
I am trying to set up mTLS on a Jetty Server. From the documentation I have seen, the server certificate is typically set up like this:

 import org.eclipse.jetty.util.ssl.SslContextFactory;

 // Server-side TLS configuration: the key store holds the server's own certificate and
 // private key, the trust store holds the CA(s) whose client certificates are accepted.
 SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
 sslContextFactory.setKeyStorePath("/Users/name/Downloads/server.jks");
 sslContextFactory.setKeyStorePassword("changeit");

 sslContextFactory.setTrustStorePath("/Users/name/Downloads/server_truststore.jks");
 sslContextFactory.setTrustStorePassword("changeit");
 // Require (not merely request) a client certificate during the handshake, i.e. enforce mTLS
 sslContextFactory.setNeedClientAuth(true);

However, I want to have different server certificates to validate against depending on which device sent the client certificate. What settings do I need to change, or which classes can I override, to dynamically validate certificates?

Lizzard28

1 Answer


You'll have to download it and then configure your SslContextFactory.Server to use the local copy.

This is a Java SSL engine limitation.

Use the prior answer on how to download a file from Amazon S3 ... https://stackoverflow.com/a/28569038/775715

For mTLS, just set the SslContextFactory.Server features you want to use for your set of features.

The behavior is standard Java JVM behavior, Jetty does very little here (Jetty only configures the JVM SSLEngine and SSLParameters objects, and handles host/alias matching if using SNI), all of the mTLS behaviors are baked into the JVM.

Everything from this point forward is standard Java behaviors of Client Auth, and Server Keystore/Truststore, there is nothing unique or special about Jetty. It's all a matter of configuring your Keystore/Truststore and issuing valid client certificates from those stores.

If you want multiple server certificates, go for it; that's supported by the keystore / truststore.

If you want the client to validate against different server certificates, then the client needs to use the appropriate combination of server hostname and SNI information (this is an extremely common TLS extension).

Joakim Erdfelt
  • What if I have a requirement to dynamically validate the certificates. For example, grab a certificate based on a deviceId that is sent in. Is this possible? – Lizzard28 Mar 07 '22 at 19:04
  • Once the Server is started, the TLS layer is also started by Java. Not possible to change the TLS layer without either restarting the Java SSLEngine or the Jetty server, requiring a new incoming connection to see the change. Perhaps you are wanting mTLS instead? – Joakim Erdfelt Mar 07 '22 at 19:12
  • Yes I do want MTLS, apologies for the confusion, it is in the title, but maybe the code I am implementing is not specific for MTLS. Do you have any guidance on Dynamic validation for MTLS in Java/Jetty? Or I can use a different server such as Tomcat if you recommend that? – Lizzard28 Mar 07 '22 at 19:31
  • Updated answer about JVM need/want of clientAuth (what the server side mTLS is all about). – Joakim Erdfelt Mar 07 '22 at 19:45
  • Ok yes, but how in Java/Jetty would I compare it against dynamic certificates? All of the examples are similar to the one I showed above where it looks for a single certificate. Is there a setting I can use, or a class I can override, to grab a certificate based on a deviceId that was sent in? Also, most examples I see utilize Jetty's SslContextFactory (org.eclipse.jetty.util.ssl.SslContextFactory) – Lizzard28 Mar 07 '22 at 19:56
  • 1
    mTLS is based solely on client certificates (that your server CA issued) talking to a server configured to authenticate from those client certificates. "deviceId" and all of that is out of scope. With Java mTLS you are not involved in the validation, you only know what was validated, and at that point you can use the post-validated client certificate to obtain more information about the client (assuming you have a database of client certificate to client details, like id) – Joakim Erdfelt Mar 07 '22 at 20:54
  • First thank you for taking the time and effort to talk through this with me Joakim. It sounds like what you are saying is that, if I want my clients to have different certificates, then for the MTLS portion my client certificates need to validate against a single server certificate. After that, maybe in some kind of ServletHandler, I can further validate that certificate based on deviceId? – Lizzard28 Mar 07 '22 at 21:18
  • For post-TLS, and a successful client auth, you can use the following in Servlet to obtain the certificate chain ... https://stackoverflow.com/questions/20056304/in-the-jetty-server-how-can-i-obtain-the-client-certificate-used-when-client-aut – Joakim Erdfelt Mar 07 '22 at 21:46
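The pattern the answer and its comments describe, as an added example that is not code from the question, the answer or the Jetty project: the JVM does the certificate validation during the handshake against the configured trust store, and the application only sees the already-validated chain afterwards, so any "deviceId" logic runs after TLS, not inside it. The example targets Jetty 10 (javax.servlet API; on Jetty 11 the request attribute is `jakarta.servlet.request.X509Certificate`), and the key/trust store paths, the `X-Device-Id` header, the `DEVICE_BY_FINGERPRINT` registry and its placeholder fingerprint are all assumptions for illustration. The security point worth noting is the last check in the handler: a device id the client merely claims (in a header or body) is bound to the identity the certificate proved, so a device holding one valid certificate cannot impersonate another device simply by sending a different id.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class MtlsDeviceServer {

    // Hypothetical registry (assumption): SHA-256 fingerprint of an issued client
    // certificate -> device id. In a real deployment this is populated when your CA
    // issues the device certificate; the value below is a placeholder, not a real hash.
    static final Map<String, String> DEVICE_BY_FINGERPRINT = Map.of(
            "replace-with-sha256-fingerprint-of-device-42-cert", "device-42");

    // Fingerprint of the DER encoding, same value as `openssl x509 -fingerprint -sha256`.
    static String sha256Hex(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Runs only after the JVM has already validated the client chain against the trust store.
    static class DeviceHandler extends AbstractHandler {
        @Override
        public void handle(String target, Request baseRequest, HttpServletRequest request,
                           HttpServletResponse response) throws IOException, ServletException {
            baseRequest.setHandled(true);

            // Populated by SecureRequestCustomizer on a connection that completed client auth.
            X509Certificate[] chain = (X509Certificate[])
                    request.getAttribute("javax.servlet.request.X509Certificate");
            if (chain == null || chain.length == 0) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
                return;
            }

            String deviceId;
            try {
                deviceId = DEVICE_BY_FINGERPRINT.get(sha256Hex(chain[0])); // chain[0] is the leaf
            } catch (Exception e) {
                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "cannot fingerprint certificate");
                return;
            }
            if (deviceId == null) {
                // Valid certificate from our CA, but not one we have enrolled: deny.
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "unknown device certificate");
                return;
            }

            // Bind any id the client claims to the id the certificate proves (header name is an assumption).
            String claimed = request.getHeader("X-Device-Id");
            if (claimed != null && !claimed.equals(deviceId)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "device id does not match certificate");
                return;
            }

            response.setContentType("text/plain");
            response.getWriter().println("hello " + deviceId);
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // Same configuration as in the question: one server cert, one trust store, client auth required.
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("/Users/name/Downloads/server.jks");
        ssl.setKeyStorePassword("changeit");
        ssl.setTrustStorePath("/Users/name/Downloads/server_truststore.jks");
        ssl.setTrustStorePassword("changeit");
        ssl.setNeedClientAuth(true);

        HttpConfiguration httpsConfig = new HttpConfiguration();
        // Without this customizer the certificate chain is never exposed as a request attribute.
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory(httpsConfig));
        connector.setPort(8443);
        server.addConnector(connector);

        server.setHandler(new DeviceHandler());
        server.start();
        server.join();
    }
}
```

To exercise it, issue a client certificate from the CA in `server_truststore.jks`, record its SHA-256 fingerprint in the registry, and call `curl --cert device.pem --key device.key --cacert ca.pem https://localhost:8443/`. A certificate from a different CA is rejected by the JVM during the handshake before the handler ever runs; a certificate from the right CA that is not in the registry reaches the handler and gets a 403.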