
Two Way SSL with Jetty and Null Cipher

I have an application running in Jetty. In front of it, I have a load balancer. The requirement is to have SSL decryption done by the load balancer while the web container does only SSL client authentication.

The theory is that the load balancer is very efficient at decrypting the content and can do that and pass it in plain to the web container.

Any idea how this can be achieved?

It's not clear what you mean by "Null Cipher" in your title. There are 3 possible candidates: TLS_NULL_WITH_NULL_NULL, TLS_RSA_WITH_NULL_MD5 and TLS_RSA_WITH_NULL_SHA. The first one doesn't perform any authentication; none of them offer any encryption. They're certainly useless for your objective. Use normal cipher suites (with both authentication and encryption) between the browser and the load balancer. Encryption between the load balancer and the worker nodes is generally optional, and only required if you don't trust the network where they sit (this would be a completely different SSL/TLS connection anyway and have nothing to do with the client-certificate authentication done by the end browser).

Only the SSL/TLS server can request (and verify) client-certificate authentication. In this case this will be the load balancer.

If you want to have your SSL/TLS traffic handled by your load balancer, it should verify the certificate (presumably against a CA you have configured), and then relay the certificate information to the worker nodes.

How you do this will depend on the load balancer. If it's an Apache Httpd server, mod_proxy_ajp will relay the client certificate via the AJP protocol (SSLOptions +ExportCertData +StdEnvVars). mod_jk is also able to relay the full client-certificate chain if needed (JkOptions +ForwardSSLCertChain).

If you want to use mod_proxy_http, a trick is to pass the certificate via an HTTP header (mod_header), using something like RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s. You should make sure this header is cleared if it comes from the client's browser (who could forge it otherwise). In this case, you'll need to write a filter as part of your Jetty server to handle that header and place it into the javax.servlet.request.X509Certificate HttpServletRequest attribute (it should be an array of X509Certificate). After this, you should be more or less at the same stage as what you would have with AJP. This may also work with other load balancers if they're capable of populating an HTTP header in a similar way.
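As an added example (not code from the original answer or from the Jetty project), here is the Jetty-side filter for the mod_proxy_http variant described above. It assumes the load balancer forwards the PEM certificate in a header named X-ClientCert, that the addresses of the trusted load balancers are supplied in a filter init-param named trustedProxies, and the javax.servlet API (Jetty 9 generation). The two checks a practitioner wants are built in: the header is only honoured when the request arrives from a listed proxy, and a value that is empty or the literal "(null)" (what mod_headers produces when no client certificate was presented) is treated as "no certificate" rather than as an error.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not part of the original page): turns a client certificate
 * forwarded by the load balancer in an HTTP header into the standard
 * javax.servlet.request.X509Certificate request attribute.
 */
public class ForwardedClientCertFilter implements Filter {
    // Assumed header name; must match the RequestHeader directive on the proxy.
    static final String HEADER = "X-ClientCert";
    static final String ATTR = "javax.servlet.request.X509Certificate";

    // Assumed init-param "trustedProxies": comma-separated load balancer IPs.
    private Set<String> trustedProxies = Collections.emptySet();

    @Override
    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("trustedProxies");
        if (p != null && !p.trim().isEmpty()) {
            trustedProxies = new HashSet<>(Arrays.asList(p.trim().split("\\s*,\\s*")));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse httpRes = (HttpServletResponse) res;
        String forwarded = http.getHeader(HEADER);

        // Only the load balancer is allowed to assert a client identity; anything
        // else carrying this header is a forgery attempt (or a misrouted request).
        if (forwarded != null && !trustedProxies.contains(http.getRemoteAddr())) {
            httpRes.sendError(HttpServletResponse.SC_FORBIDDEN,
                    HEADER + " accepted only from the load balancer");
            return;
        }

        // mod_headers expands an unset SSL_CLIENT_CERT to "(null)"; treat that,
        // a blank value, or no header at all as "no certificate presented".
        if (forwarded == null || forwarded.trim().isEmpty() || "(null)".equals(forwarded.trim())) {
            chain.doFilter(req, res);
            return;
        }

        X509Certificate cert;
        try {
            cert = parseFlattenedPem(forwarded);
        } catch (CertificateException | IllegalArgumentException e) {
            httpRes.sendError(HttpServletResponse.SC_BAD_REQUEST, "unparseable client certificate");
            return;
        }
        // Same attribute and type (array) that a native TLS connector would set,
        // so downstream code cannot tell the difference from AJP or direct TLS.
        req.setAttribute(ATTR, new X509Certificate[] { cert });
        chain.doFilter(req, res);
    }

    /**
     * The PEM block loses its line breaks when placed in a header (they become
     * spaces), so strip the armour and all whitespace, then decode the base64
     * body to DER and hand it to the X.509 factory.
     */
    static X509Certificate parseFlattenedPem(String flattened) throws CertificateException {
        String body = flattened
                .replace("-----BEGIN CERTIFICATE-----", "")
                .replace("-----END CERTIFICATE-----", "")
                .replaceAll("\\s+", "");
        byte[] der = Base64.getDecoder().decode(body); // IllegalArgumentException on garbage
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }
}
```

On the Apache side this pairs with SSLVerifyClient require, SSLOptions +ExportCertData and RequestHeader set X-ClientCert "%{SSL_CLIENT_CERT}s" in the proxying virtual host; because RequestHeader set replaces any existing header of that name, a value injected by the browser is overwritten before the request reaches Jetty, and the remote-address check in the filter covers the case where a request bypasses the proxy entirely. The filter deliberately does not re-verify the certificate chain: verification against the CA was already done by the load balancer, which is the only TLS endpoint that can do it.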
