[jboss-jira] [JBoss JIRA] (JGRP-2214) SSL_KEY_EXCHANGE: add hook to verify SSL session credentials
Bela Ban (JIRA)
issues at jboss.org
Tue Aug 29 03:24:00 EDT 2017
[ https://issues.jboss.org/browse/JGRP-2214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13455029#comment-13455029 ]
Bela Ban commented on JGRP-2214:
--------------------------------
Attached {{CertificateCNMatcher}}. This matches the peer certificate's name against a pattern which is defined via {{session_verifier_arg}} in {{SSL_KEY_EXCHANGE}}. The following 2 attributes are added to the config:
{code:xml}
session_verifier_class="org.jgroups.protocols.CertficateCNMatcher"
session_verifier_arg="CN=FR59235"
{code}
> SSL_KEY_EXCHANGE: add hook to verify SSL session credentials
> ------------------------------------------------------------
>
> Key: JGRP-2214
> URL: https://issues.jboss.org/browse/JGRP-2214
> Project: JGroups
> Issue Type: Feature Request
> Affects Versions: 4.0.5
> Reporter: Bela Ban
> Assignee: Bela Ban
> Fix For: 4.0.6
>
> Attachments: CertficateCNMatcher.java
>
>
> In {{SSL_KEY_EXCHANGE}}, when an SSL session has been established, we're sure that the credentials of the server and client are OK.
> However, an additional check might be required, e.g. that the CN in the peer's certificate always matches a given pattern, or that the org always is "IBM" (for example).
> If this is not the case, terminate the SSL connection.
> Todo: add the fully qualified name of a class and an argument (e.g. the pattern). An instance of the class will be created and initialized with the pattern. When an SSL session has been created ({{connect()}} on the client, {{accept()}} on the server), the {{verify()}} method in the instance is called and it needs to throw a {{SecurityException}} if the session cannot be accepted.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
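A sketch of the kind of verifier described in the issue, added here as an example; it is not the `CertficateCNMatcher` attached to the issue, and the class name `CnPatternVerifier` and the helper `verifyName()` are hypothetical. It assumes the argument is a regular expression for the CN value alone, and it parses the subject DN into RDNs so that a substring elsewhere in the name cannot satisfy the check.

```java
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Hypothetical class; not the CertficateCNMatcher attached to the issue.
public class CnPatternVerifier {
    private final Pattern cnPattern;

    // Assumption: arg is a regex for the CN value only, e.g. "FR59235"
    public CnPatternVerifier(String arg) { cnPattern = Pattern.compile(arg); }

    // Called after the handshake; throws SecurityException to reject the session.
    public void verify(SSLSession session) throws SecurityException {
        try {
            verifyName(session.getPeerPrincipal().getName());
        } catch (SSLPeerUnverifiedException e) {
            throw new SecurityException("peer presented no verified certificate", e);
        }
    }

    // Parses the DN into RDNs so that only a real CN attribute is compared,
    // and requires a full match rather than a substring match.
    void verifyName(String dn) throws SecurityException {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())
                        && cnPattern.matcher(rdn.getValue().toString()).matches())
                    return;
            }
        } catch (InvalidNameException e) {
            throw new SecurityException("unparsable subject name: " + dn, e);
        }
        throw new SecurityException("CN of " + dn + " does not match " + cnPattern);
    }

    public static void main(String[] args) {
        CnPatternVerifier v = new CnPatternVerifier("FR59235");
        // Constructed subject names, not taken from real certificates
        String[] dns = { "CN=FR59235,O=IBM,C=FR", "CN=FR592350,O=IBM,C=FR",
                         "CN=other,OU=CN\\=FR59235,O=IBM" };
        for (String dn : dns) {
            try { v.verifyName(dn); System.out.println("accept " + dn); }
            catch (SecurityException e) { System.out.println("reject " + dn); }
        }
    }
}
```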