[jboss-jira] [JBoss JIRA] (JGRP-2214) SSL_KEY_EXCHANGE: add hook to verify SSL session credentials

Bela Ban (JIRA) issues at jboss.org
Tue Aug 29 03:24:00 EDT 2017


    [ https://issues.jboss.org/browse/JGRP-2214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13455029#comment-13455029 ] 

Bela Ban edited comment on JGRP-2214 at 8/29/17 3:23 AM:
---------------------------------------------------------

Attached {{CertificateCNMatcher}}. This matches the peer certificate's name against a pattern which is defined via {{session_verifier_arg}} in {{SSL_KEY_EXCHANGE}}. The following 2 attributes are added to the config:
{code:xml}
session_verifier_class="org.jgroups.protocols.CertficateCNMatcher"
session_verifier_arg="CN=FR59235"
{code}



> SSL_KEY_EXCHANGE: add hook to verify SSL session credentials
> ------------------------------------------------------------
>
>                 Key: JGRP-2214
>                 URL: https://issues.jboss.org/browse/JGRP-2214
>             Project: JGroups
>          Issue Type: Feature Request
>    Affects Versions: 4.0.5
>            Reporter: Bela Ban
>            Assignee: Bela Ban
>             Fix For: 4.0.6
>
>         Attachments: CertficateCNMatcher.java
>
>
> In {{SSL_KEY_EXCHANGE}}, when an SSL session has been established, we're sure that the credentials of the server and client are OK.
> However, an additional check might be required, e.g. that the CN in the peer's certificate always matches a given pattern, or that the org always is "IBM" (for example).
> If this is not the case, terminate the SSL connection.
> Todo: add the fully qualified name of a class and an argument (e.g. the pattern). An instance of the class will be created and initialized with the pattern. When an SSL session has been created ({{connect()}} on the client, {{accept()}} on the server), the {{verify()}} method in the instance is called and it needs to throw a {{SecurityException}} if the session cannot be accepted.
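
A sketch of the kind of verifier the issue describes, added here as an example; it is not the attached CertficateCNMatcher and does not use JGroups' own interface. The class name `PeerCnVerifier` and its constructor argument are hypothetical. It parses the subject DN so that the pattern is compared against the CN attribute alone rather than against the whole DN string, and it fails closed when the peer presents no certificate.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.regex.Pattern;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Hypothetical verifier (not the attached class): accepts a session only if a peer CN fully matches a regex. */
public class PeerCnVerifier {
    private final Pattern cnPattern;

    /** @param cnRegex regex for the CN value only (assumed format), e.g. "FR59235" or "FR\\d{5}" */
    public PeerCnVerifier(String cnRegex) {
        this.cnPattern = Pattern.compile(cnRegex);
    }

    /** Call once the session exists (after connect()/accept()); throws if it must be dropped. */
    public void verify(SSLSession session) throws SecurityException {
        final Certificate[] chain;
        try {
            chain = session.getPeerCertificates();   // index 0 is the peer's own certificate
        } catch (SSLPeerUnverifiedException e) {
            // e.g. the server side did not require client authentication
            throw new SecurityException("peer presented no verified certificate", e);
        }
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate))
            throw new SecurityException("peer certificate is not X.509");
        String dn = ((X509Certificate) chain[0]).getSubjectX500Principal().getName(); // RFC 2253 form
        if (!cnMatches(dn))
            throw new SecurityException("peer subject '" + dn + "' rejected");
    }

    /** True if any CN attribute in the DN matches the whole pattern; a substring of the DN never counts. */
    boolean cnMatches(String dn) {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                Attribute cn = rdn.toAttributes().get("CN");   // also covers multi-valued RDNs
                if (cn != null && cnPattern.matcher(String.valueOf(cn.get())).matches())
                    return true;
            }
        } catch (NamingException e) {
            return false;   // unparsable subject: fail closed
        }
        return false;
    }
}
```

With the pattern `FR59235`, a subject of `CN=FR59235,O=Example` is accepted, while `CN=FR592350,O=Example` and `CN=other,OU=CN\=FR59235` are rejected, because `matches()` anchors the regex to the full CN value.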


