Disable "Acceptable client certificate CA names" on MTLS client connect.

[gerardnorton]

In MTLS configuration, by default, all allowed clients CN are returned when a client initializes an SSL communication. This can lead to many security risks and information leaks.

This is my server implementation:

@Bean
public ConfigurableServletWebServerFactory webServerFactory(
                        SslContextFactory.Server sslContextFactory,
                        @Value("${server.port}") int serverPort) {
     JettyServletWebServerFactory factory = new JettyServletWebServerFactory();
     JettyServerCustomizer jettyServerCustomizer = server -> {
          ServerConnector serverConnector = new ServerConnector(server, sslContextFactory);
          serverConnector.setPort(serverPort);
          server.setConnectors(new Connector[] {serverConnector});
     };
     factory.setServerCustomizers(Collections.singletonList(jettyServerCustomizer));
     return factory;
}

@Bean
public SSLFactory sslFactory(@Value("${ssl.keystore-path}") String keyStorePath,
                        @Value("${ssl.keystore-password}") String keyStorePassword,
                        @Value("${ssl.truststore-path}") String trustStorePath,
                        @Value("${ssl.truststore-password}") String trustStorePassword)
                        throws Exception {
    ...
    return SSLFactory.builder()
         .withIdentityMaterial(identityKeystore.toPath(), keyStorePassword.toCharArray())
         .withTrustMaterial(identityTruststore.toPath(),   trustStorePassword.toCharArray())
         .withSwappableIdentityMaterial().withSwappableTrustMaterial()
         .withNeedClientAuthentication(Boolean.TRUE)
         .withProtocols("TLSv1.3", "TLSv1.2")
         .withCiphers("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384")
         .withSessionTimeout(3600).withSessionCacheSize(1024).build();
}

@Bean
public SslContextFactory.Server sslContextFactory(SSLFactory sslFactory) {
         return JettySslUtils.forServer(sslFactory);
}

Command to check issue:

openssl s_client -showcerts -servername 127.0.0.1 -connect 127.0.0.1:8443 </dev/nul

Partial reponse:

Server certificate
subject=CN = ssl-server-cert
issuer=CN = ssl-ca-cert

Acceptable client certificate CA names
CN = ssl-ca-cert
CN = [email protected]
CN = [email protected]
CN = [email protected]
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 2228 bytes and written 472 bytes
Verification error: self-signed certificate in certificate chain

How can I disable the response of allowed clients in the truststore file?

Best regards :-)

[Hakky54]

I am not able to understand what you want to configure. Can you give me more context so I can understand your situation? What issue do you have and what would you like to prevent?

[gerardnorton]

For example.
In Nginx you can change this behavior by changing the directive ssl_client_certificate to ssl_trusted_certificate

ssl_client_certificate

The list of certificates will be sent to clients. If this is not desired, the [ssl_trusted_certificate](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate) directive can be used.

ssl_trusted_certificate

In contrast to the certificate set by [ssl_client_certificate](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate), the list of these certificates will not be sent to clients.

Suppose you do not want to inform the client of the trusted certificates that are accepted by the server.

Reference: rfc5246 section-7.4.4

[Hakky54]

Ah now it is more clear. Just to clarify, you want to disable the following additional output right:

CN = ssl-ca-cert
CN = [email protected]
CN = [email protected]
CN = [email protected]

Can you maybe share some test identity and truststores so I can investigate possible configurations? I think it is possible, however I am not able to reproduce the server output which you have as I have different keystores. Looking forward to your respons

[gerardnorton]

Keystore example with CA and server certificate:

