jetty / jetty.project

Eclipse Jetty® - Web Container & Clients - supports HTTP/2, HTTP/1.1, HTTP/1.0, websocket, servlets, and more
https://eclipse.dev/jetty

Easier access to invalid client certificates #6067

Open sbordet opened 3 years ago

sbordet commented 3 years ago

Jetty version: 10.0.x

Description: During the TLS handshake, in case of needClientAuth, the client may send an invalid (e.g. expired) certificate. The validation checks are performed by the TrustManager and if they fail there is no way to access the expired client certificate, for example in SslHandshakeListener.handshakeFailed(), as it is not exposed via SSLSession.getPeerCertificate(), etc.

The only option would be to wrap the TrustManager, but that requires subclassing SslContextFactory.Server and overriding getTrustManager(), whose signature is likely to change in light of #6054.

It would be great to have a more stable way to provide hooks into the TrustManager in a simpler way.
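As an added illustration of the wrapping workaround the issue describes (example code, not Jetty's own): a delegating X509ExtendedTrustManager that reports the client chain the real trust manager rejected, so the failed certificate can be logged for audit or diagnostics while the handshake still fails. The class names `RejectedClientCertTrustManager` and `Factory` are assumptions, and the `getTrustManagers(KeyStore, Collection)` override signature is assumed from Jetty 10.0.x (the issue notes it may change).

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.function.BiConsumer;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
import org.eclipse.jetty.util.ssl.SslContextFactory;
/** Wraps the real trust manager: a client chain it rejects is handed to the listener
 *  (e.g. for audit logging) before the CertificateException propagates unchanged. */
public final class RejectedClientCertTrustManager extends X509ExtendedTrustManager {
    private interface Check { void run() throws CertificateException; }
    private final X509ExtendedTrustManager delegate;
    private final BiConsumer<X509Certificate[], CertificateException> onRejected;
    public RejectedClientCertTrustManager(X509ExtendedTrustManager delegate, BiConsumer<X509Certificate[], CertificateException> onRejected) {
        this.delegate = delegate;
        this.onRejected = onRejected;
    }
    // Run the delegate's check; on rejection report the chain, then rethrow so the handshake still fails.
    private void client(X509Certificate[] chain, Check check) throws CertificateException {
        try { check.run(); }
        catch (CertificateException e) { onRejected.accept(chain, e); throw e; }
    }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { client(c, () -> delegate.checkClientTrusted(c, a)); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { client(c, () -> delegate.checkClientTrusted(c, a, s)); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { client(c, () -> delegate.checkClientTrusted(c, a, e)); }
    // Server-side (outgoing connection) checks are not the issue's concern; delegate them unchanged.
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkServerTrusted(c, a); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { delegate.checkServerTrusted(c, a, s); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { delegate.checkServerTrusted(c, a, e); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    /** The subclassing hook the issue describes; the override signature is assumed from Jetty 10.0.x and may change. */
    public static final class Factory extends SslContextFactory.Server {
        @Override protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception {
            TrustManager[] managers = super.getTrustManagers(trustStore, crls);
            for (int i = 0; i < managers.length; i++) {
                if (!(managers[i] instanceof X509ExtendedTrustManager)) continue;
                managers[i] = new RejectedClientCertTrustManager((X509ExtendedTrustManager) managers[i], (chain, e) ->
                    System.err.printf("rejected client cert subject=%s notAfter=%s reason=%s%n",
                        chain[0].getSubjectX500Principal(), chain[0].getNotAfter(), e.getMessage()));
            }
            return managers;
        }
    }
}
```

Because the wrapper rethrows the original exception, validation behaviour is unchanged; only the rejected chain becomes observable.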

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has been a full year without activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has been a full year without activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] commented 8 months ago

This issue has been automatically marked as stale because it has been a full year without activity. It will be closed if no further activity occurs. Thank you for your contributions.