[jira] [Commented] (FELIX-4797) Enable client certificate requesting without verifying the certificates

2016-09-21 Thread Pascal Mainini (JIRA)

[ 
https://issues.apache.org/jira/browse/FELIX-4797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15510564#comment-15510564
 ] 

Pascal Mainini commented on FELIX-4797:
---

Hi Carsten

thanks for your inquiry. It's already quite long ago and I honestly don't 
recall the full details. From my side however, the issue has been either 
resolved or worked around, so I think it can be closed here as well. Sorry for 
not keeping you updated!

> Enable client certificate requesting without verifying the certificates
> ---
>
> Key: FELIX-4797
> URL: https://issues.apache.org/jira/browse/FELIX-4797
> Project: Felix
> Issue Type: Improvement
> Components: HTTP Service
> Reporter: Pascal Mainini
> Priority: Minor
> Labels: patch
> Attachments: 
> 0001-Patch-enabling-client-certificate-authentication-wit.patch, 
> enabling-sslContext-services.patch
>
>
> This is a patch enabling requesting client certificate authentication without 
> further validation of the certificates provided by the client. Rationale:
> Enabling requests of client certificates by setting 
> "org.apache.felix.https.clientcertificate" to "wants" or "needs" requests a 
> client-certificate from any connecting client. Depending on the value set, 
> this is either an optional or mandatory step to be fulfilled by the client in 
> order to have its HTTP-request further processed. 
> The client-certificate obtained is validated against either the 
> CA-certificates found in the truststore or - if none given - by the server's 
> certificate itself.
> For some use cases, this validation is unsuitable or not possible at all, 
> namely for supporting WebID-style (https://en.wikipedia.org/wiki/WebID) 
> authorization processed by a servlet within the container. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (FELIX-4797) Enable client certificate requesting without verifying the certificates

2015-02-17 Thread Pascal Mainini (JIRA)

[ 
https://issues.apache.org/jira/browse/FELIX-4797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14324253#comment-14324253
 ] 

Pascal Mainini commented on FELIX-4797:
---

In general, of course you are right. However, for specific use cases (like the 
WebID-style authentication as explained in the description of the issue), the 
certificate is only used for conveying additional data which is then used for 
authentication. The idea here is that a user generates a self-signed 
certificate with specific extensions pointing to the authentication data. Due 
to the fact that self-signed certificates are used (and are used on purpose), a 
validation of the client certificate will fail in any case. Without having the 
possibility to disable this validation in Felix/Jetty, it is not possible to 
write applications which read this additional information out of the 
certificate and process them further. I hope this clarifies things a bit; I can 
provide deeper explanations if needed.


--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
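
The application-side check that the comment above leaves to the servlet, as an added example (not code from the attached patch or from Felix): once the container stops validating the chain, the servlet has to bind the certificate's public key to the identity it claims. It assumes the WebID-TLS convention of carrying the WebID as a URI in subjectAltName; `WebIdClientCert` and the `ProfileKeys` lookup are hypothetical names.

```java
import java.net.URI;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import javax.servlet.http.HttpServletRequest;

public final class WebIdClientCert {
    /** Hypothetical: returns the public keys published in the profile document at a WebID URI. */
    public interface ProfileKeys { List<PublicKey> keysFor(URI webId) throws Exception; }

    private static final int SAN_URI = 6; // GeneralName type uniformResourceIdentifier

    /** Returns the verified WebID URI, or null when the request must be treated as anonymous. */
    public static URI authenticate(HttpServletRequest req, ProfileKeys profiles) throws Exception {
        // Standard servlet attribute holding the chain the client presented during the handshake.
        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) return null; // "wants" mode, no certificate sent
        X509Certificate leaf = chain[0];
        leaf.checkValidity(); // throws if expired or not yet valid
        byte[] presented = leaf.getPublicKey().getEncoded();
        for (URI candidate : sanUris(leaf)) {
            // The handshake only proved possession of the private key. Subject, issuer and
            // SAN are self-asserted until the profile at the URI lists this same key.
            for (PublicKey published : profiles.keysFor(candidate)) {
                if (Arrays.equals(presented, published.getEncoded())) return candidate;
            }
        }
        return null;
    }

    /** Collects https URIs from subjectAltName; the values are untrusted client input. */
    static List<URI> sanUris(X509Certificate cert) throws Exception {
        List<URI> out = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return out; // extension absent
        for (List<?> san : sans) {
            if ((Integer) san.get(0) != SAN_URI) continue;
            try {
                URI u = URI.create((String) san.get(1));
                if ("https".equalsIgnoreCase(u.getScheme())) out.add(u);
            } catch (IllegalArgumentException malformed) {
                // skip unparsable URIs rather than failing the whole request
            }
        }
        return out;
    }
}
```

A `ProfileKeys` implementation fetches a URL chosen by the client, so it should apply its own timeouts and destination restrictions.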


[jira] [Updated] (FELIX-4797) Enable client certificate requesting without verifying the certificates

2015-02-16 Thread Pascal Mainini (JIRA)

 [ 
https://issues.apache.org/jira/browse/FELIX-4797?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pascal Mainini updated FELIX-4797:
--
Attachment: 0001-Patch-enabling-client-certificate-authentication-wit.patch

git patch for the issue, appliable using "git am"



[jira] [Created] (FELIX-4797) Enable client certificate requesting without verifying the certificates

2015-02-16 Thread Pascal Mainini (JIRA)

Pascal Mainini created FELIX-4797:
-

 Summary: Enable client certificate requesting without verifying the certificates
 Key: FELIX-4797
 URL: https://issues.apache.org/jira/browse/FELIX-4797
 Project: Felix
 Issue Type: Improvement
 Components: HTTP Service
 Reporter: Pascal Mainini
 Priority: Minor


This is a patch enabling requesting client certificate authentication without 
further validation of the certificates provided by the client. Rationale:

Enabling requests of client certificates by setting 
"org.apache.felix.https.clientcertificate" to "wants" or "needs" requests a 
client-certificate from any connecting client. Depending on the value set, this 
is either an optional or mandatory step to be fulfilled by the client in order 
to have its HTTP-request further processed. 
The client-certificate obtained is validated against either the CA-certificates 
found in the truststore or - if none given - by the server's certificate itself.
For some use cases, this validation is unsuitable or not possible at all, namely 
for supporting WebID-style (https://en.wikipedia.org/wiki/WebID) authorization 
processed by a servlet within the container. 


