-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Jetty 11 WebSocket Client: SSL/TLS authentication using client certificate #8085
Comments
Your code is correct. If you can reproduce the case, can you enable DEBUG logs on the server, so we can understand why the request failed? |
These are the debug logs https://gist.github.com/manusa/9d4ed942d96909c17c26169589bcaf60, line 395 has the forbidden response. For some additional context, the endpoint I'm trying to connect is |
You linked the client logs. Need the server logs to understand why the server had a TLS failure. |
Oh, sorry, I missed the I don't have access to the server logs. This is a Minikube Kubernetes server The thing is that for the HttpClient, this authentication works and the server accepts the client's requests. However, the same doesn't for the WebSocketClient. The SSL connection is established, but then the request fails with the mentioned 403 Forbidden status. As I said, my suspicion is that for some reason the client certificate is not used for authentication in this case. |
@manusa it could well be that the server is configured differently, because the client is configured the same. Jetty does not do much with respect to TLS, it just delegates to the JDK, so I doubt that "for some reason the client certificate is not used for authentication in this case" due to client problems -- I would concentrate on the server configuration first. |
The thing is that the same procedures work both with the OkHttp client, and the JDK (11+) HttpClient. Maybe we're missing an extra-header that those clients add automatically, or something else 🤷. I'm 90% certain that this has to do with the authentication procedure, since SSL works when no client certificate is required for authentication. The problem is that debugging this is really hard due to the TLS layer (tried wiresharking, but was unable to setup the decryption keys). |
You can use Also, it may not be a TLS issue at all, maybe just a WebSocket issue. TLS is fine, but for some reason the server does not like the WebSocket upgrade. |
Maybe this is not clear (or I'm not following). The server is a Kubernetes server (more specifically a Minikube instance), this flag is not applicable. |
I don't know how to help you more if you don't get something from the server. How do you know that OkHttp and JDK's How do you configure the server to require client certificates? So far nothing points to Jetty. How do you setup the client KeyStore with the certificates? Is the client certificate properly signed? Is the server setup correctly do verify the client certificates? Have you tried to not force TLS 1.2? |
Our project is based on OkHttp and we're now providing additional client implementations. We thought that the native Jdk HttpClient and Jetty would be good choices. I'm thinking that that the http-to-ws URI protocol flipping we do to avoid the Jetty websocket connect check might have something to do (this is reversed in the JDK implementation when performing the handshake). (Update: I prevented the check in a debug session and the result is still NOT OK with an
I don't, this is part of Minikube, the initial user Minikube creates can authenticate with some certificates.
This is a complex procedure, but as I said, same thing works for OkHttp and JDK. The relevant part to Jetty is how we setup the
As I said, without TLS it does work, and with TLS and no authentication, it works too. The problem is just when a client certificate is required for authentication. |
I think I managed to solve the issue. Thanks for your help and involvement @sbordet 🙌 The WebSocket upgrade request is missing the I'll add more details and close the issue once I'm sure everything works. |
As usual in this cases, the problem exists between keyboard and chair. We're adding the Origin header ourselves, but I was not propagating them to the Thanks again for your help! |
Jetty version: 11.0.9
Java version: 11.0.10
Question
I'm working on an HTTPClient implementation for Fabric8 Kubernetes Client based on Eclipse Jetty.
You can check the work in progress in the following PR: fabric8io/kubernetes-client#4180
This implementation requires both, the jetty-client and the jetty-websocket-client.
To set up SSL support for both clients I'm using the following snippet:
This code works fine in both clients(HTTP and websocket) when just dealing with the TLS transport layer.
The HTTP client works fine when a client certificate is used for authentication too. However, when using the websocket client using the client certificate, we get an Upgrade Exception with a Forbidden status code.
I'm not sure if there might be an issue with our configuration, or this might be a bug.
The text was updated successfully, but these errors were encountered: