Re: [jetty-users] Propagating SSL errors to the application

I can't log in to file the bug? 
On Mar 14, 2013, at 6:19 PM, Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:

That does help.

It would be wise to file a bug asking for the ability to use SSL renegotiation to allow application logic to provide a custom HTTP response.


--
Joakim Erdfelt <joakim@xxxxxxxxxxx>
Developer advice, services and support
from the Jetty & CometD experts


On Thu, Mar 14, 2013 at 10:16 AM, Juan Calero <j.calero@xxxxxxxxxxxxx> wrote:
I resolved that in Tomcat by changing the SSL renegotiation handshake option from Required to Optional. Unfortunately, this was not an option or parameter, so I had to override some classes involved in SSL renegotiation.
This way, if the client didn't have any certificate (or he cancelled certificate selection) I still could get the request and control that case (redirecting to a custom page, etc.)

I tried something similar in Jetty 9, but AFAIK SSL renegotiation is not implemented.
I tried adding a new SSL handshake in ClientCertAuthenticator and it works (calling SSLEngine.setWantClientAuth(true) and SSLEngine.beginHandshake), but the renegotiation is not working right and fails half of the times. I explained it here:
http://dev.eclipse.org/mhonarc/lists/jetty-users/msg03093.html

Hope it helps.

On 14/03/2013 17:53, Joakim Erdfelt wrote:
That would be a bit tough...

As you need to establish a proper SSL connection in order to even talk HTTP.
If the SSL connection fails, there's no HTTP exchange, hence no way to respond.

--
Joakim Erdfelt <joakim@xxxxxxxxxxx>


On Thu, Mar 14, 2013 at 9:49 AM, Maarten Koopmans <maarten@xxxxxxxxxxxx> wrote:

    Hi,

    I have a SSL-protected application (client certificates) in Jetty
    8, where I do some custom logic with client certificates from the
    application layer.

    Is there a way to propagate and catch the errors like SSL
    handshakes etc. to the application/war, so I can provide
    user-friendly feedback to my end users?

    A typical error case:
    1- REST client tries to connect with client certificate
    2- SSL error, say we don't have the CA in our trust chain
    3- blurb follows

    I'd like to catch 2 so I can "massage" 3. Is there a way to write
    a filter/handler/whatnot/... to do this?

    Any thoughts, pointers or feedback greatly appreciated!

    Thanks,

    Maarten



    _______________________________________________
    jetty-users mailing list
    jetty-users@xxxxxxxxxxx
    https://dev.eclipse.org/mailman/listinfo/jetty-users





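The "optional client auth, then handle the missing certificate in the application" approach that Juan describes for Tomcat, written here as an added example for embedded Jetty 9 (this is not code from the thread, from Jetty's documentation or from either poster); keystore paths, passwords, the port and the help URL are placeholders. It relies on the Jetty 9 `SslContextFactory.setWantClientAuth` setting and the servlet-spec request attribute `javax.servlet.request.X509Certificate`, which Jetty populates only when a `SecureRequestCustomizer` is configured.

```java
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.cert.X509Certificate;

public class OptionalClientCertServer {
    public static void main(String[] args) throws Exception {
        Server server = new Server();
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath("/path/to/keystore.jks");       // placeholder: server key and certificate
        ssl.setKeyStorePassword("changeit");                // placeholder
        ssl.setTrustStorePath("/path/to/truststore.jks");   // placeholder: CAs allowed to issue client certs
        // "want" rather than "need" (need defaults to false): a client that presents no
        // certificate still completes the handshake, so the request reaches the application.
        ssl.setWantClientAuth(true);
        // SecureRequestCustomizer exposes the validated chain as a request attribute.
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer());
        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"), new HttpConnectionFactory(httpsConfig));
        https.setPort(8443);                                // placeholder
        server.addConnector(https);
        server.setHandler(new AbstractHandler() {
            public void handle(String target, Request baseRequest, HttpServletRequest req,
                               HttpServletResponse resp) throws IOException {
                baseRequest.setHandled(true);
                X509Certificate[] chain =
                        (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
                if (chain == null || chain.length == 0) {
                    // The "no certificate / selection cancelled" case, answered in HTTP instead of a TLS alert.
                    resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
                    resp.getWriter().println("No client certificate was presented; see /help/certificates");
                    return;
                }
                resp.getWriter().println("Hello " + chain[0].getSubjectX500Principal().getName());
            }
        });
        server.start();
    }
}
```

Only the absent-certificate case reaches the handler this way; a certificate the trust store rejects (Maarten's step 2) still fails the TLS handshake before any HTTP exchange, which is exactly the limit Joakim describes.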
