[jetty-users] How to configure client certificate for mutual SSL auth with Jetty?

Hi, I am new to Jetty. I was able to get SSL to work with Jetty (9.2.5.v20141112). However, if I enable client-auth, I always get the following error on the client side:

Caused by: java.io.EOFException: HttpConnectionOverHTTP@75cc9008(l:/127.0.0.1:58655 <-> r:localhost/127.0.0.1:8443
        at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.earlyEOF(HttpReceiverOverHTTP.java:267) 
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:1312) 
        at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.shutdown(HttpReceiverOverHTTP.java:170) 
        ... 
To enable client-auth, I did the following on the server side:
        sslContextFactory.setNeedClientAuth(true); 
And here is my client-side code: 
        import java.io.BufferedReader; 
        import java.io.InputStream; 
        import java.io.InputStreamReader; 
        import java.nio.ByteBuffer; 
        import java.security.SecureRandom; 
        import java.util.concurrent.TimeUnit; 
        import javax.net.ssl.SSLContext; 
        import javax.net.ssl.SSLEngine; 
        import javax.net.ssl.TrustManager; 
        import org.eclipse.jetty.client.HttpClient; 
        import org.eclipse.jetty.client.HttpRequest; 
        import org.eclipse.jetty.client.api.Response; 
        import org.eclipse.jetty.client.util.InputStreamResponseListener; 
        import org.eclipse.jetty.util.ssl.SslContextFactory; 

        // Key store settings on the factory (placeholders in angle brackets) 
        SslContextFactory sslContextFactory = new SslContextFactory(); 
        sslContextFactory.setKeyStorePath(<store path>); 
        sslContextFactory.setNeedClientAuth(true); 
        sslContextFactory.setKeyStorePassword(<password>); 
        sslContextFactory.setCertAlias(<client alias>); 
        sslContextFactory.setEndpointIdentificationAlgorithm("HTTPS"); 

        // Separate SSLContext: no KeyManagers, trust-all TrustManager 
        // (TrustAllX509TrustManager is the poster's own class, not shown) 
        SSLContext context = SSLContext.getInstance("TLS"); 
        context.init(null, new TrustManager[] { new TrustAllX509TrustManager() }, new SecureRandom()); 
        // This SSLEngine is configured but not used by anything below 
        SSLEngine engine = context.createSSLEngine(); 
        engine.setNeedClientAuth(sslContextFactory.getNeedClientAuth()); 
        engine.setEnabledCipherSuites(engine.getSupportedCipherSuites()); 
        engine.setEnabledProtocols(engine.getSupportedProtocols()); 

        // Hand the externally built SSLContext to the factory 
        sslContextFactory.setSslContext(context); 
        sslContextFactory.setEndpointIdentificationAlgorithm(null); 

        HttpClient httpClient = new HttpClient(sslContextFactory); 
        httpClient.setMaxConnectionsPerDestination(2); 
        httpClient.setMaxRequestsQueuedPerDestination(2); 
        httpClient.setIdleTimeout(180000); 
        httpClient.start(); 

        InputStreamResponseListener listener = new InputStreamResponseListener(102400) 
        { 
            @Override 
            public void onContent(Response response, ByteBuffer content) 
            { 
                // ignore empty blocks 
                if (content.remaining() == 0) { 
                    return; 
                } 
                super.onContent(response, content); 
            } 
        }; 

        HttpRequest jettyRequest = (HttpRequest) httpClient.newRequest("https://localhost:8443/test1"); 
        jettyRequest.method("GET"); 
        jettyRequest.send(listener); 

        // Wait for the response headers, then stream the body 
        Response response = listener.get(httpClient.getIdleTimeout(), TimeUnit.MILLISECONDS); 
        int status = response.getStatus(); 
        System.out.println(String.format("Got response status: %d", status)); 
        InputStream inputStream = listener.getInputStream(); 

        // Process the response 
        BufferedReader reader; 
        String line = null; 
        reader = new BufferedReader( new InputStreamReader( inputStream ) ); 
        while( ( line = reader.readLine() ) != null ) 
        { 
            System.out.println( line ); 
        } 

        inputStream.close(); 

If I replace setNeedClientAuth with setWantClientAuth, I do not see the client cert on the server side. What have I done wrong here, please? Thanks!
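Not part of the original post: an added example (mine, not the poster's or the Jetty project's) of configuring mutual TLS on both sides with Jetty 9.2's SslContextFactory alone, letting the factory load the client key store and a CA trust store instead of installing a hand-built SSLContext with a trust-all manager. The factory only builds its own SSLContext, including the key manager that presents the client certificate, when none has been supplied via setSslContext(). Store paths, passwords, the alias "client" and the /test1 URL are assumed placeholders.

```java
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.api.ContentResponse;
import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class MutualTlsExample {
    // Placeholder store locations and passwords (assumed, not from the post).
    static final String TRUST_STORE = "/path/to/truststore.jks"; // CA certificates only
    static final String STORE_PASSWORD = "changeit";

    // Client side: key store = client cert + private key; trust store = CA of the server cert.
    static SslContextFactory clientSslContextFactory(String clientKeyStore, String certAlias) {
        SslContextFactory factory = new SslContextFactory();
        factory.setKeyStorePath(clientKeyStore);
        factory.setKeyStorePassword(STORE_PASSWORD);
        factory.setKeyManagerPassword(STORE_PASSWORD); // private key password, if it differs
        factory.setCertAlias(certAlias);
        factory.setTrustStorePath(TRUST_STORE);
        factory.setTrustStorePassword(STORE_PASSWORD);
        factory.setEndpointIdentificationAlgorithm("HTTPS"); // server cert must match host name
        // No setSslContext() here: the factory builds its own SSLContext from the stores
        // above, so the key manager that presents the client certificate is installed.
        return factory;
    }

    // Server side: require a client certificate that chains to a CA in the trust store.
    static SslContextFactory serverSslContextFactory(String serverKeyStore) {
        SslContextFactory factory = new SslContextFactory();
        factory.setKeyStorePath(serverKeyStore);
        factory.setKeyStorePassword(STORE_PASSWORD);
        factory.setTrustStorePath(TRUST_STORE);
        factory.setTrustStorePassword(STORE_PASSWORD);
        factory.setNeedClientAuth(true);
        return factory;
    }

    public static void main(String[] args) throws Exception {
        HttpClient httpClient = new HttpClient(clientSslContextFactory("/path/to/client.jks", "client"));
        httpClient.start();
        try {
            ContentResponse response = httpClient.newRequest("https://localhost:8443/test1")
                    .method(HttpMethod.GET).send();
            System.out.println("Got response status: " + response.getStatus());
            System.out.println(response.getContentAsString());
        } finally {
            httpClient.stop();
        }
    }
}
```

On the server, the same SslContextFactory is passed to the SslConnectionFactory of the HTTPS connector; a client that presents no certificate, or one that does not chain to the trust store, fails the handshake rather than reaching the servlet.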
