
Jetty Mutual TLS auth not finding the client certificate

I have a client instance running on a Jetty server. I have my own CA certificate loaded and working on both the server and the client. When I send the certificate request during the handshake, I have to specify the full issuer DN for the client certificate, otherwise the client fails to find the needed certificate. But I want to use only the CN of the CA in the request.

If I send

*** CertificateRequest
Cert Types: ECDSA
Supported Signature Algorithms: SHA256withECDSA
Cert Authorities:
<C=IT, O=ORGNAME, OU=OUNAME, CN=TEST_CA>

The server sends the correct certificate and the authentication succeeds; however, I want to only specify the CN of the CA I want, i.e.

*** CertificateRequest
Cert Types: ECDSA
Supported Signature Algorithms: SHA256withECDSA
Cert Authorities:
<CN=TEST_CA>

Using the above request, the server fails to find a valid client cert and proceeds to send an empty cert chain, and the authentication fails.

After digging deeper into the TLS RFC 5246, the specification says you need to supply Distinguished Name(s), while I was trying to supply a Relative Distinguished Name (i.e. only one of the fields): DN vs RDN.

Seems like what I wanted to do is not possible according to the RFC. Hope it helps someone who comes across this.
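To make the DN-versus-RDN point concrete, here is an added Python example (not code from the post or from Jetty): it DER-encodes the two "Cert Authorities" entries shown above as X.501 Names in the form the TLS 1.2 CertificateRequest carries in certificate_authorities (RFC 5246 section 7.4.4), and models the client's issuer check as whole-Name equality, which accepts the full DN and rejects the lone CN RDN. Assumptions: attribute values are encoded as UTF8String, RDN order is taken as written in the string, and names are compared by their DER bytes (Java compares X500Principal canonical forms; the outcome here is the same).

```python
# Added example, not from the original post; assumptions are noted in the lead-in.
ATTR_OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}  # RFC 4519

def der_tlv(tag, body):
    """DER tag + definite-form length + body (long-form length above 127 bytes)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def encode_name(dn):
    """X.501 Name: SEQUENCE OF RDN; each RDN here is a SET OF one AttributeTypeAndValue
    (SEQUENCE { type OID, value UTF8String }). RDN order is taken as written
    (assumption; a real client uses the issuer Name bytes from its certificate)."""
    rdns = []
    for part in dn.split(","):
        attr, value = (s.strip() for s in part.split("=", 1))
        atv = der_tlv(0x30, encode_oid(ATTR_OIDS[attr]) + der_tlv(0x0C, value.encode()))
        rdns.append(der_tlv(0x31, atv))
    return der_tlv(0x30, b"".join(rdns))

def certificate_authorities(names):
    """RFC 5246 7.4.4: DistinguishedName certificate_authorities<0..2^16-1>, a 2-byte
    vector length, then each name as a 2-byte length plus its DER-encoded Name."""
    body = b"".join(len(n).to_bytes(2, "big") + n for n in map(encode_name, names))
    return len(body).to_bytes(2, "big") + body

def issuer_accepted(issuer_dn, accepted):
    """The client's key manager compares whole Names: the certificate's issuer must
    equal one of the server's entries; a single matching RDN (CN alone) is not enough."""
    return encode_name(issuer_dn) in {encode_name(a) for a in accepted}

ISSUER = "C=IT, O=ORGNAME, OU=OUNAME, CN=TEST_CA"  # issuer DN of the client cert
FULL_DN_REQUEST = [ISSUER]                          # first CertificateRequest above
CN_ONLY_REQUEST = ["CN=TEST_CA"]                    # second CertificateRequest above
```

Running `issuer_accepted(ISSUER, FULL_DN_REQUEST)` returns True and `issuer_accepted(ISSUER, CN_ONLY_REQUEST)` returns False, which is the behaviour observed in the two handshakes above.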
