Re: [jetty-users] Choose Certificate dialog

I use a similar setup and noticed that it is important that the keystore contains at least one certificate the user owns. Otherwise the browser (Firefox) never offers me the client-selection box.
The reason for this is that the server advertises a list of "certificate names" it will accept; if none in the list matches any certificate on the client side, the browser seems to decide that it can't fulfill the request.

Have you tried with needClientAuth = true?

Besides this, it is very helpful to enable SSL debug in the JVM to see what might go wrong.

On 23.03.2015 11:20, Espen Schulstad wrote:
Hi, I have configured my app to be secured by X.509 certificates, but can't get the "choose certificate" prompt to be shown in the browser. This works out of the box in Tomcat.

In Tomcat the configuration looks like this:

    <Connector port="8081" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="want" sslProtocol="TLS"
               keystoreFile="keystore"
               keystorePass="password" />


When going to the port I am prompted with an SSL renegotiation (asking what certificate I want to use).

Configuring the same thing in Jetty

    <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="KeyStorePath">
            <Property name="jetty.keystore" default="keystore"/>
        </Set>
        <Set name="KeyStorePassword">
            <Property name="jetty.keystore.password" default="password"/>
        </Set>
        <Set name="NeedClientAuth">
            <Property name="jetty.ssl.needClientAuth" default="false"/>
        </Set>
        <Set name="WantClientAuth">
            <Property name="jetty.ssl.wantClientAuth" default="true"/>
        </Set>
        <Set name="EndpointIdentificationAlgorithm"/>

        <Set name="ExcludeCipherSuites">
            <Array type="String">
                <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
            </Array>
        </Set>

        <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
            <Arg>
                <Ref refid="httpConfig"/>
            </Arg>
            <Call name="addCustomizer">
                <Arg>
                    <New class="org.eclipse.jetty.server.SecureRequestCustomizer"/>
                </Arg>
            </Call>
        </New>
    </New>


gives me a 403.


Please help me, Obi-wan-Kenobi, or else I'll have to use the tomcat solution.

Regards, Espen
_______________________________________________ jetty-users mailing list jetty-users@xxxxxxxxxxx To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
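The same setup in embedded Jetty, as an added example that is not from the thread or the Jetty project: it makes the point of the reply explicit, since the CA names a JSSE server sends in its TLS CertificateRequest come from the trust store (Jetty falls back to the keystore when none is configured), so the browser only shows the certificate dialog when the user's issuer is among them. The trust store path, port and handler are assumptions; the handler answers 403 itself when the optional client certificate was not presented, so the cause of that status is visible.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.*;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class ClientCertServer {
    public static void main(String[] args) throws Exception {
        Server server = new Server();

        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath("keystore");          // server identity, as in the posted config
        ssl.setKeyStorePassword("password");
        // The issuer names advertised to the browser are taken from this trust store;
        // it must contain the CA that issued the users' certificates (path is hypothetical).
        ssl.setTrustStorePath("truststore.jks");
        ssl.setTrustStorePassword("password");
        ssl.setWantClientAuth(true);   // request a certificate but complete the handshake without one
        ssl.setNeedClientAuth(false);  // true would fail the handshake instead of reaching the handler

        HttpConfiguration https = new HttpConfiguration();
        https.setSecureScheme("https");
        https.setSecurePort(8443);
        https.addCustomizer(new SecureRequestCustomizer()); // exposes the peer chain as a request attribute

        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory(https));
        connector.setPort(8443);
        server.addConnector(connector);

        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest, HttpServletRequest request,
                               HttpServletResponse response) throws IOException {
                // null when the client sent no certificate (possible with want, not with need)
                X509Certificate[] chain =
                        (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
                baseRequest.setHandled(true);
                if (chain == null || chain.length == 0) {
                    response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
                    return;
                }
                response.setContentType("text/plain");
                response.getWriter().println("hello " + chain[0].getSubjectX500Principal().getName());
            }
        });
        server.start();
        server.join();
    }
}
```

With `-Djavax.net.debug=ssl:handshake` on the JVM, as the reply suggests, the server-side log shows the CertificateRequest and the issuer names it carries, so a missing CA is visible directly.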
