Hi, I am new to Jetty. I was able to get SSL to work with Jetty
(9.2.5.v20141112). However, if I enable client-auth, I always got the
following error from the client side:

Caused by: java.io.EOFException: HttpConnectionOverHTTP@75cc9008(l:/127.0.0.1:58655 <-> r:localhost/127.0.0.1:8443)
        at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.earlyEOF(HttpReceiverOverHTTP.java:267)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:1312)
        at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.shutdown(HttpReceiverOverHTTP.java:170)
        ...

By configuring it with client-auth, I did the following on the server-side:
        sslContextFactory.setNeedClientAuth(true);
And here is my client-side code:
        SslContextFactory sslContextFactory = new SslContextFactory();
        sslContextFactory.setKeyStorePath(<store path>);
        sslContextFactory.setNeedClientAuth(true);
        sslContextFactory.setKeyStorePassword(<password>);
        sslContextFactory.setCertAlias(<client alias>);
        sslContextFactory.setEndpointIdentificationAlgorithm("HTTPS");

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, new TrustManager[] { new TrustAllX509TrustManager() }, new SecureRandom());
        SSLEngine engine = context.createSSLEngine();
        engine.setNeedClientAuth(sslContextFactory.getNeedClientAuth());
        engine.setEnabledCipherSuites(engine.getSupportedCipherSuites());
        engine.setEnabledProtocols(engine.getSupportedProtocols());

        sslContextFactory.setSslContext(context);
        sslContextFactory.setEndpointIdentificationAlgorithm(null);

        HttpClient httpClient = new HttpClient(sslContextFactory);
        httpClient.setMaxConnectionsPerDestination(2);
        httpClient.setMaxRequestsQueuedPerDestination(2);
        httpClient.setIdleTimeout(180000);
        httpClient.start();

        InputStreamResponseListener listener = new InputStreamResponseListener(102400)
        {
            @Override
            public void onContent(Response response, ByteBuffer content)
            {
                // ignore empty blocks
                if (content.remaining() == 0) {
                    return;
                }
                super.onContent(response, content);
            }
        };

        HttpRequest jettyRequest = (HttpRequest) httpClient.newRequest("https://localhost:8443/test1");
        jettyRequest.method("GET");
        jettyRequest.send(listener);

        Response response = listener.get(httpClient.getIdleTimeout(), TimeUnit.MILLISECONDS);
        int status = response.getStatus();
        System.out.println(String.format("Got response status: %d", status));
        InputStream inputStream = listener.getInputStream();

        // Process the response
        BufferedReader reader;
        String line = null;
        reader = new BufferedReader( new InputStreamReader( inputStream ) );
        while( ( line = reader.readLine() ) != null )
        {
            System.out.println( line );
        }

        inputStream.close();

If I replace setNeedClientAuth with setWantClientAuth, I did not see the
client cert from the server-side. What have I done wrong here, please? Thanks!
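For reference, an added example (not part of the original post and not Jetty project code) of a client-side SSLContext that can take part in client-certificate authentication. A context initialised with null key managers has no certificate to present unless the javax.net.ssl.keyStore system property supplies one, and a context passed to setSslContext is used in place of the factory's own key store settings, so here the key managers are built explicitly and a real trust store replaces the trust-all manager. The store file names, the password and the class name are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.api.ContentResponse;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class MutualTlsClient {
    // Assumed placeholders: substitute your own store paths and passwords.
    static final String KEY_STORE = "client-keystore.jks";     // client cert + private key
    static final String TRUST_STORE = "client-truststore.jks"; // CA that signed the server cert
    static final char[] PASSWORD = "changeit".toCharArray();

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    static SSLContext clientContext() throws Exception {
        // Key managers supply the certificate sent when the server requests one.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(KEY_STORE, PASSWORD), PASSWORD);
        // Trust managers validate the server certificate against known CAs.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(TRUST_STORE, PASSWORD));
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return context;
    }

    public static void main(String[] args) throws Exception {
        SslContextFactory factory = new SslContextFactory();
        factory.setSslContext(clientContext());
        factory.setEndpointIdentificationAlgorithm("HTTPS"); // keep hostname verification on
        HttpClient client = new HttpClient(factory);
        client.start();
        try {
            ContentResponse response = client.GET("https://localhost:8443/test1");
            System.out.println("Got response status: " + response.getStatus());
        } finally {
            client.stop();
        }
    }
}
```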