2 Replies Latest reply on Feb 20, 2014 3:55 PM by Luca Boncompagni

    Undertow TLS client authentication

    dfisher Newbie

      I've configured a security realm for my https-listener like so:


      <security-realm name="HTTPSRealm">
          <server-identities>
              <ssl>
                  <keystore alias="server" path="/path/to/my.keystore" keystore-password="changeit" />
              </ssl>
          </server-identities>
          <authentication>
              <truststore path="/path/to/my.truststore" keystore-password="changeit" />
          </authentication>
      </security-realm>




      However, Undertow always presents an empty list of certificate authorities:

      *** CertificateRequest
      Cert Types: RSA, DSS, ECDSA
      Cert Authorities:
      *** ServerHelloDone


      Schema documentation indicates that the <authentication/> element is the correct way to set up the server trust manager.

      Does anyone see an issue with this configuration?


      My https listener configuration looks like:


      <https-listener name="default-https" socket-binding="https" security-realm="HTTPSRealm" verify-client="REQUESTED"/>

        • 1. Re: Undertow TLS client authentication
          Tomaz Cerar Master

          What is your https-listener configuration?

          • 2. Re: Undertow TLS client authentication
            Luca Boncompagni Newbie


            I have the same problem; this is my https-listener configuration:

            <server name="default-server">
              <ajp-listener name="ajp-connector" socket-binding="ajp"/>
              <http-listener name="default" socket-binding="http"/>
              <https-listener name="defaultssl" socket-binding="https" security-realm="UndertowRealm" verify-client="REQUIRED"/>
              <host name="default-host" alias="localhost">
                <location name="/" handler="welcome-content"/>
                <filter-ref name="server-header"/>
                <filter-ref name="x-powered-by-header"/>
              </host>
            </server>




            I also have another issue: if I use my default truststore, in my case with 175 certificates, I can't finish the SSL handshake. With curl I get only this:

            curl -vvvv -k https://....
            * Hostname was NOT found in DNS cache
            *   Trying
            * Connected to host00.svil.bol ( port 8022 (#0)
            * successfully set certificate verify locations:
            *   CAfile: none
              CApath: /etc/ssl/certs
            * SSLv3, TLS handshake, Client hello (1):


            In the log I found that the message "*** ServerHelloDone" was written before the end of the write buffer.

            2014-02-20 00:22:03,590 INFO  [stdout] (default I/O-1) default I/O-1, WRITE: TLSv1.2 Handshake, length = 16384
            2014-02-20 00:22:03,590 INFO  [stdout] (default I/O-1) *** ServerHelloDone
            2014-02-20 00:22:03,591 INFO  [stdout] (default I/O-1) default I/O-1, WRITE: TLSv1.2 Handshake, length = 6170
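As an added illustration, not code from either post: this Python script builds and decodes the TLS 1.2 CertificateRequest message that both handshake traces above are about, so you can see what an empty certificate_authorities list looks like on the wire (dfisher's "Cert Authorities:" line) and how 175 trusted CAs push the message past the 16384-byte record limit that shows up as fragmented WRITEs in Luca's log. All CA names are constructed samples, and the DN encoder only handles CN-only names with short-form DER lengths.

```python
"""Build/decode a TLS 1.2 CertificateRequest body and size its certificate_authorities list (constructed sample CAs)."""
import struct

RECORD_MAX = 2 ** 14  # largest TLS plaintext fragment; bigger handshake flights are split (RFC 5246 6.2.1)

def der_cn(cn: str) -> bytes:
    """Minimal DER X.501 Name holding a single CN; CN <= 100 chars keeps every length in short form."""
    assert len(cn) <= 100
    atv = b"\x06\x03\x55\x04\x03" + bytes([0x13, len(cn)]) + cn.encode("ascii")  # OID id-at-commonName + PrintableString
    seq = bytes([0x30, len(atv)]) + atv   # AttributeTypeAndValue
    rdn = bytes([0x31, len(seq)]) + seq   # RelativeDistinguishedName (SET)
    return bytes([0x30, len(rdn)]) + rdn  # Name (SEQUENCE of RDN)

def build_certificate_request(ca_names: list) -> bytes:
    """CertificateRequest body as a TLS 1.2 server sends it (RFC 5246 7.4.4)."""
    cert_types = b"\x01\x02\x40"                    # rsa_sign, dss_sign, ecdsa_sign (matches "RSA, DSS, ECDSA")
    sig_algs = b"\x04\x01\x05\x01\x06\x01\x04\x03"  # sha256/384/512+rsa, sha256+ecdsa (constructed choice)
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)  # each DN is length-prefixed
    return (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)

def extract_cn(dn: bytes) -> str:
    """Pull the CN string out of a DER Name (short-form lengths only)."""
    i = dn.find(b"\x06\x03\x55\x04\x03")
    if i < 0:
        return "<no CN>"
    i += 5  # skip the OID; dn[i] is the string tag, dn[i + 1] its length
    return dn[i + 2:i + 2 + dn[i + 1]].decode("ascii", "replace")

def parse_certificate_request(body: bytes) -> dict:
    """Return the accepted client cert types, the CA CNs the server advertises, and the DN-list size."""
    pos = 0
    n = body[pos]; pos += 1
    cert_types = list(body[pos:pos + n]); pos += n
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + n  # skip supported_signature_algorithms
    dn_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end, cas = pos + dn_total, []
    while pos < end:  # an empty list here is exactly what "Cert Authorities:" with nothing after it means
        ln = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        cas.append(extract_cn(body[pos:pos + ln])); pos += ln
    return {"cert_types": cert_types, "cas": cas, "dn_list_bytes": dn_total}

def handshake_message_length(body: bytes) -> int:
    """Bytes on the wire: 1-byte HandshakeType + 3-byte length + body."""
    return 4 + len(body)

if __name__ == "__main__":
    big = [der_cn(f"Constructed Test CA {i:03d}".ljust(90, "x")) for i in range(175)]  # 175 CAs like Luca's truststore
    print(handshake_message_length(build_certificate_request(big)) > RECORD_MAX)  # True
```

Run against a real server's CertificateRequest body (e.g. captured with a packet analyser) the parser shows whether the CA list is empty and how large it is before the handshake even reaches the client certificate.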