
I am stuck with an issue where I want to validate a CRL. I already have a keystore at ${karaf.home}/etc/keystores and would just like to add a CRL (Certificate Revocation List). How do I do that? Here's my org.ops4j.pax.web.cfg:

    org.osgi.service.http.port=8030

    org.osgi.service.http.port.secure=9000
    org.osgi.service.http.secure.enabled=true
    org.ops4j.pax.web.ssl.keystore=./etc/keystores/keystore.jks
    org.ops4j.pax.web.ssl.password=password
    org.ops4j.pax.web.ssl.keypassword=password
    
    org.ops4j.pax.web.config.file=${karaf.home}/etc/jetty.xml
    org.ops4j.pax.web.ssl.truststore=${karaf.base}/etc/keystores/client.jks
    org.ops4j.pax.web.ssl.truststore.password=password
    org.ops4j.pax.web.ssl.truststore.type=JKS

Here's my jetty.xml:

    <Configure id="Server" class="org.eclipse.jetty.server.Server">
      <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="KeyStorePath"><Property name="jetty.home" default="." />/etc/keystores/keystore.jks</Set>
        <Set name="KeyStorePassword">password</Set>
        <Set name="KeyManagerPassword">secretpass</Set>
        <Set name="TrustStorePath"><Property name="jetty.home" default="." />/etc/keystores/client.jks</Set>
        <Set name="TrustStorePassword">password</Set>
        <Set name="CrlPath"><Property name="jetty.home" default="." />/etc/keystores/test-cer-.crl</Set>
        <Set name="NeedClientAuth">true</Set> 
      </New>
      <Call name="addConnector">
        <Arg>
          <New class="org.eclipse.jetty.server.ServerConnector">
            <Arg name="server">
              <Ref refid="Server" />
            </Arg>
            <Arg name="factories">
              <Array type="org.eclipse.jetty.server.ConnectionFactory">
                <Item>
                  <New class="org.eclipse.jetty.server.SslConnectionFactory">
                    <Arg name="next">http/1.1</Arg>
                    <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
                  </New>
                </Item>
                <Item>
                  <New class="org.eclipse.jetty.server.HttpConnectionFactory"></New>
                </Item>
              </Array>
            </Arg>
            <Set name="host">
              <Property name="jetty.host" default="0.0.0.0" />
            </Set>
            <Set name="port">
              <Property name="jetty.port" default="14000" />
            </Set>
            <Set name="idleTimeout">
              <Property name="http.timeout" default="30000" />
            </Set>
            <Set name="name">restConnector:14000</Set>
          </New>
        </Arg>
      </Call>
    </Configure>

But when I try to open https://localhost:14000/ in my browser I get a "Secure Connection Failed" error, meaning I end up with an error where Jetty tries to validate the subject alternative name of the client certificate. And of course there is none; I was not able to figure out how to disable this client hostname validation. It works fine with port 9000.

Am I missing something in the Jetty configuration? Any help will be appreciated. Or is there any other way to do it?

  • What version of Jetty? And what version of Java? And what TLS level are you wanting to use? (It matters.) – Joakim Erdfelt Feb 07 '22 at 11:46
  • @JoakimErdfelt I am using Java 11.0.8 and Jetty version 2.0. For TLS, no specific level. – Katja Feb 09 '22 at 08:12
  • Those versions don't make sense. Jetty 11.x is not supported by Karaf due to the jakarta big bang namespace change (see https://stackoverflow.com/a/66368511/775715), and Jetty 2.x does not support Karaf due to it being pre-servlet support. Karaf 4.3.x requires Servlet 3.1, so you are stuck with Jetty 9.x. – Joakim Erdfelt Feb 09 '22 at 15:52
  • @JoakimErdfelt my Karaf version is 4.2.7 and Jetty is 9? So how can I fix it? – Katja Feb 11 '22 at 09:12

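The following jetty.xml fragment is an added example written for this page; it is not part of the question, of the Karaf distribution, or of Pax Web's own files. It assumes Jetty 9.4.x (the line Karaf 4.2.x ships) and reuses the keystore, truststore and CRL paths from the question's jetty.xml. It addresses the two separate problems that the question's configuration runs into: the plain `SslContextFactory` class applies the "HTTPS" endpoint identification algorithm, which on a server means the client certificate is checked against a hostname and rejected when it has no matching subject alternative name, whereas the server-side `SslContextFactory$Server` subclass defaults to no endpoint identification; and `CrlPath` by itself is never consulted, because Jetty only builds a PKIX validator with CRLs when `ValidatePeerCerts` is true.

```xml
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <!-- Server-side variant of SslContextFactory (Jetty 9.4.15+): it does not
       apply hostname verification to the peer, so a client certificate
       without a subject alternative name is no longer rejected for that
       reason alone. Paths and passwords below are taken from the question. -->
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="KeyStorePath"><Property name="jetty.home" default="." />/etc/keystores/keystore.jks</Set>
    <Set name="KeyStorePassword">password</Set>
    <Set name="KeyManagerPassword">secretpass</Set>
    <Set name="TrustStorePath"><Property name="jetty.home" default="." />/etc/keystores/client.jks</Set>
    <Set name="TrustStorePassword">password</Set>

    <!-- Require a client certificate and run PKIX path validation on it
         against the truststore. Without ValidatePeerCerts=true the CRL
         configured in CrlPath is loaded but never checked. -->
    <Set name="NeedClientAuth">true</Set>
    <Set name="ValidatePeerCerts">true</Set>
    <Set name="CrlPath"><Property name="jetty.home" default="." />/etc/keystores/test-cer-.crl</Set>

    <!-- Keep revocation checking local to the file above: do not follow CRL
         distribution points or OCSP responders named in the certificate.
         Both are already false by default; they are spelled out here so the
         revocation source is explicit in the configuration. -->
    <Set name="EnableCRLDP">false</Set>
    <Set name="EnableOCSP">false</Set>
  </New>

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.SslConnectionFactory">
                <Arg name="next">http/1.1</Arg>
                <Arg name="sslContextFactory"><Ref refid="sslContextFactory" /></Arg>
              </New>
            </Item>
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory"></New>
            </Item>
          </Array>
        </Arg>
        <Set name="host"><Property name="jetty.host" default="0.0.0.0" /></Set>
        <Set name="port"><Property name="jetty.port" default="14000" /></Set>
        <Set name="idleTimeout"><Property name="http.timeout" default="30000" /></Set>
        <Set name="name">restConnector:14000</Set>
      </New>
    </Arg>
  </Call>
</Configure>
```

Two checks are worth doing before blaming the configuration. First, confirm the CRL file itself is readable and current, e.g. `openssl crl -in etc/keystores/test-cer-.crl -noout -text` (add `-inform DER` if the file is binary); Jetty rejects the whole handshake if the CRL has expired or was not signed by a CA present in client.jks. Second, the browser's "Secure Connection Failed" hides the real cause: the `SSLHandshakeException` logged by Karaf (typically in data/log/karaf.log) states whether the client certificate was revoked, had an untrusted chain, or failed the hostname check, which is how to tell the two problems apart.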