Disable "Acceptable client certificate CA names" on MTLS client connect. #391

Closed
Hakky54 opened this issue Oct 11, 2023 Discussed in #389 · 0 comments · Fixed by #392

Hakky54 commented Oct 11, 2023

Discussed in #389

Originally posted by gerardnorton October 10, 2023
In MTLS configuration, by default, all allowed clients' CNs are returned when a client initializes an SSL communication. This can lead to many security risks and information leaks.

This is my server implementation:

@Bean
public ConfigurableServletWebServerFactory webServerFactory(
        SslContextFactory.Server sslContextFactory,
        @Value("${server.port}") int serverPort) {
    JettyServletWebServerFactory factory = new JettyServletWebServerFactory();
    JettyServerCustomizer jettyServerCustomizer = server -> {
        ServerConnector serverConnector = new ServerConnector(server, sslContextFactory);
        serverConnector.setPort(serverPort);
        server.setConnectors(new Connector[] {serverConnector});
    };
    factory.setServerCustomizers(Collections.singletonList(jettyServerCustomizer));
    return factory;
}

@Bean
public SSLFactory sslFactory(@Value("${ssl.keystore-path}") String keyStorePath,
                             @Value("${ssl.keystore-password}") String keyStorePassword,
                             @Value("${ssl.truststore-path}") String trustStorePath,
                             @Value("${ssl.truststore-password}") String trustStorePassword)
        throws Exception {
    ...
    return SSLFactory.builder()
            .withIdentityMaterial(identityKeystore.toPath(), keyStorePassword.toCharArray())
            .withTrustMaterial(identityTruststore.toPath(), trustStorePassword.toCharArray())
            .withSwappableIdentityMaterial().withSwappableTrustMaterial()
            .withNeedClientAuthentication(Boolean.TRUE)
            .withProtocols("TLSv1.3", "TLSv1.2")
            .withCiphers("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384")
            .withSessionTimeout(3600).withSessionCacheSize(1024).build();
}

@Bean
public SslContextFactory.Server sslContextFactory(SSLFactory sslFactory) {
    return JettySslUtils.forServer(sslFactory);
}

Command to check issue:

openssl s_client -showcerts -servername 127.0.0.1 -connect 127.0.0.1:8443 </dev/null

Partial response:

Server certificate
subject=CN = ssl-server-cert
issuer=CN = ssl-ca-cert

Acceptable client certificate CA names
CN = ssl-ca-cert
CN = [email protected]
CN = [email protected]
CN = [email protected]
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 2228 bytes and written 472 bytes
Verification error: self-signed certificate in certificate chain

How can I disable the response of allowed clients in the truststore file?

Best regards :-)

Hakky54 linked a pull request Oct 12, 2023 that will close this issue
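
The "Acceptable client certificate CA names" in the output above are the CA list of the server's CertificateRequest, which JSSE fills from the trust manager's `getAcceptedIssuers()`. The following is an added example, not code from this issue or from the project: a plain JSSE wrapper (the names `ConcealingTrustManager` and `from` are hypothetical) that advertises an empty list while still validating client chains against the real truststore.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

// Hypothetical wrapper: validates chains as before, advertises no CA names.
public final class ConcealingTrustManager extends X509ExtendedTrustManager {
    private static final X509Certificate[] NONE = new X509Certificate[0];
    private final X509ExtendedTrustManager delegate;

    public ConcealingTrustManager(X509ExtendedTrustManager delegate) { this.delegate = delegate; }

    // Wraps the JDK's default trust manager for the given truststore.
    public static ConcealingTrustManager from(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                return new ConcealingTrustManager((X509ExtendedTrustManager) tm);
            }
        }
        throw new IllegalStateException("no X509ExtendedTrustManager available");
    }

    // JSSE builds the CertificateRequest CA list from this method, so an
    // empty array means no truststore subjects are sent to the peer.
    @Override public X509Certificate[] getAcceptedIssuers() { return NONE; }

    // Validation is unchanged: every check goes to the real trust manager.
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { delegate.checkClientTrusted(chain, authType); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException { delegate.checkClientTrusted(chain, authType, socket); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException { delegate.checkClientTrusted(chain, authType, engine); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { delegate.checkServerTrusted(chain, authType); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException { delegate.checkServerTrusted(chain, authType, socket); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException { delegate.checkServerTrusted(chain, authType, engine); }
}
```

Pass the wrapper as the only trust manager to `SSLContext.init`. Clients that pick their certificate by matching the advertised CA names need that certificate selected explicitly once the list is empty.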