MIIN1AIBAzCCDX4GCSqGSIb3DQEHAaCCDW8Egg1rMIINZzCCBa4GCSqGSIb3DQEHAaCCBZ8EggWb
MIIFlzCCBZMGCyqGSIb3DQEMCgECoIIFQDCCBTwwZgYJKoZIhvcNAQUNMFkwOAYJKoZIhvcNAQUM
MCsEFEVAS5aeUmGyQrsOqJGuli6htosGAgInEAIBIDAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQB
KgQQ/qtephRjefEVUSTm/H2ZHwSCBNDYZX99vJ/ynugjZSgZ3YnH920gcJGhzkq778grQD3KJ6Sx
VOyjuT3DOObliTBgcLubxgoW5XXVYgdpoGEJ4xoYvKFM2BPS2xaOe00Vn0mvUufhJ8PRjhzKKUMl
w1zeWDDgCEbfO9O7T35y7nkGtq9ZyQf0yDhovuROs7NzbV/Fh1sL/jRBXKOEGqD7zeVUBZHGVZ/l
Z8xPiQVAA/lmRQ/2SLmee2YBc7ecOKpGbP7iPdbij1K/lW1OSGF1TU12gV/shVZ1S1TQo11oOxpi
j9tGmrJEZBrFoA5PlMsNn7I/Ln2F8aYdGejTlSKqbbjyZPHVkH5k7g+FHmrUzCKeqpUlxxvIxojO
lXBsEvJsROkHi7RpSQ/FcFaHlTsfMMr/zJiN+G1ezOeKZW4PROGogh/mQfx15FbIIauFMpBcAIHK
V4eBKoOYYa/3rWUpHGO5ebHGowtLcdQsw7VIZKzUq+vuc4rRBIelgZPdu3E/FyX/NzbtOh/89bsE
27HTIQHPoue6wwbWGLASHfCfutnhrlPUIXtaC38kqe7QjTuBA3koxCac0ZxkYM2KBCEkB6oTvTii
zdL8HMaNzZ6a6169EKlljlMDrsTwbzL/Glo70oycYDAnUDCePN0a83Ynhs6ymTxG8L5GXLKvI2KJ
kjC4VQkDVLC499AeHCkDOK0Di7CtenmztQW7WhoBnQt1KtFbwlrscHoXOpDEpUSY+US83gkR3EcD
wboo/Lf97OgzDbt9CSNbBgyTwkI6mx4eBwtuhie7YDx8th8//+PfWjhm9/dgNUyuxljTnr0j1ArQ
weQmQLaZc/P4uPWXa7WPifY4iFp+B4iUYriJiGdHgcUCYrZ4rzXNz3Ypb60cBEp7ghysAsPb9gcd
ck83mK3eyUjnFJOFV8WQUVcdUY5GWTQ0nNktA8NarhyaUxihZU9aK8fKVuXAVA50up4RXL+P8Ed2
q0RyOvGYC1FA7UYSMaFuxXF5VzQP215pPXq5vY8980UP4xNci/waPNhVq++TiO5vgYcUfXY1Ps+h
O5k2oTcbxgPruVOen4tabdnoEvCWLlSBuW/aFIl13AAHrtEONNBgHObRx2UZc9bZgKhiue7Ows1N
n4xdfztiWNZm6PJu7WOJTJfGKIdXlLIHJL3WjH9hDFwLr5nU0q8YyW42/jeHPEGqJOE353GnYz93
TdC+DAIMIkdeNQ4tF4tKk1R2EZ4VlP/vZVoYjfexPlIxq0/rCpAIGpMCr960ydXk24dXZ/Mu1ALG
BquE0dmR0XR4Djm74mzBzhetT9kJzNLJvG2XOIhk7+9F5Ao5Anbeo9CzGrruJsLGfbswCvlmdxIM
