Hi, I am working with ActiveMQ 5.11 and have a question about client certificates when WebSockets are in use. I'm specifically using the wss:// connector.
My goal is to achieve client-certificate (mutual) authentication over each of the ssl://, amqp+ssl://, and wss:// transports. I've been able to do this in the latter two cases by using wantClientAuth on the transport config and providing a BrokerPlugin and BrokerFilter that override the addConnection(ConnectionContext, ConnectionInfo) methods and retrieve the credentials in that method. Peer certificates in these cases are retrieved via casting ConnectionInfo's getTransportContext() into an array of X509Certificate objects, representing the peer cert chain. In the websocket case, however, getTransportContext() does not return the peer certs, and my custom login module fails to see credentials to authenticate the user.

Is it possible to retrieve the peer certificate chain in this case? Since the websocket's handshake and subsequent upgrade request are indirect compared to the other two transports, I'm guessing that the peer certs are exchanged during the TLS handshake and are lost when the session upgrade occurs, looking at classes like WSServlet (which passes nothing from the HttpServletRequest to the StompSocket it creates), and that further, because the upgrade occurs, there is no real tracking of the initial connection that exchanged the certs in the first place, making it impossible to dig them out via some other mechanism. Is that accurate?

Thanks,
Steve

--
View this message in context: http://activemq.2283324.n4.nabble.com/Stomp-WebSockets-and-client-certificates-tp4702673.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
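As an added illustration of the BrokerPlugin/BrokerFilter approach the question describes (this is example code, not code from the poster or from ActiveMQ itself), the filter below reads the peer chain from ConnectionInfo.getTransportContext() in addConnection() and fails closed when a transport hands over no X509Certificate[], which is the situation reported for wss://. The class names and the subject allowlist are assumptions; chain trust against the truststore is left to the TLS layer configured with wantClientAuth.

```java
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.BrokerPlugin;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.ConnectionInfo;

// Hypothetical plugin (not part of ActiveMQ) enforcing mutual-TLS identity at addConnection().
public class PeerCertAuthPlugin implements BrokerPlugin {
    // Constructed allowlist of RFC 2253 subject DNs; a real deployment loads this from config.
    private static final Set<String> ALLOWED_SUBJECTS = new HashSet<>(Arrays.asList(
        "CN=client-a,O=Example Corp", "CN=client-b,O=Example Corp"));

    @Override
    public Broker installPlugin(Broker next) {
        return new PeerCertAuthFilter(next);
    }

    static final class PeerCertAuthFilter extends BrokerFilter {
        PeerCertAuthFilter(Broker next) { super(next); }

        @Override
        public void addConnection(ConnectionContext ctx, ConnectionInfo info) throws Exception {
            Object tc = info.getTransportContext();
            // Fail closed: a transport that did not populate the peer chain (the wss:// case in
            // the question) yields no credentials, so the connection is refused rather than
            // falling through to an unauthenticated session.
            if (!(tc instanceof X509Certificate[]) || ((X509Certificate[]) tc).length == 0) {
                throw new SecurityException("No peer certificate chain for connection "
                    + info.getConnectionId() + " from " + ctx.getConnection().getRemoteAddress());
            }
            X509Certificate leaf = ((X509Certificate[]) tc)[0];
            leaf.checkValidity();  // throws CertificateExpiredException / NotYetValidException
            String subject = leaf.getSubjectX500Principal().getName();
            if (!ALLOWED_SUBJECTS.contains(subject)) {
                throw new SecurityException("Peer certificate subject not authorised: " + subject);
            }
            // Record the authenticated identity so downstream authorization plugins can use it.
            info.setUserName(subject);
            super.addConnection(ctx, info);
        }
    }
}
```

Register the plugin in the broker's `<plugins>` section (or via BrokerService.setPlugins) so it wraps the broker chain before the authentication and authorization plugins.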