felix-dev mailing list archives

From "J.W. Janssen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FELIX-4797) Enable client certificate requesting without verifying the certificates
Date Tue, 17 Feb 2015 14:12:12 GMT

    [ https://issues.apache.org/jira/browse/FELIX-4797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14324208#comment-14324208

J.W. Janssen commented on FELIX-4797:

[~pascal.mainini]: not sure what you are trying to solve exactly here: by simply trusting
*any* certificate that the client provides without any validation, you basically are very
much susceptible to MitM attacks, not?

> Enable client certificate requesting without verifying the certificates
> -----------------------------------------------------------------------
>                 Key: FELIX-4797
>                 URL: https://issues.apache.org/jira/browse/FELIX-4797
>             Project: Felix
>          Issue Type: Improvement
>          Components: HTTP Service
>            Reporter: Pascal Mainini
>            Priority: Minor
>              Labels: patch
>         Attachments: 0001-Patch-enabling-client-certificate-authentication-wit.patch
> This is a patch enabling requesting client certificate authentication without further
> validation of the certificates provided by the client. Rationale:
> Enabling requests of client certificates by setting "org.apache.felix.https.clientcertificate"
> to "wants" or "needs" requests a client-certificate from any connecting client. Depending
> on the value set, this is either an optional or mandatory step to be fulfilled by the client
> in order to have its HTTP-request further processed.
> The client-certificate obtained is validated against either the CA-certificates found
> in the truststore or - if none given - by the server's certificate itself.
> For some use cases, this validation is unsuitable or not possible at all, namely for supporting
> WebID-style (https://en.wikipedia.org/wiki/WebID) authorization processed by a servlet within
> the container.

This message was sent by Atlassian JIRA
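As an added example (not the attached patch and not Felix code), the servlet-side work that falls to the application once the connector no longer verifies client certificates: read the chain the container attaches to the request, validate it against a truststore where a CA is available, and for the WebID case extract the URI from the subjectAltName so the servlet can check the certificate's key against the profile. The truststore path and password are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import javax.servlet.http.HttpServletRequest;

public class ClientCertCheck {
    // Placeholders: the truststore the servlet validates against, not a Felix setting.
    private static final String TRUSTSTORE = "/path/to/truststore.jks";
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    /** Chain the connector attached to the request (Servlet spec attribute), or null if none was sent. */
    public static X509Certificate[] clientChain(HttpServletRequest req) {
        Object attr = req.getAttribute("javax.servlet.request.X509Certificate");
        return (attr instanceof X509Certificate[]) ? (X509Certificate[]) attr : null;
    }

    /**
     * PKIX validation against the truststore: the check the connector performs itself
     * when it verifies client certificates, and the one a servlet must perform once
     * that verification is switched off. Throws on an untrusted or expired chain.
     * The handshake only proves the client holds the private key for chain[0];
     * it says nothing about who issued that certificate.
     */
    public static void validateChain(X509Certificate[] chain) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(TRUSTSTORE)) {
            ts.load(in, TRUSTSTORE_PASSWORD);
        }
        PKIXParameters params = new PKIXParameters(ts);
        params.setRevocationEnabled(false); // no CRL/OCSP lookup in this example
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        validator.validate(
            CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain)), params);
    }

    /** WebID case: the identity URI lives in subjectAltName as GeneralName type 6 (URI). */
    public static String webIdFromCert(X509Certificate cert) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return null;
        for (List<?> san : sans) {
            if (Integer.valueOf(6).equals(san.get(0))) return (String) san.get(1);
        }
        return null; // caller must then fetch the profile and compare the key in cert.getPublicKey()
    }
}
```

With validation disabled at the connector, `webIdFromCert` alone establishes nothing: the servlet still has to compare `cert.getPublicKey()` with the key published at that URI before treating the request as authenticated.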
