Some progress:
With MINA 2.1.5, the SSLEngine.SSLConfiguration instance has the
clientAuthType set to CLIENT_AUTH_REQUIRED, while in MINA 2.2.0, it's
set to CLIENT_AUTH_NONE. That explains why the CertificateRequest is not
sent to the client.
Now to understand why this flag is improperly set...
On 01/04/2022 11:06, Emmanuel Lécharny wrote:
Still fighting...
When using MINA 2.1.6, I see that the client (FTPSClient, a Java class
that is not using MINA) sends a client Certificate to the server after
having received a CertificateRequest:
javax.net.ssl|FINE|01|main|2022-04-01 09:58:48.544
CEST|CertificateRequest.java:692|Consuming CertificateRequest handshake
message (
"CertificateRequest": {
"certificate types": [ecdsa_sign, rsa_sign, dss_sign]
"supported signature algorithms": [ecdsa_secp256r1_sha256,
ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256,
rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256,
rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224,
rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
"certificate authorities": [CN=ftpserver, CN=ftpclient]
}
)
...
javax.net.ssl|FINE|01|main|2022-04-01 09:58:48.546
CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|FINE|01|main|2022-04-01 09:58:48.547
CEST|CertificateMessage.java:330|Produced client Certificate handshake
message (
"Certificates": [
"certificate" : {
"version" : "v3",
"serial number" : "60 38 4B B4",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=ftpclient",
"not before" : "2021-02-26 02:15:32.000 CET",
"not after" : "2031-02-26 02:15:32.000 CET",
"subject" : "CN=ftpclient",
"subject public key" : "RSA"}
]
)
...
With MINA 2.2.0, I don't see any CertificateRequest being sent by the
server. Which I don't understand, because the NeedClientAuth flag is set
to true...
Still investigating
On 31/03/2022 14:38, Emmanuel Lécharny wrote:
OK, problem fixed with an added filter.
Now, I still get an NPE while trying to access the peerCertificate from
the session, even after the Handshake has been completed...
On 30/03/2022 18:02, Emmanuel Lécharny wrote:
Hi Jonathan,
no, it's just that we try to send a clear-text message after having
set the SSLFilter, pretty much like what we had to work around in
Directory. I'm going to fix that.
On 25/03/2022 19:48, Jonathan Valliere wrote:
Are you trying to get the peer cert after the filter emits the connected
after the handshake completes? If you do it too early it won't
populate.
On Fri, Mar 25, 2022 at 2:33 PM Emmanuel Lécharny <elecha...@gmail.com>
wrote:
Hi!
following the effort put in rewriting the SslFilter (and all the inner
code) by Jonathan lately, I would like to know if we could move forward
with an alpha version of this work.
I have tested it with Apache LDAP API and Apache Directory Server, with
success. I still have some work to do on FtpServer to have it working
with 2.2.X, we get some NPE when trying to fetch the peer certificate
from the SSLSession (for some unknown reason, when I call
sslSession.getPeerCertificates() it returns null).
WDYT?
--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecha...@busit.com https://www.busit.com/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
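The mechanism the thread is chasing (server sets needClientAuth, so the TLS 1.2 server flight carries a CertificateRequest, so the client sends its Certificate, so the server's SSLSession can return the peer chain; and any call made before the handshake completes, or with client auth off, throws SSLPeerUnverifiedException rather than returning a chain) can be reproduced with plain JSSE, without MINA. The following is an added example written for this page; it is not code from the thread, from MINA, or from FtpServer. It assumes a PKCS12 keystore `mutual.p12` (password `changeit`) holding a single self-signed RSA key pair that both sides use and trust; `ClientAuthCheck`, `handshake`, `step` and `peerOf` are names chosen here. It pins TLSv1.2 so the exchange matches the CertificateRequest/ServerHelloDone trace quoted above. Note that `setNeedClientAuth` must be called before `beginHandshake()`/the first `wrap`; flipping it later only affects a renegotiation.

```java
import javax.net.ssl.*;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import java.io.FileInputStream;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class ClientAuthCheck {
    // Assumption (not from the thread): one keystore, one self-signed RSA key, trusted by itself.
    static final String KEYSTORE = "mutual.p12";
    static final char[] PASSWORD = "changeit".toCharArray();

    static SSLContext context() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) { ks.load(in, PASSWORD); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    static SSLEngine engine(SSLContext ctx, boolean clientMode, boolean needClientAuth) {
        SSLEngine e = ctx.createSSLEngine();
        e.setUseClientMode(clientMode);
        e.setEnabledProtocols(new String[] {"TLSv1.2"}); // same message flow as the quoted trace
        if (!clientMode) {
            // This is the flag whose absence means no CertificateRequest is ever sent.
            e.setNeedClientAuth(needClientAuth);
        }
        return e;
    }

    // Drives one engine one step: produce, consume, or run its delegated tasks.
    static void step(SSLEngine e, ByteBuffer in, ByteBuffer out, ByteBuffer app) throws SSLException {
        switch (e.getHandshakeStatus()) {
            case NEED_WRAP:   e.wrap(ByteBuffer.allocate(0), out); break;   // out stays in write mode
            case NEED_UNWRAP: in.flip(); e.unwrap(in, app); in.compact(); break; // BUFFER_UNDERFLOW = peer not yet written
            case NEED_TASK:   for (Runnable r; (r = e.getDelegatedTask()) != null; ) r.run(); break;
            default: break;
        }
    }

    // In-memory loopback handshake: c2s and s2c play the role of the socket in both directions.
    static void handshake(SSLEngine client, SSLEngine server) throws Exception {
        int pkt = client.getSession().getPacketBufferSize();
        int app = client.getSession().getApplicationBufferSize();
        ByteBuffer c2s = ByteBuffer.allocate(pkt), s2c = ByteBuffer.allocate(pkt);
        ByteBuffer cApp = ByteBuffer.allocate(app), sApp = ByteBuffer.allocate(app);
        client.beginHandshake();
        server.beginHandshake();
        for (int i = 0; i < 1000; i++) {
            if (client.getHandshakeStatus() == HandshakeStatus.NOT_HANDSHAKING
                    && server.getHandshakeStatus() == HandshakeStatus.NOT_HANDSHAKING) return;
            step(client, s2c, c2s, cApp);
            step(server, c2s, s2c, sApp);
        }
        throw new IllegalStateException("handshake did not complete");
    }

    // The check a filter/session consumer should make: the chain is only there after a
    // completed handshake in which the server actually asked for a client certificate.
    static String peerOf(SSLEngine server) {
        try {
            Certificate[] chain = server.getSession().getPeerCertificates();
            return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
        } catch (SSLPeerUnverifiedException e) {
            return "no peer certificate (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = context();
        for (boolean need : new boolean[] {false, true}) {
            SSLEngine server = engine(ctx, false, need);
            SSLEngine client = engine(ctx, true, false);
            System.out.println("needClientAuth=" + server.getNeedClientAuth()
                    + " before handshake: " + peerOf(server));   // too early: always unverified
            handshake(client, server);
            System.out.println("needClientAuth=" + server.getNeedClientAuth()
                    + " after handshake:  " + peerOf(server));   // chain only when need=true
        }
    }
}
```

With `needClientAuth=false` the server never emits a CertificateRequest, so even a completed handshake leaves `getPeerCertificates()` throwing; with `true` the subject of the client's certificate comes back. The "before handshake" line reproduces the too-early access Jonathan describes, which on a real engine surfaces as SSLPeerUnverifiedException, and in a filter that swallows that exception, as a null that later becomes an NPE.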