54tUGb5XTZDgrt2i4y/RqJqvDNZa4zqwHinadTeGj8unExyBGnXhBaHWGCHSnJowffmz2vWigZmi
wPFMZEn54wkxMNGJhuaK1WV2SMTZ1y0uAmyhORQMElxfnt2eSmsFMSVb/JqNgHT5uiOSsI9i+I//
yEZ+EEjaZvWGfqheC/R2VE/qBS6lmkq7KJjucXwdr9F7HcxRRqGqEP1oyG7NxZU2es9nsoU16PO9
u/wkY9MhCROm6YLmbS4IYzT1LMPD5QWrI9pS81v2513Wx6KtTYf2iPYIi5EPBXMKU2Uums6n3Xjv
rTFAMBsGCSqGSIb3DQEJFDEOHgwAcwBlAHIAdgBlAHIwIQYJKoZIhvcNAQkVMRQEElRpbWUgMTY5
Njk2NzkwNjI5NTCCB7EGCSqGSIb3DQEHBqCCB6IwggeeAgEAMIIHlwYJKoZIhvcNAQcBMGYGCSqG
SIb3DQEFDTBZMDgGCSqGSIb3DQEFDDArBBSrZRf9L1Srpgrfh17+ky+s1aGs4gICJxACASAwDAYI
KoZIhvcNAgkFADAdBglghkgBZQMEASoEEN2UUiYRKiT7J+Wu33mPIbuAggcgY6t7CcvlFheSbjCc
osLBS7/4awwtbQHiDYMBjgW+gk7JOKg/fCNrDp/KKJ6mKJpsXFsFuH7FZVm0GGtqCyW33XEbesDh
Ojr5Vom0+o978Pnug8MXYMCjSkmzNq5LO4ePsO01jAdWbvke0UrHOvKFnHUzf/WbaTvSnCSZJ6Mx
nFll4oSVJyNUuelofMnQJuLNI70blTiuXFTVSPeufncPSttwZYUr0weRjiCveo3A4SJKHc1lUJPG
u/tOyWAcozo4JpOwjyy0/T76M2PB75Qaa1OXKZNnRiuhBNdeBS2/UpmXxp93ahVviJI7rOfcF507
8PhuWcDl+fiduGIOquznxAtV+EqVFFI53/yj50M0In7WWtDsIcMhueRl2Z1oM9BELN4E1xW7P8jS
9M9VB+HBP+6RlZ0KIvjynk7yHOg2LCL4x32m4WoteHZ+7Eqzg8/OcMXC3dDJO2JD4s5TPNC+J+eX
6tS/gBJYWZF47JnLH9zIcw7NOrPi/cnN49dIqtFpb6DiumykWDhx8EVuQJfUdirNSEOtwGKhJ46H
xjIN1b6g7W1+E60iXH0VHm1Xv+6phi/QW7nvh//T2ZRqGJFMjAlx+kfDo2QJS37PX/N/9HfwwJzg
NwjKzp2Twf49fhbDAT4hDcwgI1+J5iITrmP0G0eEd2yz6oo0TD21fdl0blr3IagqpgUDmfhG3i4p
JO28Q6DFhazC3mBdDecw+bodFkC1ipr/PEnD3IQRu93fedlogbZq2IzPmBHchjyFtyDFn4pPC4Ch
v2a6d92uWIXBt0drD4P7KeXnjPc2wJ7jSCfd07jVexUzgx3DMOjzgOUfG8D4tJ9quMXj5tlsLbFh
gnZTY/I1Fqoua3B4cw3GADVeKBsIYmbgE8hbwinwU/TLQVw5tc9A77qnaO1IbxtX/5aqAHxy8haa
a+S+GmlAdO9dxMbdxASDTfo2o+PgPXmHxl76bn8pLnU0osWbxPCiOnzGUtfdNvuz2xO69g38qkEm
9p7NpeRx0mOifR05n3laOzPj6sjeGhySWzk3TsEYJBoNUBJi/Euk3qyS0a4phDKGI1QNFKg8EIqk
JDKZhy6b1UtqPJ3+EEntpCKcv95SG4ZGYeAKXpQUTi0P5TvtxPfSplYHMXJsXWRxuPQgoWWRsCXJ
3YF7xXDywuvvToU0msdG0wtSgUV2OxlkyIRq8r8p13W8C+w2isqqKY2zAqZ+/UaNfK1APZTLlk9f
7SJokwmk9ERcgVzoD+pOl9jj8lLNBvlHOmFi2GI8eZSDCW/BMDACyd6S7X+RHa5bedclrBGkyI9D
6I5B+PQiAwu2hl0VcMwDRZR2c3Oc3fyZLTsthVjkebdDnjGQ1AuP+U7mY1GhueH/TmE8UV8b4w8z
N5gAN5PIhSPF/jsTq0jhKfaIsON9hZP7nK6GUvWFlpPPozmCygwFNeztSu3aO3ZjNkhY0lSrdgKF
GjEr+biAHcAXEI28BHy/9Qvb0HwPcD4u4CTgyvVh3ZbYnU+qlo473+ZRWobSP3+KiU0Cv84GYyrM
bk69Ay+q0BQ4Z8iPQctzr06x328y40AwjJVD92RGa1cOdplLkpM20fV55DVSVmUidwVDGl9M4mWT
Lk9E0a/wpJ4M7jBQXM01vMiVlxH+tkN7cc3JsRxmnLBx0QXLpvWf3eEsQq6aTRnFZp0ALW9XemoN
a+XLdzrAtWDmea2vFonblI68KHEOMzb1mpb0dMVC818vT/9SZelgcl2GnyF7csN9vYIFBCpvEHSv
EV8iHuFq3JAHzjsK6mJetYlbmSE7ZPEqQhdcXg5Jlu+RjCXZmeXi23BvBt3sI47dgkemjNF5bMWG
gbh8XgUum24CmUlruxsh7jBOPpXIVKCEzfLUgbPU2DBQlUAaumq4aJH7di7PCO3Q78fb6ivk1Upf
hkJHBn1SewXX3e/KXbPh4iIMThyr7Fm1qCJT6oHknjwkEBnk3CBzKlqIr6C2l92sslhK8dmu54QO
UWqjYnyyFNbrM+Cz0oMAC5JruS1q5ZBTdbEEK4B3Y5pNWvTDQgT//wGyAipEWuO+O79Hn475Tvj1
XNtlZ7uPN5+2ZV0IpGKJ5WUdLWG62ZYhpzIQNmyl48673lkpa2KSRd+ZUhFRmBxWQDXLhZ87Nk5o
OMkjxSgATmpY0vcj46jJkGcecWeR7Ll8x8c8BIIG0fF1H1nptYkPTgNXMYvE0wTsP20iDjuofEHG
WCxZ4NgDTdQPKTp45aErDCRM8jLX+vsufqE/NNdsEh8L2gnt9XHa23qfrTZsyxK0xOsXxhttoJaF
YQH/N//ALlvv0I/+rz1/QLGYQhe2Hn8n7Vh+jCko8BjOgtPUDrRw/+Azgt5K7JcRz2TpjIdBDdtc
5yBfGJ0giwONUcd0tKmHt/eZ43ltRkw0y/mWrlmX2TCy7MSvaMnP9SC8lnBlME0wMTANBglghkgB
ZQMEAgEFAAQgkLMetS2uC4GODGMGyeGDF1hFCAWSO5CVDgN06owSu44EFL3xgE8QA/mTcH1jIpdV
rHfcpyekAgInEA==

Truststore example with CA and client certificate DN "[email protected]":

MIIIcgIBAzCCCBwGCSqGSIb3DQEHAaCCCA0EgggJMIIIBTCCCAEGCSqGSIb3DQEHBqCCB/Iwggfu
AgEAMIIH5wYJKoZIhvcNAQcBMGYGCSqGSIb3DQEFDTBZMDgGCSqGSIb3DQEFDDArBBTylW+zwGCr
lToT8iaGlMzTVCN5+gICJxACASAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEJYg30oO+8mF
mxDu0b0TVz+Aggdwnrhxs4PyM93at6e6F/WU60+igCvYkMcMAXAN3xzcbBc1Sj0WKvGy7zG3AcnV
BpkG2wRc8xe9+OWO/Su4JszrdcfyQFaLrkYK6NDqHf27HGsv0teuwNhRdDF2WHCnWRtxspXa/e6t
KoqNayO0AE1XR4kb7atMKDf8d/rF/15B1xI3lY3UjzskYZDNxACm7lLmAElOSf1eyXv6puvjdOXj
HOyNppYfGhyoD+jhV9GYlSI0P9SF1gYaWOvvwPEma78MgKfvBbtDB6eMYoZi6ExaA6BVZ6aEJLC4
9Llbl6dqyWO4h5LJ7UVCfWlJJFP7PtR8Sq2DEfMDAgi4pkPAhdnJ2hG+3mjcPToHJC/N1gUScEND
1m+U7FfeqvxzDOtFTBtrWx4vZizHd0y8EI73EOiZtC4z/oXZSqpEjETL3HK+94aFMhcmRvjTw5Y8
HDfKdiwqFhGrYVJuIDJR9CsVX7KoCXyr9JIkckyhEZiUthCf9muCPQOVRmucMc/VzmhxNY+EZMZv
X7XerzEo/oyB+vsrovG82yGZvvLAOqo0K+Oc7DRFI4MbYbTkLth2rpS0YAEgHcLuFSp1wOD0cwqb
LR+GBWm6wWqdEo9ZT+Vq6UOWx9U3h7Cw+TAiZx8pjJsiW2FS6WFoPu3ytK6z07c8z/oS71JAHlTn
tAWNqxiIJkWnzcWdTTzff/uIegYElF0Q5J6hbbrfmPcXQbSJCxgwRU6S/i2zLOHVQ+shp54R+BJH
z1SZE1u10WcPS8Vqc0I2GEUtlbFAeV2GCrCCrevFo6JXa5YX36Bfohp3JmKFBOvhM4FMu5WNusHe
pDF5DoeWC3cqlw6b8hFxNJUbzZ+RiWwjCJgJLfPOvefOTJnCyJ+J3sLD/CY9ObCCXmFmxPkIEC0H
CKtOtibbaiSDEKUEeEahpAtygrsD0PDevMD71T02FiekLE1d2JSDhL7blsNrh7PeD/P9O6qqC14A
Mr0lRV4booVr/Q9iH5ucOqLVTmomemrIMv9chhnJdjag7R51jSAfMuKwhLZ9qK+VDtjLr7F7sBrD
2ZBBeGxhKU/FneNxJKH8H2T8wAdNKYub0slEyL1SbAyAWwELJD/v6wWsdZTSh3ygoLEsRK+56MQe
pgUa6Y8C+AQwq88sGPphsj19r3YxhByQkMZWhFXfrLKsx3vuP33WUP7SB4E/5ionQf3Mp6Co4dYw
fxnoyukAK6/87+MIJLrzYDebX4jz7gH/s4ZhaWSGESurMjVYt0LJSYTlRyx1qSWkztpXEcJG6EG1
yLnpN8Bpn5JA9Jtj4QxYmXOlKECLZyMr1EiUMBsZ937Dq5sPC7Yz2wp1kEKuOcN+Q5SuLmR7kIY8
UOIH5ARnNAmuvZ3Fy75Z24l3FjEUeE7WFy9mdhrfu7eGWUY/Hr4EXtkq80i0hD8WC/Q1jns3ziCh
BYojo5xhXQjs9WYigSdYBtKYlcPu8FHrrb3SwmbZkpSNfNkzGtHg0vduoGEWP+S5Q84OkAwDVz06
ugufWXAvW2xfZz3L2s8ANTqywkjNAJ3gKvGSe5XFaDfISjFP60hKiMhdOdLxGhMDTLAdAHyFa4Di
n6T/tm0vir/m80r46AgmqLsvwvsbf5o+NK4w4Ifz1G1n5K3s15U/Yy4TvHIsmeg124SCq54qxeFc
+yVoJAFGK5X5QZ7yE67s75r6MJBLeQeez5zj1jt5wgPdMMwQ0/3HRdAtsGUMBYMqy1xWeqDsVRuq
r5g9aEAXv/ddaS5hBpxTEMQtqruv3pWWAV95DzdGTSLuyfPIMPlcEPl/3RD5LbGsLzg8TpE4/pqF
iXrpSBkXG6Cw+iCeBldNYTqptoU/AN9XXzJO6/MGoYj5WE9aVJ34R5MmgnRp4737lNH6CsQ2od/e
gFKaBNklyIpce4dYxriLJPFONxzAWrImKVD7Wn/xymZeT46/j2YpH57L/mDk+mz9/ZfIY1M5Imo4
OxREP9okeXlqlyy8uB2jM1uNY8fJMaVsmKvavvtJYiQw0U8EXQZ+nQmhzxKpeu0SwirENqr/Is7t
j8ufZA2L7l8UWUHpyWWzmyQivuQ+DO/cg55ms0Z7AvC0/QfEMFSDf+gDg+On8w62tEy88w9/pQ7P
bT5lqG2dnO+9hFxFDnH/yjJvzviZ0qr5Dhbld+neIzDf8RCUcNYe2B9kxUhyLuNC3Q1NcMazoCgj
2cdTpVUgd06uOf0clSyuYgST1s2PU5V/3hENxsvSN2B+PQuxlw434bIk/OYwxcQ4ae+ztEXWJVEa
46tvQ0XzMEZqOt41QaJ8/ellphmmGF7iu/WKAq6t4GtjyV5a16Ri6KHEOyfstncWkcG1NhNUJwMT
oCSSJX5C/WD+jqgCT994/e58N5LfD4Zg4xFf5Snn5Ns3z+lSokWy/w4Kgu6MXX9/3MSYzJV+PZgE
erLfP7ZOd4JMFrMEc70tDZRz+IIeMoUPLLk81WEw7GWT842AvLgLQIATMOnSDbDyFxKjbRgFIWhW
uksn5qoLDOdRTBnjwnwUtoXr7dctAgrMLyZetQjk1TMOFBswTTAxMA0GCWCGSAFlAwQCAQUABCBz
WElyIm10JjmNF2SrGNtqD+5PmnEWUhLxSLnznlR55QQUk4/p+I7PcfROJypRPcOzYWexELYCAicQ

