Getting the client IP address during TLS handshake

30 views
Skip to first unread message

rim...@gmail.com

unread,
Jun 8, 2022, 2:47:16 PMJun 8
to vert.x
Hi,

   We would like to get the client IP during the TLS handshake. We have a class extending from X509ExtendedKeyManager and we are overriding the 
public String chooseEngineServerAlias(String s, Principal[] principals, SSLEngine engine)
method.

@Override
    public String chooseEngineServerAlias(String s, Principal[] principals, SSLEngine engine) {

      String serverString = null;
      if (engine != null) {
        ExtendedSSLSession session = (ExtendedSSLSession)engine.getHandshakeSession();
        if (session != null && session instanceof ExtendedSSLSession) {
          LOG.info("Logging client IP address : " + session.getPeerHost()); 
//...
}

I even tried (which did not work either) -

LOG.info("Logging client IP address : " + session.getSessionContext()
              .getSession(session.getId()).getPeerHost());

Above code does not seem to get the peer host, it returns null. Is there a way to get the client IP of the client initiating the handshake ?.

Julien Viet

unread,
Jun 9, 2022, 8:01:04 AMJun 9
to vert.x
Hi,

can you elaborate why it is needed ?

Julien
> --
> You received this message because you are subscribed to the Google Groups "vert.x" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to vertx+un...@googlegroups.com.
> To view this discussion on the web, visit https://groups.google.com/d/msgid/vertx/5ad8130f-ac90-4d72-9943-b2145cc619c2n%40googlegroups.com.

rim...@gmail.com

unread,
Jun 9, 2022, 8:52:44 AMJun 9
to vert.x
Hi Julien,

   We have a key/trust store that maintains the server certificates , and the Subject Alternative name on the server cert has the internal IP. We want to eliminate the internal IPs from the cert.
In order to do that we need to distinguish the internal clients/external clients connecting to the server. So if we know the client IP we can get the subnet and make our decision based on that and serve up the right certificate from the trust store.

Thanks,
Ranjit

rim...@gmail.com

unread,
Jul 1, 2022, 10:35:18 AMJul 1
to vert.x
Hi Julien,

    Again getting back to this topic, we need this for implementing Virtual servers. Is there a way we can contribute to have this functionality available ?. This is a very important requirement for us security wise.  Please let us know.

Thanks,
Ranjit

Julien Viet

unread,
Jul 6, 2022, 4:42:11 AMJul 6
to vert.x
Hi,

do you want to only do some logging or take some action during this phase ?

the handshake is implemented by Netty and Vert.x is aware of this
before the handshake or after the handshake.

so it is important you describe what you want to achieve exactly to
understand what it would take to be implemented.

Julien
> To view this discussion on the web, visit https://groups.google.com/d/msgid/vertx/8765689f-5594-41ef-96ed-263ab8db0e06n%40googlegroups.com.

rim...@gmail.com

unread,
Jul 27, 2022, 10:26:46 AMJul 27
to vert.x
Hi Julien,

   We want the API to give us couple of things during SSL handshake process -

1) Client IP address of who initiated the handshake.
2)  Local server address the connection is bound to.

Thanks,
Ranjit

Julien Viet

unread,
Jul 28, 2022, 3:00:16 AMJul 28
to vert.x
and you only want those info and during the handshake ? no actions
should be taken
> To view this discussion on the web, visit https://groups.google.com/d/msgid/vertx/9bd5c2b5-c542-473f-ada1-9012c0ee1f8bn%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages