Easier access to invalid client certificates · jetty/jetty.project#6067

(5 评论) (0 反应) (0 负责人)Java (3,701 star) (1,913 fork)batch import

Help Wanted

描述

Jetty version 10.0.x

Description During the TLS handshake, in case of needClientAuth, the client may send an invalid (e.g. expired) certificate. The validation checks are performed by the TrustManager and if they fail there is no way to access the expired client certificate, for example in SslHandshakeListener.handshakeFailed(), as it is not exposed via SSLSession.getPeerCertificate(), etc.

The only option would be to wrap the TrustManager, but that requires subclassing SslContextFactory.Server and overriding getTrustManager(), whose signature is likely to change in light of #6054.

Would be great to have a more stable way to provide hooks into the TrustManager in a simpler way.

贡献者指南

技术栈: java
领域: backendsecurity
议题类型: feature
难度: 3
预计时间: 1-3 hours
活动状态: fresh
清晰度: mostly clear
前置要求: JavaTLS/SSL basicsJetty SslContextFactory
新手友好度: 30
研究方向: Investigate how Jetty's SslContextFactory.Server creates TrustManager instances and where client certificate validation occurs. Look at SslHandshakeListener.handshakeFailed() and SSLSession to understand current limitations. The goal is to expose invalid client certificates in the handshake failure callback, possibly by creating a wrapper trust manager or modifying the SslContextFactory API. Examine upstream issue #6054 for potential API changes.