[jira] [Commented] (FELIX-4797) Enable client certificate requesting without verifying the certificates
[ https://issues.apache.org/jira/browse/FELIX-4797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15510564#comment-15510564 ]

Pascal Mainini commented on FELIX-4797:
---------------------------------------

Hi Carsten, thanks for your inquiry. It's already quite long ago and I honestly don't recall the full details. From my side, however, the issue has either been resolved or worked around, so I think it can be closed here as well. Sorry for not keeping you updated!

> Enable client certificate requesting without verifying the certificates
> ------------------------------------------------------------------------
>
>                 Key: FELIX-4797
>                 URL: https://issues.apache.org/jira/browse/FELIX-4797
>             Project: Felix
>          Issue Type: Improvement
>          Components: HTTP Service
>            Reporter: Pascal Mainini
>            Priority: Minor
>              Labels: patch
>         Attachments: 0001-Patch-enabling-client-certificate-authentication-wit.patch, enabling-sslContext-services.patch
>
> This is a patch enabling requesting client certificate authentication without further validation of the certificates provided by the client. Rationale:
>
> Enabling requests of client certificates by setting "org.apache.felix.https.clientcertificate" to "wants" or "needs" requests a client certificate from any connecting client. Depending on the value set, this is either an optional or mandatory step to be fulfilled by the client in order to have its HTTP request further processed.
>
> The client certificate obtained is validated against either the CA certificates found in the truststore or, if none are given, by the server's certificate itself.
>
> For some use cases, this validation is unsuitable or not possible at all, namely for supporting WebID-style (https://en.wikipedia.org/wiki/WebID) authorization processed by a servlet within the container.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (FELIX-4797) Enable client certificate requesting without verifying the certificates
[ https://issues.apache.org/jira/browse/FELIX-4797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15505693#comment-15505693 ]

Carsten Ziegeler commented on FELIX-4797:
-----------------------------------------

[~pascal.mainini] Did the suggestion from [~jajans] work for you?
[jira] [Commented] (FELIX-4797) Enable client certificate requesting without verifying the certificates
[ https://issues.apache.org/jira/browse/FELIX-4797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14366177#comment-14366177 ]

J.W. Janssen commented on FELIX-4797:
-------------------------------------

[~reto] thanks for the patch, but I think it can be done even simpler and with the current released version of the Felix HTTP Jetty bundle: by registering a ConnectorFactory. I've added a sample project to demonstrate this, see https://github.com/jawi/https-client-certs/tree/master/http.accept.any.client.cert.
[jira] [Commented] (FELIX-4797) Enable client certificate requesting without verifying the certificates
[ https://issues.apache.org/jira/browse/FELIX-4797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14327223#comment-14327223 ]

Reto Gmür commented on FELIX-4797:
----------------------------------

It would also be possible to allow injection of services doing the certificate validation; in this case one could provide a service that does the WebID validation or that accepts all certificates. The proposed patch delegates validation to the application. This is often an advantage, for example when one wants to give back detailed descriptions of errors.
[jira] [Commented] (FELIX-4797) Enable client certificate requesting without verifying the certificates
[ https://issues.apache.org/jira/browse/FELIX-4797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14324208#comment-14324208 ]

J.W. Janssen commented on FELIX-4797:
-------------------------------------

[~pascal.mainini]: not sure what you are trying to solve exactly here: by simply trusting *any* certificate that the client provides without any validation, you basically are very much susceptible to MitM attacks, not?
[jira] [Commented] (FELIX-4797) Enable client certificate requesting without verifying the certificates
[ https://issues.apache.org/jira/browse/FELIX-4797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14324253#comment-14324253 ]

Pascal Mainini commented on FELIX-4797:
---------------------------------------

In general, of course you are right. However, for specific use cases (like the WebID-style authentication as explained in the description of the issue), the certificate is only used for conveying additional data which is then used for authentication. The idea here is that a user generates a self-signed certificate with specific extensions pointing to the authentication data. Due to the fact that self-signed certificates are used (and are used on purpose), a validation of the client certificate will fail in any case. Without having the possibility to disable this validation in Felix/Jetty, it is not possible to write applications which read this additional information out of the certificate and process it further.

I hope this clarifies things a bit; I can provide deeper explanations if needed.
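The division of labour the thread arrives at (accept the self-signed certificate at the TLS layer, then let the application verify the WebID it carries) looks like this in Java. This is an added example, not code from the Felix project, from the attached patches, or from any of the commenters. It assumes a servlet container that exposes the client chain under the Servlet-specification attribute `javax.servlet.request.X509Certificate` (Jetty does), a hypothetical `ProfileKeyLookup` interface standing in for the HTTP fetch of the WebID profile document, and that the trust manager is wired into the HTTPS connector by whatever means the deployment uses (for instance an `SSLContext` initialised with it); that wiring is assumed and not shown.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.X509TrustManager;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Added example (not Felix/Jetty code): accept any client cert at TLS level, verify WebID in a filter. */
public final class WebIdClientCertExample {

    /** Attribute name defined by the Servlet specification for the client certificate chain. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    /** GeneralName tag for uniformResourceIdentifier as returned by getSubjectAlternativeNames(). */
    static final int SAN_URI = 6;

    /**
     * Server-side trust manager that skips chain building, because WebID certificates are
     * self-signed. The handshake still proves the peer holds the private key; it proves
     * nothing about who that key belongs to, so identity is established later by the filter.
     */
    static final class AcceptAnyClientCertTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            if (chain == null || chain.length == 0) throw new CertificateException("no client certificate");
            chain[0].checkValidity(); // still refuse expired or not-yet-valid certificates
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            // Never reuse this manager for outbound connections; there it would disable server authentication.
            throw new CertificateException("client-auth side only");
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Assumed interface: the RSA key a WebID profile publishes for that identity, or null if unknown. */
    interface ProfileKeyLookup { RSAPublicKey fetchKey(String webId); }

    /** WebID candidates are the subjectAltName URI entries of the presented certificate. */
    static List<String> webIdCandidates(X509Certificate cert) throws CertificateParsingException {
        List<String> uris = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return uris;
        for (List<?> san : sans) {
            if ((Integer) san.get(0) == SAN_URI) uris.add((String) san.get(1));
        }
        return uris;
    }

    /** A candidate is authenticated only if its profile publishes exactly the key the client proved it holds. */
    static String authenticate(X509Certificate cert, ProfileKeyLookup lookup) throws CertificateParsingException {
        if (!(cert.getPublicKey() instanceof RSAPublicKey)) return null;
        RSAPublicKey presented = (RSAPublicKey) cert.getPublicKey();
        for (String webId : webIdCandidates(cert)) {
            RSAPublicKey published = lookup.fetchKey(webId);
            if (published != null
                    && published.getModulus().equals(presented.getModulus())
                    && published.getPublicExponent().equals(presented.getPublicExponent())) {
                return webId;
            }
        }
        return null; // SAN URIs present but none backed by a matching published key
    }

    /** Turns the unverified certificate into a verified WebID; "required" mirrors "needs" versus "wants". */
    static final class WebIdFilter implements Filter {
        private final ProfileKeyLookup lookup;
        private final boolean required;

        WebIdFilter(ProfileKeyLookup lookup, boolean required) { this.lookup = lookup; this.required = required; }
        @Override public void init(FilterConfig config) { }
        @Override public void destroy() { }

        @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse response = (HttpServletResponse) res;
            X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
            String webId = null;
            try {
                if (certs != null && certs.length > 0) webId = authenticate(certs[0], lookup);
            } catch (CertificateParsingException e) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "unparseable client certificate");
                return;
            }
            if (webId == null && required) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "no verifiable WebID");
                return;
            }
            if (webId != null) req.setAttribute("webid", webId); // downstream servlets read the verified identity here
            chain.doFilter(req, res);
        }
    }
}
```

Note what each half does and does not establish. The handshake's CertificateVerify step proves the client holds the private key matching the presented certificate, so the accept-all trust manager leaves the channel's own protection (server authentication, confidentiality) untouched; what it drops is any binding between that key and an identity. `authenticate` restores exactly that binding by comparing the key against the one the WebID profile publishes, and until it succeeds the SAN URIs in the certificate are nothing more than an unverified claim. That is why the access decision has to live in the filter and not in the trust manager, and why the trust manager must never be reused on the client side of a connection.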