users@grizzly.java.net

Re: Client authentication via SSL

From: Alaska <bagirin_at_gmx.de>
Date: Fri, 28 Aug 2009 07:05:58 -0700 (PDT)

Hello Alexey,

it is working now!

thank you for your help,

alaska




Oleksiy Stashok wrote:
>
> Hi,
>> the code is in the attachment.
>> It is working without the Client Authentication (so if
>> SSLReadFilter.setNeedClientAuth(false) set), but I"d like to have the
>> clients Principal.
>>
> Ok, I've just tested the sources, seems that SSLReadFilter, in your
> case, fails because it can not retrieve peer certificate chain from
> your browser (probably you don't have any).
> So handshake process fails. And if you use own SSLFilter - you just
> ignore the fact, that handshake failed and try to deal with invalid
> SSLEngine.
>
> Quick solution here would be to add some client certificate to
> browser. For example in Firefox [1].
> For testing reasons you can use existing serverkey.jks certificate to
> import to Firefox, but first you need to convert it to PCKS12 format
> [2].
>
> Once you imported the certificate [1], run the test and access
> https://localhost:1080
> - browser will ask you to provide valid certificate, just chose the
> one you just imported - it should work.
>
> So, basically I think SSLFilter is not required, SSLReadFilter is
> enough.
>
> Thanks.
>
> WBR,
> Alexey.
>
>
> [1] Preferences->Advanced->Encryption->View Certificates->Your
> certificates->Import
> [2] keytool -importkeystore -srckeystore ./serverkey.jks -destkeystore
> truststore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass
> 123456 -deststorepass 123456 -srcalias testssl -destalias testssl
>
>> thank you,
>> alaska
>>
>> http://www.nabble.com/file/p25133655/GrizzlySSL-clientAuth.zip
>> GrizzlySSL-clientAuth.zip
>>
>>
>>
>>
>> Oleksiy Stashok wrote:
>>>
>>> Hi,
>>>
>>> can you pls. send the sources, I'll try to reproduce the issue and
>>> see
>>> if I can help there.
>>>
>>> Thanks.
>>>
>>> WBR,
>>> Alexey.
>>>
>>> On Aug 25, 2009, at 12:30 , Alaska wrote:
>>>
>>>>
>>>> Hello!
>>>>
>>>> My goal is to implement the SSL Layer that is able to get the Client
>>>> authentication.
>>>> The client certificate is stored in the browser.
>>>>
>>>> Do you have any ideas why it is not working?
>>>>
>>>> I get the following error message:
>>>>
>>>>
>>>> Aug 25, 2009 12:20:11 PM com.sun.grizzly.Controller start
>>>> INFO: Starting Grizzly Framework 1.9.18-M1 - Tue Aug 25 12:20:11
>>>> CEST 2009
>>>> SSLFilter isNeedClientAuth true
>>>> Aug 25, 2009 12:20:17 PM com.sun.grizzly.DefaultProtocolChain
>>>> executeProtocolFilter
>>>> SEVERE: ProtocolChain exception
>>>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>> at
>>>> com
>>>> .sun
>>>> .net
>>>> .ssl
>>>> .internal
>>>> .ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:
>>>> 352)
>>>>
>>>> thank you,
>>>> alaska
>>>> ++++++++++++++++++++++++++++
>>>>
>>>> the SSLReadFilter is doing:
>>>>
>>>>
>>>> public class SSLFilter extends SSLReadFilter {
>>>>
>>>> public static Logger logger =
>>>> Logger.getLogger(SSLFilter.class.getName());
>>>>
>>>> public SSLFilter() {
>>>> super();
>>>>
>>>> }
>>>> public boolean execute(Context context) throws IOException {
>>>>
>>>> SSLSession session;
>>>>
>>>> this.setClientMode(false);
>>>> this.setNeedClientAuth(true);
>>>>
>>>> super.execute(context);
>>>>
>>>> say("isNeedClientAUth " + this.isNeedClientAuth());
>>>>
>>>> WorkerThread workerThread = (WorkerThread)
>>>> Thread.currentThread();
>>>> SelectionKey selectionKey = context.getSelectionKey();
>>>> SSLEngine sslEngine = workerThread.getSSLEngine();
>>>>
>>>> session = sslEngine.getSession();
>>>>
>>>> say("sslengine host " + sslEngine.getPeerHost());
>>>> say("port " + sslEngine.getPeerPort());
>>>> say("need auth? " + sslEngine.getNeedClientAuth());
>>>>
>>>>
>>>> X509Certificate[] cert = (X509Certificate[])
>>>> session.getPeerCertificates();
>>>>
>>>> Principal subject = cert[0].getSubjectDN();
>>>>
>>>> return true;
>>>> }
>>>> postexecute(){
>>>> ...
>>>> }
>>>> }
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/Client-authentication-via-SSL-tp25131956p25131956.html
>>>> Sent from the Grizzly - Users mailing list archive at Nabble.com.
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe_at_grizzly.dev.java.net
>>>> For additional commands, e-mail: users-help_at_grizzly.dev.java.net
>>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe_at_grizzly.dev.java.net
>>> For additional commands, e-mail: users-help_at_grizzly.dev.java.net
>>>
>>>
>>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/Client-authentication-via-SSL-tp25131956p25133655.html
>> Sent from the Grizzly - Users mailing list archive at Nabble.com.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe_at_grizzly.dev.java.net
>> For additional commands, e-mail: users-help_at_grizzly.dev.java.net
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_grizzly.dev.java.net
> For additional commands, e-mail: users-help_at_grizzly.dev.java.net
>
>
>

-- 
View this message in context: http://www.nabble.com/Client-authentication-via-SSL-tp25131956p25190535.html
Sent from the Grizzly - Users mailing list archive at Nabble.com.