Sorry but I cannot attach the keystore. I send them to you in base64.
To decode base64 string copy the text to file and run the next command.

base64 --decode /path/to/file > keystore.p12

Password for keystores "changeit".

You can try these keystores with the Jetty implementation that I defined at the beginning of this discussion.

[Hakky54]

Thank you, with the keystores you shared I was able to reproduce it on my side. I found a way to hide away those Acceptable client certificate CA names On my side I am now getting the following output with the custom solution:

The library itself does not yet provide such options yet, although a workaround is possible. I will add this option in the future as it seems like a nice feature. For now you can use a workaround. The Acceptable client certificate CA names are being listed because the TrustManager provides this information to the client. Luckily this behaviour can be customized.

What you first need is to have this custom TrustManager:

public class MyDelegatingTrustManager extends X509ExtendedTrustManager {

    private final X509ExtendedTrustManager innerTrustManager;

    MyDelegatingTrustManager(X509ExtendedTrustManager innerTrustManager) {
        this.innerTrustManager = innerTrustManager;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        innerTrustManager.checkClientTrusted(chain, authType, socket);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        innerTrustManager.checkServerTrusted(chain, authType, socket);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        innerTrustManager.checkClientTrusted(chain, authType, engine);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        innerTrustManager.checkServerTrusted(chain, authType, engine);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        innerTrustManager.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        innerTrustManager.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}

This custom trustmanager returns an empty array of accepted issuers, see the method getAcceptedIssuers(). In your situation you also happen to use the swappableTrustMaterial, so to get it working the SSLFactory initialization needs to be adjusted. the following snippet should do the trick:

@Bean
public SSLFactory sslFactory(@Value("${ssl.keystore-path}") String keyStorePath,
                        @Value("${ssl.keystore-password}") String keyStorePassword,
                        @Value("${ssl.truststore-path}") String trustStorePath,
                        @Value("${ssl.truststore-password}") String trustStorePassword)
                        throws Exception {
    KeyStore trustStore = KeyStoreUtils.loadKeyStore(trustStorePath, trustStorePassword.toCharArray());
    X509ExtendedTrustManager trustManager = TrustManagerUtils.createTrustManager(keyStore);
    
    return SSLFactory.builder()
         .withIdentityMaterial(identityKeystore.toPath(), keyStorePassword.toCharArray())
         .withTrustMaterial(new MyDelegatingTrustManager(trustManager))  // here we wrap the actual trustmanager with our custom one
         .withSwappableIdentityMaterial().withSwappableTrustMaterial()
         .withNeedClientAuthentication(Boolean.TRUE)
         .withProtocols("TLSv1.3", "TLSv1.2")
         .withCiphers("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384")
         .withSessionTimeout(3600).withSessionCacheSize(1024).build();
}

It is a bit verbose, but can you give it a try on your side and share the results? If this is what you are looking for we can add it in the next version of the library.

[gerardnorton]

Your solution is working perfectly :-)

Partial reponse:

...
---
Server certificate
subject=CN = ssl-server-cert
issuer=CN = ssl-ca-cert
---
No client certificate CA names sent
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2067 bytes and written 472 bytes
Verification error: self-signed certificate in certificate chain
---
...

Thank you very much for your help and work :-)

[gerardnorton]

I have reopened the discussion because I have detected a flaw with the solution you have proposed.
When running the server the list returned is empty but if we run an "updateSslMaterial()" the list contains the trusted certificates.
My definition for the MyDelegatingTrustManager class is not Singleton.

Flow:

Init Server --> run command --> list is empty --> run updateSslMaterial() --> run command --> list return trusted certificates

Command

openssl s_client -showcerts -servername 127.0.0.1 -connect 127.0.0.1:8443 </dev/null

[Hakky54]

Yes, the workaround is not compatible when you use it with the swappable option. No worries, I am working on a native implementation so you don't need to have custom configuration on your side. Can you have a look at this pull request please: #392 I think it is more clean in this way, but lets try to improve it together wherever it needs to be polished. See also my comment on the pull request for the example usage.

[gerardnorton]

you are really fast ...
jajaja :-)

#392