
I am building a server application using Java 8 and Spring Boot, and it is deployed in Tomcat 8. This application is invoked from another application only, and not from any browser. So a two-way SSL handshake is implemented for security reasons.

Two-way SSL is implemented and I am aware of forcing the host name verification when acting as an SSL client. Hostname verification should be enabled at the SSL server end also. Is there any implementation similar to strict hostname verification when acting as an SSL server?

The server should do a host name verification from SSL certificate provided by the client against the client IP address available in the request object.

    // Apache HttpClient 4.x, client side: verify the server certificate's host name
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
            sslcontext, new String[] { "TLSv1.2" }, null, SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
    return HttpClients.custom().setSSLSocketFactory(sslsf).build();

I am using Apache HttpClient and am able to force STRICT_HOSTNAME_VERIFIER when acting as an SSL client.

I am not getting any pointer to do the same kind of check when acting as an SSL server. Even if the SSL client certificate has a different hostname than the client host it is requesting from, the SSL handshake is passing without any failure. Is there a way to enable a strict host name verifier from the SSL server point of view using Java security?

I am using the below configuration in Tomcat:

    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               maxThreads="100" minSpareThreads="10" maxConnections="1000" scheme="https" secure="true"
               keystoreFile="conf/jks/SSL_Server.jks" keystorePass="Password" keystoreType="jks"
               truststoreFile="conf/jks/TrustStore.jks" truststorePass="PasswordTrust" truststoreType="jks"
               clientAuth="true" sslProtocol="TLSv1.2" />

Manu
  • Reading the updated question, I deleted the previous answer. – pedrofb Jan 09 '17 at 15:42
  • In two-way SSL, during the handshake you can validate that the certificate presented by the user is issued by a CA in your truststore. Some servers also allow validating some attributes of the certificate, like the CN. But the handshake will not validate the IP of the request against the hostname in the certificate. Alternative: extract the X509Certificate sent by the client and validate it yourself with a filter – pedrofb Jan 09 '17 at 15:45
  • Thanks for the suggestion. I am using the Tomcat server for the application. I am able to check this in the application layer from the client certificate. But I want to do this in the SSL stack, and in my case Tomcat+Java, since Tomcat uses the SunJSSE implementation. I am able to work out the check I have to do from the X509Certificate, but am unable to plug in to the SSL stack... If you have any pointers to adding a filter to do additional checks when acting as an SSL server, it will be very useful... – Manu Jan 10 '17 at 12:14
  • Get the `X509Certificate` from `HttpServletRequest` (see http://stackoverflow.com/questions/11945013/read-out-incoming-certificate-in-tomcat) and add a standard J2EE filter before your web app is called, aborting the request if the certificate is not suitable. See https://www.tutorialspoint.com/servlets/servlets-writing-filters.htm – pedrofb Jan 11 '17 at 18:28
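Following pedrofb's suggestion, here is an added example (not code from the question, nor from Tomcat or Spring) of a servlet filter that performs the client-certificate-versus-peer-address check in the application layer, after the handshake has already validated the chain against the truststore. The class and method names (`ClientCertAddressFilter`, `certificateMatchesAddress`) are my own; the only API it relies on is the Servlet 3.1 API bundled with Tomcat 8 and the JDK's `java.security.cert` / `java.net` classes. It assumes the connector keeps `clientAuth="true"` as in the question, so a missing certificate is only a defence-in-depth case here.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of the question's project): rejects a request when the
 * client certificate negotiated by Tomcat does not name the TCP peer address.
 */
public class ClientCertAddressFilter implements Filter {

    // Standard servlet attribute under which the container exposes the client chain (leaf first)
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // GeneralName tag values as returned by X509Certificate.getSubjectAlternativeNames()
    private static final int SAN_DNS_NAME = 2;
    private static final int SAN_IP_ADDRESS = 7;

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) response;
        X509Certificate[] clientChain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        String peerAddress = request.getRemoteAddr(); // IP literal of the TCP peer

        if (clientChain == null || clientChain.length == 0) {
            // With clientAuth="true" Tomcat already refuses such connections; keep the check anyway
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        try {
            if (!certificateMatchesAddress(clientChain[0], peerAddress)) {
                http.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "client certificate does not match the peer address");
                return;
            }
        } catch (CertificateParsingException e) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate is not parseable");
            return;
        }
        chain.doFilter(request, response); // certificate names the peer: let the request through
    }

    /**
     * True if an IP-address SAN equals the peer address, or a DNS-name SAN forward-resolves to it.
     * A certificate without any SAN is refused; the legacy CN field is deliberately not consulted.
     */
    static boolean certificateMatchesAddress(X509Certificate leaf, String peerAddress)
            throws CertificateParsingException {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) {
            return false;
        }
        InetAddress peer;
        try {
            peer = InetAddress.getByName(peerAddress); // literal, so no DNS lookup happens here
        } catch (IOException e) {
            return false;
        }
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            String value = (String) san.get(1); // both DNS and IP SANs come back as strings
            try {
                if (type == SAN_IP_ADDRESS && InetAddress.getByName(value).equals(peer)) {
                    return true;
                }
                if (type == SAN_DNS_NAME) {
                    // Forward-resolve the name in the certificate; never reverse-resolve the peer,
                    // because PTR records are controlled by whoever owns the peer's address block.
                    for (InetAddress candidate : InetAddress.getAllByName(value)) {
                        if (candidate.equals(peer)) {
                            return true;
                        }
                    }
                }
            } catch (IOException unresolvable) {
                // An unresolvable or malformed SAN entry simply does not match
            }
        }
        return false;
    }

    @Override
    public void destroy() { }
}
```

In Spring Boot the filter is registered with a `FilterRegistrationBean` (or `@WebFilter` together with `@ServletComponentScan`), mapped to `/*` and ordered before any business filters. Two caveats a practitioner should keep in mind: `getRemoteAddr()` is the address of the TCP peer, so a reverse proxy, load balancer or NAT in front of Tomcat would make every request appear to come from that device; and a DNS-name SAN is only as trustworthy as the resolver used for the forward lookup, which is why an IP-address SAN is the cleaner match for a fixed client host. As pedrofb notes, this runs after the handshake, so a mismatching client still completes the TLS connection and is rejected at the HTTP layer rather than inside JSSE.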
