
Client cert auth


Brad Wood

Jul 20, 2022, 1:52:07 PM
to Undertow Dev
When using the XNio option SslClientAuthMode, I can have my Undertow server send a client cert request to the browser.  However, the documentation of SSL client auth says the server can also send a list of acceptable CAs.

If the server requires a digital certificate for client authentication, the server sends a “client certificate request” that includes a list of the types of certificates supported and the Distinguished Names of acceptable Certification Authorities (CAs).


How do I specify the list of supported certs and the list of allowed distinguished names that Undertow/Xnio sends as part of the certificate request during SSL negotiation?

Flavia Rainone

Jul 21, 2022, 3:20:57 AM
to Undertow Dev
Hi Brad,

I'll have to check if this is currently supported and how to do it, I'll get back to you in a bit.

Best regards,
Flavia

Brad Wood

Jul 21, 2022, 11:07:50 AM
to Flavia Rainone, Undertow Dev
I've been hammering at getting the client auth working for a few days and wanted to add that it appears from my testing that ALL CAs in the trust store configured in the SSL context used by the HTTP listener are sent automatically.  So if I create an SSL context with its own trust store and I place a CA cert in it, then that's automatically getting sent.  I was thinking I'd want to customize what was sent, but if I'm thinking of things directly, it actually makes a good deal of sense that I'd just configure my own truststore to have the CAs I wanted to trust.  

Let me know what you find out.

Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 




Brad Wood

Jul 21, 2022, 10:43:47 PM
to Flavia Rainone, Undertow Dev
On the topic of client cert auth, I've put in this ticket to help improve it:


I'm working on recreating the most common CGI variables that IIS, Apache, or Nginx set when using client auth, such as SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, and SSL_CLIENT_CERT.  Please let me know if there are any examples out there of setting all this information via Undertow.

Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 


Flavia Rainone

Sep 5, 2022, 3:52:34 PM
to Undertow Dev
Hi Brad,

Regarding your initial question, the SslClientAuthMode does not allow selection of which CAs the server will send to client as acceptable, which is exactly what you found out in your tests.

Thanks for the Jira. I scheduled it tentatively to 2.4.0.Final, I'll publish a roadmap for that release after 2.3.0.Final is released.
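The two points raised in this thread, that the CA list in the TLS CertificateRequest comes from the trust store behind the listener's SSLContext rather than from any XNIO option, and that the verified client certificate can be turned into mod_ssl-style variables, are shown together in the following added example. It is not code from the thread or from the Undertow project. The key store and trust store paths, their passwords, the port and the `SslVariables` helper type are assumptions for illustration; the Undertow and XNIO calls (`Undertow.builder().addHttpsListener`, `setServerOption(Options.SSL_CLIENT_AUTH_MODE, ...)`, `ServerConnection.getSslSessionInfo()`, `SSLSessionInfo.getPeerCertificates()`) are the public API as of Undertow 2.x.

```java
// Added example, not from the thread or the Undertow project.
// Paths, passwords and the SslVariables type are placeholders/assumptions.
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.RenegotiationRequiredException;
import io.undertow.server.SSLSessionInfo;
import io.undertow.util.AttachmentKey;
import org.xnio.Options;
import org.xnio.SslClientAuthMode;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.LinkedHashMap;

public class ClientCertServer {

    /** Hypothetical holder so the request attachment has a concrete, non-generic type. */
    public static final class SslVariables extends LinkedHashMap<String, String> {}

    /** Attachment key downstream handlers read the variables from. */
    public static final AttachmentKey<SslVariables> SSL_VARS = AttachmentKey.create(SslVariables.class);

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * The trust store handed to the TrustManagerFactory is what JSSE uses to build the
     * list of acceptable CA distinguished names in its CertificateRequest. To control
     * what the browser sees, keep only the CAs you actually want to accept in this store.
     */
    static SSLContext buildSslContext(String keyStorePath, char[] keyPass,
                                      String trustStorePath, char[] trustPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, keyPass), keyPass);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, trustPass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Maps the verified client chain (or its absence) onto Apache mod_ssl variable names. */
    static SslVariables toSslVariables(Certificate[] chain) throws Exception {
        SslVariables vars = new SslVariables();
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            vars.put("SSL_CLIENT_VERIFY", "NONE");   // mod_ssl value when no cert was presented
            return vars;
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        vars.put("SSL_CLIENT_VERIFY", "SUCCESS");    // the trust manager already validated the chain
        vars.put("SSL_CLIENT_S_DN", leaf.getSubjectX500Principal().getName());
        vars.put("SSL_CLIENT_I_DN", leaf.getIssuerX500Principal().getName());
        vars.put("SSL_CLIENT_CERT", toPem(leaf));
        return vars;
    }

    static String toPem(X509Certificate cert) throws Exception {
        String b64 = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(cert.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----";
    }

    public static void main(String[] args) throws Exception {
        SSLContext ssl = buildSslContext("/path/to/server.p12", "changeit".toCharArray(),
                                         "/path/to/client-cas.p12", "changeit".toCharArray());

        HttpHandler app = exchange ->
                exchange.getResponseSender().send(exchange.getAttachment(SSL_VARS).toString());

        HttpHandler certHandler = exchange -> {
            SSLSessionInfo info = exchange.getConnection().getSslSessionInfo(); // null on plain HTTP
            SslVariables vars;
            try {
                vars = toSslVariables(info == null ? null : info.getPeerCertificates());
            } catch (SSLPeerUnverifiedException | RenegotiationRequiredException e) {
                vars = toSslVariables(null); // REQUESTED mode: the client may decline to send a cert
            }
            exchange.putAttachment(SSL_VARS, vars);
            app.handleRequest(exchange);
        };

        Undertow.builder()
                .addHttpsListener(8443, "0.0.0.0", ssl)
                // REQUESTED sends the CertificateRequest but allows cert-less clients through;
                // REQUIRED fails the handshake when no acceptable certificate is presented.
                .setServerOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUESTED)
                .setHandler(certHandler)
                .build()
                .start();
    }
}
```

Two caveats for anyone reproducing Brad's CGI variables this way: `getName()` returns the RFC 2253 form of the DN, which is not byte-for-byte what Apache writes into `SSL_CLIENT_S_DN` (mod_ssl uses its own legacy formatting), and with `SslClientAuthMode.REQUESTED` the application must treat `SSL_CLIENT_VERIFY=NONE` as unauthenticated rather than assume a certificate is always present.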