On 31-May-07, at 3:52 PM, Chuck Hinson wrote:
Toby,
I'm about to try out the ssl client auth stuff. I looked in javadoc,
but didn't see anything.
What all did you have to do to get client auth working?
I assume I at least have to do (the equivalent of) the following (on the command line):
-Djavax.net.ssl.trustStore=arces-ca-trust.jks
-Djavax.net.ssl.trustStorePassword=secret
-Djavax.net.ssl.keyStore=b-0480-identity.jks
-Djavax.net.ssl.keyStorePassword=secret
If you have non-default trust/keystore then yes.
Did you use Simple? Is there any additional configuration required
there?
Used Simple. No extra config.
Also, where are you doing:
getContext().getParameters().add("needClientAuthentication", "true")
Are you doing it in Restlet.createRoot() or somewhere else?
In my case:
public static void main(String[] args) throws Exception {
    Server srv = new Server(Protocol.HTTPS, SOME_PORT_NO, new MyApplication());
    /* if desired:
    srv.getContext().getParameters().add("keystorePath", "...");
    srv.getContext().getParameters().add("keystorePassword", "...");
    srv.getContext().getParameters().add("keyPassword", "...");
    */
    srv.getContext().getParameters().add("needClientAuthentication", "true");
    srv.start();
}
HTH,
--Toby
--Chuck
-----Original Message-----
From: Toby Thain [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 30, 2007 10:51 AM
To: [email protected]
Subject: Re: 2-way SSL authentication
On 21-May-07, at 6:43 AM, Jerome Louvel wrote:
Hi all,
I've added support for client authentication in the SVN trunk (upcoming 1.1). Only the Simple connector has support to retrieve the client certificates,
These two features are working well for me in 1.1b1.
More specifically, as expected, client authentication succeeds against my CA and fails against a foreign CA or an out-of-date certificate. I haven't tested a revocation list.
getContext().getParameters().add("needClientAuthentication", "true")
And I can retrieve the certificate details that I need as follows:
List<X509Certificate> certs =
    (List<X509Certificate>) req.getAttributes().get("org.restlet.https.clientCertificates");
X509Certificate firstCert = certs.get(0);
... firstCert.getSubjectX500Principal().getName() ...
Thank you very much for the work.
--Toby
but other connectors should ask for/require a certificate too if you set the connector attributes correctly (see the Javadocs for each connector).
See details in the RFE:
http://restlet.tigris.org/issues/show_bug.cgi?id=281
I'm looking forward to getting your feedback and test results. I will post a first 1.1 snapshot soon.
Best regards,
Jerome
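As an added example that is not code from anyone in this thread, the pieces Toby describes (Simple connector, "needClientAuthentication", and the "org.restlet.https.clientCertificates" request attribute) are pulled together below into a server that only serves requests whose client certificate is valid and whose subject DN is on an allow list. The Restlet 1.1 API is assumed as used above; the port, keystore file names and the allowed subject DN are placeholders, and the trust store is still supplied via the javax.net.ssl.trustStore system properties Chuck lists.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.restlet.Restlet;
import org.restlet.Server;
import org.restlet.data.MediaType;
import org.restlet.data.Protocol;
import org.restlet.data.Request;
import org.restlet.data.Response;
import org.restlet.data.Status;

public class ClientAuthServer {
    // Attribute under which the Simple connector stores the client chain (per the thread).
    static final String CERTS_ATTR = "org.restlet.https.clientCertificates";

    // Subject DN of the leaf client certificate, or null when the request carries
    // no chain or the leaf is expired / not yet valid. Chain trust itself was already
    // checked by the connector's handshake against the configured trust store.
    static String authenticatedSubject(Map<String, Object> attrs) {
        Object o = attrs.get(CERTS_ATTR);
        if (!(o instanceof List) || ((List<?>) o).isEmpty()) return null;
        X509Certificate leaf = (X509Certificate) ((List<?>) o).get(0);
        try { leaf.checkValidity(); } catch (CertificateException e) { return null; }
        return leaf.getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        final Set<String> allowed = new HashSet<String>();
        allowed.add("CN=b-0480,O=Example"); // placeholder subject DN

        Restlet guarded = new Restlet() {
            @Override
            public void handle(Request req, Response resp) {
                String dn = authenticatedSubject(req.getAttributes());
                if (dn == null || !allowed.contains(dn)) { // authenticated but not authorized
                    resp.setStatus(Status.CLIENT_ERROR_FORBIDDEN);
                    return;
                }
                resp.setEntity("hello " + dn, MediaType.TEXT_PLAIN);
            }
        };
        Server srv = new Server(Protocol.HTTPS, 8443, guarded); // placeholder port
        srv.getContext().getParameters().add("keystorePath", "b-0480-identity.jks"); // placeholder
        srv.getContext().getParameters().add("keystorePassword", "secret");          // placeholder
        srv.getContext().getParameters().add("keyPassword", "secret");               // placeholder
        srv.getContext().getParameters().add("needClientAuthentication", "true");
        srv.start();
    }
}
```

Run with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword pointing at the CA trust store so the handshake rejects foreign or untrusted chains before the handler ever sees them.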