jetty.project icon indicating copy to clipboard operation
jetty.project copied to clipboard

Published 20 hours ago verified publisher icon jetty

Easier access to invalid client certificates

Open sbordet opened this issue 4 years ago • 4 comments

Jetty version 10.0.x

Description During the TLS handshake, in case of needClientAuth, the client may send an invalid (e.g. expired) certificate. The validation checks are performed by the TrustManager and if they fail there is no way to access the expired client certificate, for example in SslHandshakeListener.handshakeFailed(), as it is not exposed via SSLSession.getPeerCertificate(), etc.

The only option would be to wrap the TrustManager, but that requires subclassing SslContextFactory.Server and overriding getTrustManager(), whose signature is likely to change in light of #6054.

Would be great to have a more stable way to provide hooks into the TrustManager in a simpler way.

sbordet avatar Mar 17 '21 09:03 sbordet

This issue has been automatically marked as stale because it has been a full year without activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Mar 18 '22 00:03 github-actions[bot]

This issue has been automatically marked as stale because it has been a full year without activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Mar 19 '23 00:03 github-actions[bot]

This issue has been automatically marked as stale because it has been a full year without activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Mar 19 '24 00:03 github-actions[bot]