Easier access to invalid client certificates · jetty/jetty.project#6067

(5 comments) (0 reactions) (0 assignees)Java (3,701 stars) (1,913 forks)batch import

Help Wanted

Description

Jetty version 10.0.x

Description During the TLS handshake, in case of needClientAuth, the client may send an invalid (e.g. expired) certificate. The validation checks are performed by the TrustManager and if they fail there is no way to access the expired client certificate, for example in SslHandshakeListener.handshakeFailed(), as it is not exposed via SSLSession.getPeerCertificate(), etc.

The only option would be to wrap the TrustManager, but that requires subclassing SslContextFactory.Server and overriding getTrustManager(), whose signature is likely to change in light of #6054.

Would be great to have a more stable way to provide hooks into the TrustManager in a simpler way.

Contributor guide

Tech stack: java
Domain: backendsecurity
Issue type: feature
Difficulty: 3
Estimated time: 1-3 hours
Activity status: fresh
Clarity: mostly clear
Prerequisites: JavaTLS/SSL basicsJetty SslContextFactory
Newbie friendliness: 30
Research direction: Investigate how Jetty's SslContextFactory.Server creates TrustManager instances and where client certificate validation occurs. Look at SslHandshakeListener.handshakeFailed() and SSLSession to understand current limitations. The goal is to expose invalid client certificates in the handshake failure callback, possibly by creating a wrapper trust manager or modifying the SslContextFactory API. Examine upstream issue #6054 for potential API changes.