About SSL client authentication and authenticating individual messages received over the connection
Mathew Johnston
mjohnston at capsaicin.ca
Mon Jan 10 19:48:56 EST 2011
Hi Marc, thanks for your reply.
I got this working, so I'll describe what I did in case it helps anyone in
the future.
My use case is a bit contrived. In my application protocol, I get a client
hostname string. The application includes this value because the connection
need not always use SSL client authentication. In my implementation, SSL
client auth is mandatory, so I don't really need to make this check (I can
just look at the client cert directly and ignore this value). That said, I
decided I'd make sure the certificate and the application layer match for
the sake of additional paranoia. Regardless, the following information
would be useful.
In my PipelineFactory, I created my SSLEngine and added it to the pipeline.
I also passed a reference to the engine up to my HTTP RequestHandler.
You can call sslEngine.getSession().getPeerCertificates() to get an array
containing the trusted certificate path used to authenticate the client.
Element 0 is the client's certificate. If the certificate is an
X509Certificate, you can use the
sun.security.util.HostnameChecker.match(String hostname, X509Certificate
cert) to compare a hostname string to a certificate. I assume that this is
what Java uses to authenticate the connection in the first place. I feel
somehow sneaky using this class but it is public.
Hope that helps (and doesn't hinder) someone in the future.
Cheers,
Mat
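Below is an added example of the approach Mat describes (pass the SSLEngine from the pipeline factory up to the request handler, read element 0 of getPeerCertificates(), compare it to the application-layer machine name). It is not code from the thread or from the Netty project. It assumes the Netty 3.x API of the time (ChannelPipelineFactory, SslHandler, SimpleChannelUpstreamHandler), an SSLContext already initialised with the server key and the client trust store, and a hypothetical "X-Machine-Name" header standing in for the machine name carried in the SOAP body. The name comparison uses the public X509Certificate API (dNSName SANs, with a CN fallback only when no dNSName SAN is present) rather than sun.security.util.HostnameChecker, which is a JDK-internal class and is not accessible under the module encapsulation of newer JDKs.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.jboss.netty.channel.ChannelHandlerContext;
import org.jboss.netty.channel.ChannelPipeline;
import org.jboss.netty.channel.ChannelPipelineFactory;
import org.jboss.netty.channel.Channels;
import org.jboss.netty.channel.MessageEvent;
import org.jboss.netty.channel.SimpleChannelUpstreamHandler;
import org.jboss.netty.handler.codec.http.HttpRequest;
import org.jboss.netty.handler.codec.http.HttpRequestDecoder;
import org.jboss.netty.handler.codec.http.HttpResponseEncoder;
import org.jboss.netty.handler.ssl.SslHandler;

/** Compares an application-supplied machine name against the client certificate that authenticated the SSL session. */
public final class ClientCertHostnameCheck {
    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName in getSubjectAlternativeNames()

    private final SSLEngine engine;

    public ClientCertHostnameCheck(SSLEngine engine) { this.engine = engine; }

    /** The client's own (leaf) certificate, i.e. element 0 of the peer chain, or null if no client cert was verified. */
    public X509Certificate clientCertificate() {
        try {
            Certificate[] chain = engine.getSession().getPeerCertificates();
            if (chain.length > 0 && chain[0] instanceof X509Certificate) {
                return (X509Certificate) chain[0];
            }
        } catch (SSLPeerUnverifiedException e) {
            // Peer not authenticated: no cert presented, cert not trusted, or handshake not finished yet
        }
        return null;
    }

    /** True if claimedHost equals a dNSName SAN; the subject CN is consulted only when the cert has no dNSName SAN. */
    public boolean hostnameMatches(String claimedHost) {
        X509Certificate cert = clientCertificate();
        if (cert == null || claimedHost == null) return false;
        String claimed = claimedHost.toLowerCase(Locale.ROOT);
        boolean sawDnsSan = false;
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    if (SAN_DNS_NAME == (Integer) san.get(0)) {
                        sawDnsSan = true;
                        if (claimed.equals(((String) san.get(1)).toLowerCase(Locale.ROOT))) return true;
                    }
                }
            }
        } catch (CertificateParsingException e) {
            return false; // malformed SAN extension: treat as no match
        }
        if (sawDnsSan) return false; // dNSName SANs exist but none matched: do not fall back to the CN
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())
                        && claimed.equals(String.valueOf(rdn.getValue()).toLowerCase(Locale.ROOT))) {
                    return true;
                }
            }
        } catch (InvalidNameException e) {
            return false;
        }
        return false;
    }
}

/** Pipeline wiring (assumed Netty 3.x API): the engine given to the SslHandler is also handed to the request handler. */
class CheckedPipelineFactory implements ChannelPipelineFactory {
    private final SSLContext sslContext; // assumed: initialised with the server key and the client trust store

    CheckedPipelineFactory(SSLContext sslContext) { this.sslContext = sslContext; }

    public ChannelPipeline getPipeline() throws Exception {
        SSLEngine engine = sslContext.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true); // client auth is mandatory, so an unauthenticated peer never reaches the handler
        ChannelPipeline p = Channels.pipeline();
        p.addLast("ssl", new SslHandler(engine));
        p.addLast("decoder", new HttpRequestDecoder());
        p.addLast("encoder", new HttpResponseEncoder());
        p.addLast("handler", new CheckedRequestHandler(new ClientCertHostnameCheck(engine)));
        return p;
    }
}

/** Request handler that refuses messages whose claimed machine name does not match the TLS-authenticated identity. */
class CheckedRequestHandler extends SimpleChannelUpstreamHandler {
    private final ClientCertHostnameCheck check;

    CheckedRequestHandler(ClientCertHostnameCheck check) { this.check = check; }

    @Override
    public void messageReceived(ChannelHandlerContext ctx, MessageEvent e) throws Exception {
        HttpRequest request = (HttpRequest) e.getMessage();
        String claimed = request.getHeader("X-Machine-Name"); // hypothetical stand-in for the name in the SOAP body
        if (!check.hostnameMatches(claimed)) {
            ctx.getChannel().close(); // application-layer identity and certificate identity disagree
            return;
        }
        super.messageReceived(ctx, e);
    }
}
```

Two points worth keeping in mind when reusing this: getPeerCertificates() throws SSLPeerUnverifiedException rather than returning an empty array when the client was not authenticated, so the null return above is the only safe signal; and because element 0 is the leaf certificate, the name comparison is deliberately limited to that certificate and never to the issuers further up the chain.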
2010/12/23 Marc-André Laverdière <marcandre.laverdiere at gmail.com>
> Normally, the default java SSL implementation does DNS resolution and
> reverse lookups. You just need to have a trust store.
>
> On 21 Dec 2010 03:58, "Mathew Johnston" <mjohnston at capsaicin.ca> wrote:
>
> Hi,
>
> I'm implementing a protocol that depends on SSL for client authentication.
> The application messages (over SOAP) contain a machine name. The requirement
> I have is to validate the machine name in the message against the machine
> name listed in the client certificate used for authentication at the SSL
> layer. Is this possible? What's the best way to do this?
>
> I'm assuming so far that I want to compare against the results of
> SSLEngine.getPrincipal(); is this correct? At my application layer
> (HttpRequestHandler), I don't have a reference to the SSLEngine used by the
> SSLHandler. Is it a good idea to simply pass my HttpRequestHandler's
> constructor a reference to the SSLEngine instance I'm using to construct the
> SSLHandler (this would of course be in my PipelineFactory)?
>
> Is there another method that's preferable?
>
> Since the certificates are all hostname based, I'm assuming that the SSL
> layer does the appropriate name resolution to authenticate the client. Is
> this also correct? Or, do I need to implement my own TrustManager to do the
> lookup and check against the principal?
>
> Cheers,
> Mathew Johnston
>
> _______________________________________________
> netty-users mailing list
> netty-users at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/netty-users
>
>