users@grizzly.java.net

Re: Client authentication via SSL

From: Oleksiy Stashok <Oleksiy.Stashok_at_Sun.COM>
Date: Wed, 26 Aug 2009 14:49:25 +0200

Hi,
> the code is in the attachment.
> It is working without the Client Authentication (so if
> SSLReadFilter.setNeedClientAuth(false) is set), but I'd like to have the
> client's Principal.
>
Ok, I've just tested the sources; it seems that SSLReadFilter, in your
case, fails because it cannot retrieve the peer certificate chain from
your browser (probably you don't have any).
So the handshake process fails. And if you use your own SSLFilter, you just
ignore the fact that the handshake failed and try to deal with an invalid
SSLEngine.

A quick solution here would be to add some client certificate to the
browser, for example in Firefox [1].
For testing purposes you can use the existing serverkey.jks certificate and
import it into Firefox, but first you need to convert it to PKCS12 format
[2].

Once you have imported the certificate [1], run the test and access https://localhost:1080
  - the browser will ask you to provide a valid certificate; just choose the
one you just imported - it should work.

So, basically I think SSLFilter is not required, SSLReadFilter is
enough.

Thanks.

WBR,
Alexey.


[1] Preferences->Advanced->Encryption->View Certificates->Your certificates->Import
[2] keytool -importkeystore -srckeystore ./serverkey.jks -destkeystore truststore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass 123456 -deststorepass 123456 -srcalias testssl -destalias testssl

> thank you,
> alaska
>
> http://www.nabble.com/file/p25133655/GrizzlySSL-clientAuth.zip
> GrizzlySSL-clientAuth.zip
>
>
>
>
> Oleksiy Stashok wrote:
>>
>> Hi,
>>
>> can you pls. send the sources, I'll try to reproduce the issue and
>> see
>> if I can help there.
>>
>> Thanks.
>>
>> WBR,
>> Alexey.
>>
>> On Aug 25, 2009, at 12:30 , Alaska wrote:
>>
>>>
>>> Hello!
>>>
>>> My goal is to implement the SSL Layer that is able to get the Client
>>> authentication.
>>> The client certificate is stored in the browser.
>>>
>>> Do you have any ideas why it is not working?
>>>
>>> I get the following error message:
>>>
>>>
>>> Aug 25, 2009 12:20:11 PM com.sun.grizzly.Controller start
>>> INFO: Starting Grizzly Framework 1.9.18-M1 - Tue Aug 25 12:20:11 CEST 2009
>>> SSLFilter isNeedClientAuth true
>>> Aug 25, 2009 12:20:17 PM com.sun.grizzly.DefaultProtocolChain executeProtocolFilter
>>> SEVERE: ProtocolChain exception
>>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
>>>
>>> thank you,
>>> alaska
>>> ++++++++++++++++++++++++++++
>>>
>>> the SSLReadFilter is doing:
>>>
>>>
>>> import java.io.IOException;
>>> import java.nio.channels.SelectionKey;
>>> import java.security.Principal;
>>> import java.security.cert.X509Certificate;
>>> import java.util.logging.Logger;
>>> import javax.net.ssl.SSLEngine;
>>> import javax.net.ssl.SSLSession;
>>> import com.sun.grizzly.Context;
>>> import com.sun.grizzly.filter.SSLReadFilter;
>>> import com.sun.grizzly.util.WorkerThread;
>>>
>>> public class SSLFilter extends SSLReadFilter {
>>>
>>>     public static Logger logger =
>>>             Logger.getLogger(SSLFilter.class.getName());
>>>
>>>     public SSLFilter() {
>>>         super();
>>>     }
>>>
>>>     public boolean execute(Context context) throws IOException {
>>>
>>>         SSLSession session;
>>>
>>>         this.setClientMode(false);
>>>         this.setNeedClientAuth(true);
>>>
>>>         // Return value (handshake completed or not) is ignored here
>>>         super.execute(context);
>>>
>>>         logger.info("isNeedClientAUth " + this.isNeedClientAuth());
>>>
>>>         WorkerThread workerThread = (WorkerThread) Thread.currentThread();
>>>         SelectionKey selectionKey = context.getSelectionKey();
>>>         SSLEngine sslEngine = workerThread.getSSLEngine();
>>>
>>>         session = sslEngine.getSession();
>>>
>>>         logger.info("sslengine host " + sslEngine.getPeerHost());
>>>         logger.info("port " + sslEngine.getPeerPort());
>>>         logger.info("need auth? " + sslEngine.getNeedClientAuth());
>>>
>>>         // Throws SSLPeerUnverifiedException if the client sent no chain
>>>         X509Certificate[] cert = (X509Certificate[])
>>>                 session.getPeerCertificates();
>>>
>>>         Principal subject = cert[0].getSubjectDN();
>>>
>>>         return true;
>>>     }
>>>
>>>     public boolean postExecute(Context context) throws IOException {
>>>         ...
>>>     }
>>> }
>>> --
>>> View this message in context:
>>> http://www.nabble.com/Client-authentication-via-SSL-tp25131956p25131956.html
>>> Sent from the Grizzly - Users mailing list archive at Nabble.com.
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe_at_grizzly.dev.java.net
>>> For additional commands, e-mail: users-help_at_grizzly.dev.java.net
>>>
> --
> View this message in context: http://www.nabble.com/Client-authentication-via-SSL-tp25131956p25133655.html
> Sent from the Grizzly - Users mailing list archive at Nabble.com.
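As an added example (not code from this thread or from the Grizzly project), here is a filter written the way the reply recommends: the client's Principal is read only after the handshake has completed, and the chain is stopped rather than touching a half-initialised SSLEngine when it has not. It assumes that SSLReadFilter.execute returns false while the handshake is incomplete and that Context offers setAttribute; the class name and the attribute name are my own.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import com.sun.grizzly.Context;
import com.sun.grizzly.filter.SSLReadFilter;
import com.sun.grizzly.util.WorkerThread;

// Added example, not code from the thread: reads the client's Principal only
// after the handshake has completed, and stops the chain otherwise.
public class ClientAuthFilter extends SSLReadFilter {
    private static final Logger LOGGER = Logger.getLogger(ClientAuthFilter.class.getName());
    // Context attribute under which the verified Principal is stored (our own name).
    public static final String CLIENT_PRINCIPAL = "client.principal";

    public ClientAuthFilter() {
        super();
        // Configure once here, not on every execute(): the filter must already
        // demand a client certificate when the first handshake starts.
        setClientMode(false);
        setNeedClientAuth(true);
    }

    @Override
    public boolean execute(Context context) throws IOException {
        // Assumption: the superclass returns false while the handshake is still
        // in progress or has failed; never continue with the engine in that case.
        if (!super.execute(context)) {
            return false;
        }
        SSLEngine engine = ((WorkerThread) Thread.currentThread()).getSSLEngine();
        if (engine == null || engine.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) {
            return false; // no completed TLS session yet, nothing to authenticate
        }
        Principal peer = authenticatedPeer(engine.getSession());
        if (peer == null) {
            LOGGER.warning("rejecting request: client presented no trusted certificate");
            return false;
        }
        context.setAttribute(CLIENT_PRINCIPAL, peer); // assumed Context API
        return true;
    }

    // Peer Principal, or null when the peer was never authenticated.
    static Principal authenticatedPeer(SSLSession session) {
        try {
            // Succeeds only if a chain was received and accepted by the trust manager.
            return session.getPeerPrincipal();
        } catch (SSLPeerUnverifiedException e) {
            return null;
        }
    }
}
```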