Hi Alaska,
your client certificate doesn't work for me either. Here is the one I
created the first time, which works for me.
Thanks.
WBR,
Alexey.
On Aug 28, 2009, at 13:16 , Alaska wrote:
>
> hello Alexey,
>
> the client certificate is stored in the browser and I replaced my SSLFilter
> with the SSLReadFilter, but unfortunately it didn't solve the problem.
>
> the output on the console is:
> run:
> truststore file has been set
> keystoreUrl file has been set
> Aug 28, 2009 12:49:30 PM com.sun.grizzly.Controller start
> INFO: Starting Grizzly Framework 1.9.18-M1 - Fri Aug 28 12:49:30 CEST 2009
>
> I also generated a CA, a server and a client certificate and stored the CA
> and the client certificate in the browser, but it doesn't help... I still
> have the same problem.
>
> In attachment you can find:
> 1. The code with approach you suggested for testing.
> 2. the code with ca, server and client cert.
>
> thank you,
>
> alaska
>
> http://www.nabble.com/file/p25188152/GrizzlySSL1.zip GrizzlySSL1.zip
> http://www.nabble.com/file/p25188152/GrizzlySSL2.zip GrizzlySSL2.zip
>
>
> Oleksiy Stashok wrote:
>>
>> Hi,
>>> the code is in the attachment.
>>> It is working without the client authentication (so if
>>> SSLReadFilter.setNeedClientAuth(false) is set), but I'd like to have the
>>> client's Principal.
>>>
>> Ok, I've just tested the sources; it seems that SSLReadFilter, in your
>> case, fails because it cannot retrieve the peer certificate chain from
>> your browser (probably you don't have any).
>> So the handshake process fails. And if you use your own SSLFilter, you just
>> ignore the fact that the handshake failed and try to deal with an invalid
>> SSLEngine.
>>
>> The quick solution here would be to add a client certificate to the
>> browser, for example in Firefox [1].
>> For testing purposes you can import the existing serverkey.jks certificate
>> into Firefox, but first you need to convert it to PKCS12 format [2].
>>
>> Once you have imported the certificate [1], run the test and access
>> https://localhost:1080
>> - the browser will ask you to provide a valid certificate; just choose the
>> one you just imported - it should work.
>>
>> So, basically I think SSLFilter is not required, SSLReadFilter is
>> enough.
>>
>> Thanks.
>>
>> WBR,
>> Alexey.
>>
>>
>> [1] Preferences->Advanced->Encryption->View Certificates->Your certificates->Import
>> [2] keytool -importkeystore -srckeystore ./serverkey.jks -destkeystore truststore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass 123456 -deststorepass 123456 -srcalias testssl -destalias testssl
>>
>>> thank you,
>>> alaska
>>>
>>> http://www.nabble.com/file/p25133655/GrizzlySSL-clientAuth.zip
>>> GrizzlySSL-clientAuth.zip
>>>
>>>
>>>
>>>
>>> Oleksiy Stashok wrote:
>>>>
>>>> Hi,
>>>>
>>>> can you pls. send the sources, I'll try to reproduce the issue and
>>>> see
>>>> if I can help there.
>>>>
>>>> Thanks.
>>>>
>>>> WBR,
>>>> Alexey.
>>>>
>>>> On Aug 25, 2009, at 12:30 , Alaska wrote:
>>>>
>>>>>
>>>>> Hello!
>>>>>
>>>>> My goal is to implement an SSL layer that is able to get the client
>>>>> authentication.
>>>>> The client certificate is stored in the browser.
>>>>>
>>>>> Do you have any ideas why it is not working?
>>>>>
>>>>> I get the following error message:
>>>>>
>>>>>
>>>>> Aug 25, 2009 12:20:11 PM com.sun.grizzly.Controller start
>>>>> INFO: Starting Grizzly Framework 1.9.18-M1 - Tue Aug 25 12:20:11 CEST 2009
>>>>> SSLFilter isNeedClientAuth true
>>>>> Aug 25, 2009 12:20:17 PM com.sun.grizzly.DefaultProtocolChain executeProtocolFilter
>>>>> SEVERE: ProtocolChain exception
>>>>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>>> at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
>>>>>
>>>>> thank you,
>>>>> alaska
>>>>> ++++++++++++++++++++++++++++
>>>>>
>>>>> the SSLReadFilter is doing:
>>>>>
>>>>>
>>>>> import java.io.IOException;
>>>>> import java.nio.channels.SelectionKey;
>>>>> import java.security.Principal;
>>>>> import java.security.cert.X509Certificate;
>>>>> import java.util.logging.Logger;
>>>>> import javax.net.ssl.SSLEngine;
>>>>> import javax.net.ssl.SSLSession;
>>>>> import com.sun.grizzly.Context;                // Grizzly 1.9 packages
>>>>> import com.sun.grizzly.filter.SSLReadFilter;
>>>>> import com.sun.grizzly.util.WorkerThread;
>>>>>
>>>>> public class SSLFilter extends SSLReadFilter {
>>>>>
>>>>>     public static Logger logger = Logger.getLogger(SSLFilter.class.getName());
>>>>>
>>>>>     public SSLFilter() {
>>>>>         super();
>>>>>     }
>>>>>
>>>>>     private static void say(String msg) {
>>>>>         logger.info(msg);
>>>>>     }
>>>>>
>>>>>     @Override
>>>>>     public boolean execute(Context context) throws IOException {
>>>>>         // server side, and the client must present a certificate
>>>>>         this.setClientMode(false);
>>>>>         this.setNeedClientAuth(true);
>>>>>
>>>>>         super.execute(context);
>>>>>
>>>>>         say("isNeedClientAuth " + this.isNeedClientAuth());
>>>>>
>>>>>         WorkerThread workerThread = (WorkerThread) Thread.currentThread();
>>>>>         SelectionKey selectionKey = context.getSelectionKey();
>>>>>         SSLEngine sslEngine = workerThread.getSSLEngine();
>>>>>         SSLSession session = sslEngine.getSession();
>>>>>
>>>>>         say("sslengine host " + sslEngine.getPeerHost());
>>>>>         say("port " + sslEngine.getPeerPort());
>>>>>         say("need auth? " + sslEngine.getNeedClientAuth());
>>>>>
>>>>>         // this is the call that throws SSLPeerUnverifiedException above
>>>>>         X509Certificate[] cert = (X509Certificate[]) session.getPeerCertificates();
>>>>>
>>>>>         // the client identity I want to get hold of
>>>>>         Principal subject = cert[0].getSubjectDN();
>>>>>
>>>>>         return true;
>>>>>     }
>>>>>
>>>>>     @Override
>>>>>     public boolean postExecute(Context context) throws IOException {
>>>>>         // ...
>>>>>         return super.postExecute(context);
>>>>>     }
>>>>> }
>>>>> --
>>>>> View this message in context:
>>>>> http://www.nabble.com/Client-authentication-via-SSL-tp25131956p25131956.html
>>>>> Sent from the Grizzly - Users mailing list archive at Nabble.com.
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe_at_grizzly.dev.java.net
>>>>> For additional commands, e-mail: users-help_at_grizzly.dev.java.net
>>>>>
>>>>
>>>
>>>
>>
>
>
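Added example, written for this page and not taken from the thread or from the Grizzly project: a filter in the shape of Alaska's SSLFilter that configures client authentication once in the constructor instead of on every execute(), checks that the handshake has actually finished before touching the session, and treats a missing or unverifiable peer certificate as a failed authentication instead of an uncaught SSLPeerUnverifiedException. The Grizzly package names (com.sun.grizzly.Context, com.sun.grizzly.filter.SSLReadFilter, com.sun.grizzly.util.WorkerThread), the use of Context.setAttribute to hand the identity to later filters, and the attribute key CLIENT_PRINCIPAL are assumptions; the rest is standard JSSE.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

import com.sun.grizzly.Context;               // assumed package (Grizzly 1.9)
import com.sun.grizzly.filter.SSLReadFilter;  // assumed package (Grizzly 1.9)
import com.sun.grizzly.util.WorkerThread;     // assumed package (Grizzly 1.9)

public class ClientAuthFilter extends SSLReadFilter {

    private static final Logger logger = Logger.getLogger(ClientAuthFilter.class.getName());

    /** Hypothetical attribute key under which the verified client identity is published. */
    public static final String CLIENT_PRINCIPAL = "client.principal";

    public ClientAuthFilter() {
        super();
        // Configure once, up front: the SSLEngine for a connection is created
        // from these settings, so flipping them inside execute() on every read
        // is at best redundant and at worst too late for that connection.
        setClientMode(false);
        setNeedClientAuth(true); // no client certificate => handshake fails
    }

    @Override
    public boolean execute(Context context) throws IOException {
        boolean invokeNext = super.execute(context);

        WorkerThread workerThread = (WorkerThread) Thread.currentThread();
        SSLEngine engine = workerThread.getSSLEngine();
        if (engine == null) {
            return invokeNext;
        }

        // While the handshake is still in progress the session has no peer data.
        // Asking for certificates here is exactly what produced
        // "SSLPeerUnverifiedException: peer not authenticated" in the thread.
        if (engine.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) {
            return invokeNext;
        }

        Principal client = clientPrincipal(engine.getSession());
        if (client == null) {
            // With needClientAuth the handshake itself should already have failed;
            // this branch is the safety net (and the normal path if wantClientAuth
            // were used instead). Returning false stops the protocol chain here.
            logger.warning("TLS connection without a verified client certificate, not continuing");
            return false;
        }

        context.setAttribute(CLIENT_PRINCIPAL, client); // assumed Context API
        logger.log(Level.FINE, "authenticated client {0}", client.getName());
        return invokeNext;
    }

    /**
     * Returns the client identity from a completed TLS session, or null when the
     * peer sent no certificate chain or the chain did not verify. Pure JSSE.
     */
    static Principal clientPrincipal(SSLSession session) {
        if (session == null || !session.isValid()) {
            return null;
        }
        try {
            // getPeerPrincipal() avoids the unchecked X509Certificate[] cast.
            Principal principal = session.getPeerPrincipal();

            // The leaf certificate is only needed for extra checks/logging.
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length > 0 && chain[0] instanceof X509Certificate) {
                X509Certificate leaf = (X509Certificate) chain[0];
                // The trust manager normally rejects expired certificates during
                // the handshake; re-checking here is cheap defence in depth.
                leaf.checkValidity();
                logger.log(Level.FINE, "client certificate serial {0}", leaf.getSerialNumber());
            }
            return principal;
        } catch (SSLPeerUnverifiedException e) {
            // No certificate presented, or it did not chain to the trust store.
            return null;
        } catch (CertificateException e) {
            // Leaf outside its validity period.
            return null;
        }
    }
}
```

The same null-check structure covers the "optional client certificate" case: if the filter exposes a setWantClientAuth(true) switch (present on SSLEngine; assumed to be mirrored by SSLReadFilter), the handshake succeeds for anonymous clients and clientPrincipal() simply returns null for them, so the decision to reject or to continue as an anonymous client sits in one place in execute().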