I have a bit more support now in thinking that this is an issue with lack of
support for TLS renegotiation.
I added the following code to my test, which calls a non TLS renegotiating
server
"testing client certs" should {
"connect to foafssl.org and ask for cert" in {
keyManager.setId("JoeLambda")
val foafssl = :/("foafssl.org",443)/"test/WebId" secure
val model = Http(foafssl as_model(baseURI(foafssl),TURTLE) )
model.write(System.out,TURTLE.jenaLang)
model.size() must_==10 //should be greater than, but anyway
}
}
When I connect to foafssl.org - but any non TLS renegotiating server would do
I believe - then the methods in my FlexiKeyManager get called in the order
expected: namely first it gets asked for the aliases, then for a certificate
for that alias, and finally for the private key for that alias. This does not
happen when connecting to the server that does renegotiation.
class FlexiKeyManager extends X509ExtendedKeyManager {
val keys = mutable.Map[String, Pair[Array[X509Certificate],PrivateKey]]()
def addClientCert(alias: String,certs: Array[X509Certificate], privateKey:
PrivateKey) {
keys.put(alias,Pair(certs,privateKey))
}
var currentId: String = null
def setId(alias: String) { currentId = if (keys.contains(alias)) alias else
null }
def getClientAliases(keyType: String, issuers: Array[Principal]) =
if (currentId!=null) Array(currentId) else null
def chooseClientAlias(keyType: Array[String], issuers: Array[Principal],
socket: Socket) =
currentId
def getServerAliases(keyType: String, issuers: Array[Principal]) = null
def chooseServerAlias(keyType: String, issuers: Array[Principal], socket:
Socket) = ""
def getCertificateChain(alias: String) = keys.get(alias) match {
case Some(certNKey) => certNKey._1;
case None => null
}
def getPrivateKey(alias: String) =
keys.get(alias).map(ck=>ck._2).getOrElse(null)
override def chooseEngineClientAlias(keyType: Array[String], issuers:
Array[Principal], engine: SSLEngine): String = currentId
}
On 28 Oct 2011, at 00:49, Henry Story wrote:
> Hello,
>
> I am working on a server that tries to ask the client for his X509
> certificate only when it is sure that it will be needed. This can be done
> very neatly using TLS renegotiation: the server can analysing the HTTP
> request to see if action requested on the resource needs authentication at
> all. If so it requests a TLS renegotiations as show in this mini netty server
> written in one page of Scala [1].
>
> I am now trying to test this. Most desktop browsers accept some form of TLS
> renegotiation - except Opera 11 I think. But I am not sure that java http
> client does. I am using the dispatch scala wrapping of the httpclient, and so
> I am cling them this too.
>
> The code for these tests is here:
>
> https://dvcs.w3.org/hg/read-write-web/file/c0bf9b280888/src/test/scala/auth/CreateWebIDSpec.scala
>
> The test after line 234 does not return the right result. After a lot of
> stepping through code it occurred to me that perhaps httpclient does not do
> renegotiation. Perhaps I have not set it up properly to do this. But it could
> also be another issue. As it is late, I thought I'd ask before going to
> sleep.
>
> Thanks in advance,
>
> Henry
>
>
> [1] in the webid branch of the read-write-web project around line 64
> https://dvcs.w3.org/hg/read-write-web/file/9ca474c333e8/src/main/scala/netty/SslLoginTest.scala
> [2] http://dispatch.databinder.net/Dispatch.html
>
>
> Social Web Architect
> http://bblfish.net/
>
Social Web Architect
http://bblfish.net/
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
