[Jetty-support] Re: SSL question

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Mike,

sorry for the slow reply....

I would have thought that JSSE would not have accepted a connection without 
a client certificate if you have set  listener.setNeedClientAuth(true) !!!!

It is a little bit beyond Jetty's control, but if we can confirm that
JSSE is allowed to make connections ignoring the need - then I think
I will have to explicitly check connections for this in the listener.

However, for now, I would suggest using a filter to check that a 
clert cert attribute exists and reject the request if it does not.

regards

Gerdes, Mike wrote:
> hi all,
> 
> I have a problem with the Jetty 6 SslSocketConnector. I am trying to make a http connector that uses SSL, configuration and everything works fine, the server sends the client a certificate also great...everything fine till now, but now I want the client to authenticate itself. The client now sends an invalid certificate and I get a error:
> 
> java.lang.IllegalStateException: no client auth
> 	at org.mortbay.jetty.security.SslSocketConnector.customize(SslSocketConnectorjava:361)
> 	at org.mortbay.jetty.HttpConnection.doHandler(HttpConnection.java:362)
> 	at org.mortbay.jetty.HttpConnection.access$1600(HttpConnection.java:46)
> 	at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:612)
> 	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:485)
> 	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:194)
> 	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:298)
> 	at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:153)
> 	at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:412)
> 
> Ok this error is ok, but the the connection is not droped. The http request is forwarded and served.
> 
> Is this a general error or just my understanding or a wrong implementation configuration?
> 
> I hope you can help me to clarify my thoughts.
> 
> cya and thanks
> 
> mike
> 
> p.s. here is my source for the http server (a modified servicemix http-binding component):
> 
> --snap--
> 
> public void init(ComponentContext cc) throws JBIException {
>         super.init(cc);
>         if (listener == null) {
>             listener = new SslSocketConnector();
>         }
>         listener.setHost(host);
>         listener.setPort(port);
>         listener.setConfidentialPort(port);
>         listener.setNeedClientAuth(true);
>         listener.setPassword("blabla");
>         listener.setKeyPassword("blabla");
>         server = new Server();
>         BoundedThreadPool btp = new BoundedThreadPool();
>         btp.setMaxThreads(getMaxThreads());
>         server.setThreadPool(btp);
>     }
>    
>     /**
>      * start the Component
>      *
>      * @throws JBIException
>      */
>     public void start() throws JBIException {
>         server.setConnectors(new Connector[] { listener });
>         ContextHandler context = new ContextHandler();
>         context.setContextPath("/");
>         ServletHolder holder = new ServletHolder();
>         holder.setName("jbiServlet");
>         holder.setClassName(BindingServlet.class.getName());
>         ServletHandler handler = new ServletHandler();
>         handler.setServlets(new ServletHolder[] { holder });
>         ServletMapping mapping = new ServletMapping();
>         mapping.setServletName("jbiServlet");
>         mapping.setPathSpec("/*");
>         handler.setServletMappings(new ServletMapping[] { mapping });
>         context.setHandler(handler);
>         server.setHandler(context);
>         context.setAttribute("binding", this);
>         try {
>             server.start();
>         }
>         catch (Exception e) {
>         	log.warn(e.toString());
>             throw new JBIException("Start failed: " + e, e);
>         }
>     }
> 
> --snap--
> 
> This mail has originated outside your organization, either from an external partner or the Global Internet. Keep this in mind if you answer this message.
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live webcast
> and join the prime developer group breaking into this new coding territory!
> http://sel.as-us.falkag.net/sel?cmd=k&kid0944&bid$1720&dat1642
> _______________________________________________
> Jetty-support mailing list
> Jet...@li...
> https://lists.sourceforge.net/lists/listinfo/jetty-support
> 