2 Replies Latest reply on Feb 20, 2014 3:55 PM by lbonco

    Undertow TLS client authentication

    dfisher

      I've configured a security realm for my https-listener like so:

                  <security-realm name="HTTPSRealm">
                      <server-identities>
                          <ssl>
                              <keystore alias="server" path="/path/to/my.keystore" keystore-password="changeit" />
                          </ssl>
                      </server-identities>
                      <authentication>
                          <truststore path="/path/to/my.truststore" keystore-password="changeit" />
                      </authentication>
                  </security-realm>

      However, undertow always presents an empty list of certificate authorities:

      *** CertificateRequest
      Cert Types: RSA, DSS, ECDSA
      Cert Authorities:
      <Empty>
      *** ServerHelloDone

      Schema documentation indicates that the <authentication/> element is the correct way to set up the server trust manager.

      Does anyone see an issue with this configuration?

      My https listener configuration looks like:

      <https-listener name="default-https" socket-binding="https" security-realm="HTTPSRealm" verify-client="REQUESTED"/>

        • 1. Re: Undertow TLS client authentication
          ctomc

          What is your https-listener configuration?

          • 2. Re: Undertow TLS client authentication
            lbonco

            Hi,

            I have the same problem, this is my https-listener configuration:

            <server name="default-server">
              <ajp-listener name="ajp-connector" socket-binding="ajp"/>
              <http-listener name="default" socket-binding="http"/>
              <https-listener name="defaultssl" socket-binding="https" security-realm="UndertowRealm" verify-client="REQUIRED"/>
              <host name="default-host" alias="localhost">
              <location name="/" handler="welcome-content"/>
              <filter-ref name="server-header"/>
              <filter-ref name="x-powered-by-header"/>
              </host>
            </server>

            I also have another issue: if I use my default truststore, in my case with 175 certificates, I can't finish the SSL handshake; with curl I get only this:

            curl -vvvv -k https://....
            * Hostname was NOT found in DNS cache
            *   Trying 10.150.190.202...
            * Connected to host00.svil.bol (10.150.190.202) port 8022 (#0)
            * successfully set certificate verify locations:
            *   CAfile: none
              CApath: /etc/ssl/certs
            * SSLv3, TLS handshake, Client hello (1):

            In the log I found that the message "*** ServerHelloDone" was written before the end of the write buffer.

            2014-02-20 00:22:03,590 INFO  [stdout] (default I/O-1) default I/O-1, WRITE: TLSv1.2 Handshake, length = 16384
            2014-02-20 00:22:03,590 INFO  [stdout] (default I/O-1) *** ServerHelloDone
            2014-02-20 00:22:03,591 INFO  [stdout] (default I/O-1) default I/O-1, WRITE: TLSv1.2 Handshake, length = 6170
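An added example (written for this page, not code from the thread or from Undertow) that encodes and decodes the TLS 1.2 CertificateRequest message both posters are looking at: the "<Empty>" in dfisher's debug output is a zero-length certificate_authorities vector, and a trust store the size of lbonco's (175 CAs) yields a message that by itself spans more than one 16 KiB TLS record, with a hard cap of 65535 bytes for all DNs together. The CA names are constructed, and the DER encoder only covers single-attribute RDNs for C, O and CN.

```python
import struct
CERT_TYPE_NAMES = {1: "RSA", 2: "DSS", 64: "ECDSA"}  # rsa_sign, dss_sign, ecdsa_sign
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}  # 2.5.4.6 / .10 / .3

def der_tlv(tag, content):
    """Tag-length-value with minimal DER length encoding (content up to 65535 bytes)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + content

def der_name(*rdns):
    """X.501 Name from (attr, value) pairs, one single-attribute RDN (SET) per pair."""
    out = b""
    for attr, value in rdns:
        string_tag = 0x13 if attr == "C" else 0x0C  # PrintableString for C, UTF8String otherwise
        atv = der_tlv(0x30, der_tlv(0x06, OIDS[attr]) + der_tlv(string_tag, value.encode()))
        out += der_tlv(0x31, atv)
    return der_tlv(0x30, out)

def build_certificate_request(cert_types, sig_algs, ca_dns):  # TLS 1.2 body, RFC 5246 7.4.4
    cas = b"".join(struct.pack(">H", len(dn)) + dn for dn in ca_dns)
    if len(cas) > 0xFFFF:  # certificate_authorities<0..2^16-1> cannot hold more
        raise ValueError("certificate_authorities exceeds its 2^16-1 byte limit")
    sa = b"".join(struct.pack(">BB", h, s) for h, s in sig_algs)
    return (bytes([len(cert_types)]) + bytes(cert_types)
            + struct.pack(">H", len(sa)) + sa + struct.pack(">H", len(cas)) + cas)

def parse_certificate_request(body):
    """Decode a CertificateRequest body; ca_dns == [] is the '<Empty>' case in the debug log."""
    pos = 1 + body[0]
    cert_types = list(body[1:pos])
    (sa_len,) = struct.unpack_from(">H", body, pos); pos += 2
    sig_algs = [tuple(body[i:i + 2]) for i in range(pos, pos + sa_len, 2)]; pos += sa_len
    (ca_len,) = struct.unpack_from(">H", body, pos); pos += 2
    if pos + ca_len != len(body):
        raise ValueError("certificate_authorities length does not match the body")
    ca_dns = []
    while pos < len(body):
        (dn_len,) = struct.unpack_from(">H", body, pos); pos += 2
        ca_dns.append(body[pos:pos + dn_len]); pos += dn_len
    return {"cert_types": [CERT_TYPE_NAMES.get(t, t) for t in cert_types], "sig_algs": sig_algs, "ca_dns": ca_dns}

def records_needed(body, record_max=16384):  # plaintext fragment limit, RFC 5246 6.2.1
    """TLS records the handshake message (4-byte header + body) spans on its own."""
    return -(-(4 + len(body)) // record_max)

EMPTY = build_certificate_request([1, 2, 64], [(4, 1), (4, 3)], [])  # constructed: dfisher's empty CA list
SAMPLE_DNS = [der_name(("C", "IT"), ("O", "Constructed Example Organization %03d" % i),
                       ("CN", "Constructed Example Root CA %03d" % i)) for i in range(175)]
BIG = build_certificate_request([1, 2, 64], [(4, 1), (4, 3)], SAMPLE_DNS)  # constructed: lbonco's 175-CA store
```

Feeding the decoded CertificateRequest from a packet capture into parse_certificate_request shows directly whether the listener is advertising the truststore's CAs, and records_needed on the same bytes tells you whether the message is large enough to be split across records as in the second log.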