty (!) truststore to Jetty
effectively sends an empty list of acceptable CA certs to the client;
however, this then ends up in an exception deep down in Java's SSL code.
Could that be a hint to problems in allowing all client certificates?

And, finally, as a second side note: I'll actually be using Jetty as
Jetty-Service within the Felix OSGi-environment, so if anyone is
familiar with the same issues in that environment, a pointer would be
highly appreciated. I'm aware that this is totally unrelated to this
mailing list, though.

Many thanks in advance and kind regards!

Pascal

[1]
http://download.eclipse.org/jetty/stable-9/xref/org/eclipse/jetty/util/ssl/SslContextFactory.html#757
[2] http://dev.eclipse.org/mhonarc/lists/jetty-users/msg03039.html

--
Bern University of Applied Sciences
Biel, Switzerland
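Added example (not part of this thread and not Jetty project code) showing the supported server-side shape that the thread circles around: a server SslContextFactory with its own key store and a trust store holding the client CA, needClientAuth enabled so the handshake validates the client chain, a SecureRequestCustomizer so the validated chain is exposed to servlets, and a servlet that reads it from the javax.servlet.request.X509Certificate attribute. The class name WhoAmIServlet, the port, and the store paths and passwords are placeholders chosen for this example; the Jetty and Servlet APIs used are those of the 9.2 line the thread discusses. setTrustAll(true) is deliberately not called, since, as the reply notes, it only applies when no key store or trust store is configured and is meant for jetty-client.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class ClientCertServer {

    /** Example servlet: reports the client certificate the TLS layer already validated. */
    public static class WhoAmIServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            // Set by SecureRequestCustomizer from the TLS session; null when no
            // client certificate was presented (only possible with wantClientAuth).
            X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
            resp.setContentType("text/plain");
            if (chain == null || chain.length == 0) {
                resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                resp.getWriter().println("no client certificate presented");
                return;
            }
            // chain[0] is the end-entity certificate; the rest is the path to a trusted CA.
            X509Certificate leaf = chain[0];
            resp.getWriter().println("subject: " + leaf.getSubjectX500Principal());
            resp.getWriter().println("issuer:  " + leaf.getIssuerX500Principal());
            resp.getWriter().println("serial:  " + leaf.getSerialNumber().toString(16));
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // Server-side SslContextFactory. The key store holds the server's own
        // certificate; the trust store holds the CA(s) whose client certificates
        // are accepted. Paths and passwords below are placeholders.
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath("/path/to/server-keystore.jks");
        ssl.setKeyStorePassword("CHANGEME");
        ssl.setTrustStorePath("/path/to/client-ca-truststore.jks");
        ssl.setTrustStorePassword("CHANGEME");
        // Require a client certificate: the handshake fails unless the presented
        // chain validates against the trust store. Use setWantClientAuth(true)
        // instead to make the certificate optional and handle its absence in the servlet.
        ssl.setNeedClientAuth(true);

        HttpConfiguration https = new HttpConfiguration();
        https.setSecureScheme("https");
        https.setSecurePort(8443);
        // Copies the validated chain into the javax.servlet.request.X509Certificate attribute.
        https.addCustomizer(new SecureRequestCustomizer());

        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(https));
        connector.setPort(8443);
        server.addConnector(connector);

        ServletContextHandler ctx = new ServletContextHandler();
        ctx.setContextPath("/");
        ctx.addServlet(WhoAmIServlet.class, "/whoami");
        server.setHandler(ctx);

        server.start();
        server.join();
    }
}
```

With this configuration the list of acceptable CAs sent in the CertificateRequest is exactly the contents of the trust store, which is the behaviour the second side note describes; an empty trust store therefore advertises no acceptable issuers, so the practical way to accept certificates from several independent issuers is to put each issuing CA into that store rather than to look for a trust-all switch on the server side.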