TLS/SSL extensions

Liche alistair.braden at nominet.org.uk
Tue Jun 28 09:44:07 EDT 2011


I have implemented a working server with 2-way TLS client certificate
authentication. I need to extend it to verify that the client identity
included in the certificate (i.e. in subjectAltName) matches the client's
session data, and refuse the connection if it doesn't.

I'm really struggling (after several hours on Google) to figure out how to
do this with Netty. Any help is much appreciated!

My SSL stuff and channel pipeline look like this:

    private ChannelPipeline getSSLPipeline() throws Exception {
        ChannelPipeline pipeline = Channels.pipeline();

        SSLEngine engine = createSSLContext().createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true);

        pipeline.addLast("ssl", new SslHandler(engine));

        ... // (add other stuff to pipeline)

        return pipeline;
    }


/* filenames/passwords are injected from config file */

    private SSLContext createSSLContext() {
        try {
            KeyStore serverKeyStore = KeyStore.getInstance(SSL_KEY_STORE_FORMAT);
            serverKeyStore.load(new FileInputStream(keyStoreFilename), keyStorePassword);

            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(SSL_SECURITY_PROVIDER);
            keyManagerFactory.init(serverKeyStore, keyStorePassword);

            KeyStore clientKeyStore = KeyStore.getInstance(SSL_KEY_STORE_FORMAT);
            clientKeyStore.load(new FileInputStream(trustStoreFilename), trustStorePassword);
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(SSL_SECURITY_PROVIDER);
            trustManagerFactory.init(clientKeyStore);

            SSLContext serverContext = SSLContext.getInstance(SSL_PROTOCOL);
            serverContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

            return serverContext;
        } catch (Exception e) {
            throw new Error("Failed to initialize the server-side SSLContext", e);
        }
    }

--
View this message in context: http://netty-forums-and-mailing-lists.685743.n2.nabble.com/TLS-SSL-extensions-tp6524964p6524964.html
Sent from the Netty User Group mailing list archive at Nabble.com.
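One way to add the subjectAltName check the post asks for, as an added example that is not code from the original post or from Netty itself: a second handler placed right after the "ssl" handler waits for the handshake future, pulls the client certificate from the SSLEngine session, and closes the channel unless a dNSName entry in subjectAltName equals the expected identity. It assumes the Netty 3 API of the time and a hypothetical constructor argument expectedDnsName standing in for the identity taken from the client's session data.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.jboss.netty.channel.*;
import org.jboss.netty.handler.ssl.SslHandler;

/* Goes in the pipeline right after "ssl"; expectedDnsName is a hypothetical
 * stand-in for the identity taken from the client's session data. */
public class ClientIdentityHandler extends SimpleChannelUpstreamHandler {
    private static final int SAN_DNS_NAME = 2;   // GeneralName tag dNSName (RFC 5280)
    private final String expectedDnsName;
    public ClientIdentityHandler(String expectedDnsName) { this.expectedDnsName = expectedDnsName; }

    @Override
    public void channelConnected(ChannelHandlerContext ctx, ChannelStateEvent e) throws Exception {
        final SslHandler ssl = ctx.getPipeline().get(SslHandler.class);
        // The peer certificate is only available once the handshake has completed.
        ssl.handshake().addListener(new ChannelFutureListener() {
            public void operationComplete(ChannelFuture f) {
                if (!f.isSuccess() || !peerMatches(ssl)) {
                    f.getChannel().close();   // refuse the connection
                }
            }
        });
        super.channelConnected(ctx, e);
    }

    private boolean peerMatches(SslHandler ssl) {
        try {
            X509Certificate cert = (X509Certificate) ssl.getEngine().getSession().getPeerCertificates()[0];
            return sanContainsDnsName(cert, expectedDnsName);
        } catch (SSLPeerUnverifiedException ex) {
            return false;   // no client certificate was presented
        }
    }

    /* True only if a dNSName entry in subjectAltName equals the expected name. */
    static boolean sanContainsDnsName(X509Certificate cert, String expected) {
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans == null) return false;   // certificate carries no SAN extension
            for (List<?> san : sans) {
                if (((Integer) san.get(0)).intValue() == SAN_DNS_NAME
                        && expected.equalsIgnoreCase((String) san.get(1))) {
                    return true;
                }
            }
        } catch (CertificateParsingException ex) { /* unparsable extension: no match */ }
        return false;
    }
}
```

If the client identity in the session data is an e-mail address or URI rather than a host name, only the GeneralName tag constant (1 for rfc822Name, 6 for uniformResourceIdentifier) and the comparison need to change; a certificate with no matching entry is still rejected.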
