Using different public keys in same SSLContext


Nikolay Damyanliev

Jun 8, 2017, 8:26:07 AM
to vert.x
Hi,

So we have the following setup here:
We have a vertx app that uses JWT for authentication, and communicates with third-parties via HTTPS, using certificates provided by these third-parties.
The certificate for JWT authentication is stored in a separate jceks store, which is loaded on startup into the SSL context, all authentication works fine.
The certificates for the third-parties are stored in the default Java truststore (cacerts).

The problem:
When an SSL connection attempt to a third-party is made, the certificate (public key) of this third-party is loaded into the SSL context, the connection is successful, all is fine. But because this certificate apparently replaces the JWT one that was loaded on startup, the whole JWT authentication process breaks: no token can be verified or issued any more, as the SSL context keeps the wrong certificate.

Any thoughts? Are we doing something wrong? If yes, what? If not, any suggestions how to deal with such an issue?

Any help will be greatly appreciated. Thanks :)

Julien Viet

Jun 8, 2017, 3:39:56 PM
to ve...@googlegroups.com
Hi,

I’m not much familiar with JWT, can you point out where JWT loads a certificate to help understanding?

Can you provide a reproducer for this issue?

Julien

Visit this group at https://groups.google.com/group/vertx.
To view this discussion on the web, visit https://groups.google.com/d/msgid/vertx/16aee0f8-930b-48ec-b78c-f91c0ea059fc%40googlegroups.com.

Asher Tarnopolski

Jun 8, 2017, 3:52:47 PM
to vert.x
Hi, we use a custom jceks file we create and a provider created with JWTAuth just like in the docs example:

import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.AuthProvider;
import io.vertx.ext.auth.jwt.JWTAuth;

// JWT signing/verification keys come from our own jceks store
JsonObject config = new JsonObject().put("keyStore", new JsonObject()
    .put("path", "keystore.jceks")
    .put("type", "jceks")
    .put("password", "secret"));

AuthProvider provider = JWTAuth.create(vertx, config);

The auth handler is then chained to routes wherever needed and is initialised during deployment.

The third party provides its certificates.
The mess starts after that third party is called the first time. The JWT crypto check starts to fail with a key verification error.

Paulo Lopes

Jun 26, 2017, 6:53:44 AM
to vert.x
Can you provide a reproducer? It's hard to tell what's going on without it.
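A minimal reproducer skeleton of the kind the replies ask for, added here as an example and not code from this thread or from the Vert.x project. It assumes Vert.x 3.x APIs, keeps the JWT key store and the HTTPS client trust store as two separately configured objects so each can be checked on its own, and uses placeholder values for the trust store file, host, port and password.

```java
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpClient;
import io.vertx.core.http.HttpClientOptions;
import io.vertx.core.json.JsonObject;
import io.vertx.core.net.JksOptions;
import io.vertx.ext.auth.jwt.JWTAuth;
import io.vertx.ext.auth.jwt.JWTOptions;

public class JwtTrustStoreReproducer {

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();

    // JWT signing/verification keys: the jceks store from the post
    // (path and password as in the thread, assumed to exist locally)
    JWTAuth jwt = JWTAuth.create(vertx, new JsonObject().put("keyStore", new JsonObject()
        .put("path", "keystore.jceks")
        .put("type", "jceks")
        .put("password", "secret")));

    // HTTPS client trust: an explicit JKS trust store holding only the third party's
    // certificate (file name and password are placeholders), configured on the client
    // rather than relying on the JVM-wide cacerts.
    HttpClient client = vertx.createHttpClient(new HttpClientOptions()
        .setSsl(true)
        .setTrustStoreOptions(new JksOptions()
            .setPath("third-party-truststore.jks")
            .setPassword("changeit")));

    String token = jwt.generateToken(new JsonObject().put("sub", "alice"), new JWTOptions());
    verify(jwt, token, "before HTTPS call");

    // Host, port and path of the third party are placeholders.
    client.getNow(443, "third-party.example", "/", resp -> {
      System.out.println("HTTPS status: " + resp.statusCode());
      // If this check fails while the one above succeeded, the reported failure is reproduced.
      verify(jwt, token, "after HTTPS call");
    });
  }

  // Verify the same token at a given stage and report the outcome
  private static void verify(JWTAuth jwt, String token, String stage) {
    jwt.authenticate(new JsonObject().put("jwt", token), ar ->
        System.out.println(stage + ": "
            + (ar.succeeded() ? "token verified" : "FAILED: " + ar.cause())));
  }
}
```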