[undertow-dev] OpenSSL

Kim Rasmussen kr at asseco.dk
Mon Feb 13 01:26:02 EST 2017


Awesome thanks.
Is there a snapshot repository available somewhere if I prefer to avoid
doing the native builds?

No worries regarding renegotiating the client certificate - I have always
found that the only truly reliable way of asking for a client cert is to set
"need/wantClientAuth" to true at the start - that gives the fewest problems
with various clients.
It is in my opinion only in the last few years that wantClientAuth has
started to work reliably with browsers without various side-effects in
the client GUI.

Great work again, thanks
/Kim

2017-02-13 3:41 GMT+01:00 Stuart Douglas <sdouglas at redhat.com>:

> Looks like a bug came in with a recent refactor. I just pushed a fix
> upstream if you want to try it.
>
> One thing that is still not working is client cert renegotiation. I am
> still working on it, but OpenSSL does not seem to be requesting the
> client certificate when renegotiating, so you need to ask for the
> client certificate in the initial handshake.
>
> Stuart
>
> On Mon, Feb 13, 2017 at 7:15 AM, Kim Rasmussen <kr at asseco.dk> wrote:
> > Hi,
> >
> > I am trying to play around with the beta of the OpenSSL native engine at:
> > https://github.com/wildfly/wildfly-openssl together with undertow 1.4.10 -
> > running on windows with openssl 1.0.2k libraries.
> >
> > But, I am not having a whole lot of luck... meaning in general it seems to
> > work fine, but there is no SSLSession available, and thus no client
> > certificates, info about ciphers etc. - also since the session is not
> > present, Undertow sets the request scheme to "http" and not "https".
> >
> > I have looked at it a bit, and I can see that the OpenSSLEngine seems to
> > always return null when calling getSession(), so it does look like the
> > engine is at fault.
> > The SSL engine has a ConcurrentHashMap of sessions, which is initialized
> > when OpenSSLSessionContext.sessionCreatedCallback() is called - but it looks
> > like it never is.
> >
> > Does anyone else have it working with SSL sessions being available? Or
> > know of something obvious that I am doing wrong?
> >
> > Thanks.
> > /Kim
> >
> > --
> > Med venlig hilsen / Best regards
> >
> > Kim Rasmussen
> > Partner, IT Architect
> >
> > Asseco Denmark A/S
> > Kronprinsessegade 54
> > DK-1306 Copenhagen K
> > Mobile: +45 26 16 40 23
> > Ph.: +45 33 36 46 60
> > Fax: +45 33 36 46 61
> >
> >
>



-- 
Med venlig hilsen / Best regards

*Kim Rasmussen*
Partner, IT Architect

*Asseco Denmark A/S*
Kronprinsessegade 54
DK-1306 Copenhagen K
Mobile: +45 26 16 40 23
Ph.: +45 33 36 46 60
Fax: +45 33 36 46 61
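The practice Kim describes (request the client certificate in the initial handshake via need/wantClientAuth rather than relying on renegotiation) and the symptom in the original report (an engine whose getSession() returns null, so no peer certificates or cipher details are visible) can both be illustrated with the standard JSSE API. The following is an added example written for this page; it is not code from the undertow or wildfly-openssl projects, and the class and method names are my own. It assumes the caller already has an SSLContext initialised with a key manager and a trust manager for the client CA.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/** Hypothetical helper (not part of Undertow) showing client-auth configured up front. */
public final class ClientAuthAtHandshake {

    private ClientAuthAtHandshake() {}

    /**
     * Create a server-side engine that asks for the client certificate in the
     * initial handshake. With required=true the handshake fails if the client
     * presents no certificate (needClientAuth); with required=false the
     * certificate is requested but optional (wantClientAuth). Either way the
     * request happens at the start, so no renegotiation is needed later.
     */
    public static SSLEngine serverEngine(SSLContext ctx, boolean required) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        if (required) {
            engine.setNeedClientAuth(true);
        } else {
            engine.setWantClientAuth(true);
        }
        return engine;
    }

    /**
     * Return the client's leaf certificate, or null when it cannot be
     * determined. A null SSLSession is the failure mode reported in the
     * thread: without a session there are no peer certificates and no cipher
     * information, so callers must not assume the connection is authenticated.
     */
    public static X509Certificate peerLeafCertificate(SSLEngine engine) {
        SSLSession session = engine.getSession();
        if (session == null) {
            return null;
        }
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return null;
            }
            return (X509Certificate) chain[0];
        } catch (SSLPeerUnverifiedException e) {
            // Client sent no certificate (possible with wantClientAuth) or it
            // failed verification; treat as unauthenticated.
            return null;
        }
    }

    /** Human-readable summary for diagnostics, tolerant of a missing session. */
    public static String describe(SSLEngine engine) {
        SSLSession session = engine.getSession();
        if (session == null) {
            return "no SSLSession available (engine returned null)";
        }
        X509Certificate leaf = peerLeafCertificate(engine);
        return session.getProtocol() + " " + session.getCipherSuite()
                + ", client=" + (leaf == null ? "<none>" : leaf.getSubjectX500Principal());
    }
}
```

When wiring this into a request handler, treat a null result from peerLeafCertificate() as "not authenticated" rather than as a transport error; with wantClientAuth that is the legitimate outcome for a client that simply has no certificate, and with the engine bug described in the thread it is the only signal you will get that session information is missing.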