felix-dev mailing list archives

From Reto Gmür (JIRA) <j...@apache.org>
Subject [jira] [Updated] (FELIX-4797) Enable client certificate requesting without verifying the certificates
Date Tue, 17 Mar 2015 15:51:38 GMT

     [ https://issues.apache.org/jira/browse/FELIX-4797?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Reto Gmür updated FELIX-4797:
    Attachment: enabling-sslContext-services.patch

A simple patch to allow injection of an SSLContext by providing it as a service. The discussion
at http://mail-archives.apache.org/mod_mbox/felix-dev/201503.mbx/%3CE60B1816-032F-4F11-9345-171FB06E92C4@luminis.eu%3E
indicates a preference for configurability via services rather than just the risky option
to disable validation altogether. With this patch it is left to another bundle to provide
an SSLContext that disables certificate validation.

> Enable client certificate requesting without verifying the certificates
> -----------------------------------------------------------------------
>                 Key: FELIX-4797
>                 URL: https://issues.apache.org/jira/browse/FELIX-4797
>             Project: Felix
>          Issue Type: Improvement
>          Components: HTTP Service
>            Reporter: Pascal Mainini
>            Priority: Minor
>              Labels: patch
>         Attachments: 0001-Patch-enabling-client-certificate-authentication-wit.patch,
> This is a patch enabling requesting client certificate authentication without further
> validation of the certificates provided by the client. Rationale:
> Enabling requests of client certificates by setting "org.apache.felix.https.clientcertificate"
> to "wants" or "needs" requests a client-certificate from any connecting client. Depending
> on the value set, this is either an optional or mandatory step to be fulfilled by the client
> in order to have its HTTP-request further processed.
> The client-certificate obtained is validated against either the CA-certificates found
> in the truststore or - if none given - by the server's certificate itself.
> For some use cases, this validation is unsuitable or not possible at all, namely for supporting
> WebID-style (https://en.wikipedia.org/wiki/WebID) authorization processed by a servlet within
> the container.

This message was sent by Atlassian JIRA
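
Added example (not part of the original message or the attached patch): when the TLS layer requests a client certificate but does not validate it, as the issue proposes for WebID-style use, the servlet has to make its own decision before trusting the certificate. The class name `WebIdCertCheck` and the `profileKeys` map (WebID URI to the public key published in that profile) are assumptions for illustration.

```java
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;

/** Application-layer check for a client certificate that TLS accepted without chain validation. */
public final class WebIdCertCheck {

    private static final int SAN_URI = 6; // GeneralName type uniformResourceIdentifier

    /**
     * Returns the WebID URI the certificate is accepted for, or null if it is rejected.
     * profileKeys is a hypothetical stand-in for the keys published in each WebID profile;
     * fetching and parsing the profile document is out of scope here.
     */
    public static String acceptedWebId(X509Certificate[] chain,
                                       Map<String, PublicKey> profileKeys) {
        if (chain == null || chain.length == 0) {
            return null; // "wants" mode: the client sent no certificate
        }
        X509Certificate cert = chain[0]; // leaf certificate presented by the client
        try {
            cert.checkValidity(); // the validity period still matters without a CA chain
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans == null) {
                return null; // no subjectAltName, so no WebID claim
            }
            byte[] presented = cert.getPublicKey().getEncoded();
            for (List<?> san : sans) {
                if (!Integer.valueOf(SAN_URI).equals(san.get(0))) {
                    continue; // only URI entries can carry a WebID
                }
                String uri = (String) san.get(1);
                PublicKey published = profileKeys.get(uri);
                // The handshake proved possession of the private key for the presented key;
                // the WebID claim holds only if the profile publishes that same key.
                if (published != null && Arrays.equals(published.getEncoded(), presented)) {
                    return uri;
                }
            }
        } catch (CertificateException e) {
            return null; // expired, not yet valid, or unparsable subjectAltName
        }
        return null;
    }
}
```

In a servlet, the chain is available as the request attribute `javax.servlet.request.X509Certificate`.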
