Geek Answers Handbook

Forcing an SSL client to send a certificate

I am trying to write a client (the middleware is actually a client for the entity, but also acts as a server for others). In his client capacity, it is supposed to talk with another server (VMware VirtualCenter) and ask him to do something on his behalf.

To provide you more context, VirtualCenter allows the application to register as an extension. The specified application can register its certificate at the time of registration ( setCertificate ). After that, the application can log into VirtualCenter using its certificate ( loginExtensionByCertificate () ) and, therefore, it is not necessary to store the username and password. However, for this, the client (my application) must send the certificate as part of its SSL connection, although the server (VirtualCenter) does not request it especially.

I am writing my application with Java. Created my own key manager, connected it to my keystore and specified an alias to use. Then initialized my ssl context to use this key manager. In the created sockets, I see that their SSLContext has my key manager. However, I do not see any of the key managers receiving a certificate. For some reason, the socket does not consider that it needs to send a certificate.

I understand that the server may ask the client to submit its certificate. In this case, this does not happen. What I'm wondering is there a way to get the created socket to present the certificate regardless of whether the server requests it.

+5
source share
5 answers

, , ( ) SSL-, (VirtualCenter)

. , SSL. , , , .

- . 100% , ? , , ? , , .

+2

, . . TLS Spec. - (RFC 4346, 7.4.6):

, . , .

, .

EDIT: , , keymanager/keystore . , , , Java SSL-?

+4

VMware VC SSL- , VC. , .

, SSL/Java, VMware ( SSL...).

, : Java HTTPS/SSL

0

, . , VMware . .

WireShark, ( ) . VirtualCenter (VC) , . , .

:

  • URL- https://: ( , , ).

  • . https SSLSocketFactory. factory public Socket createSocket(Socket s, String host, int port, boolean autoClose), SSLSocket .

:

@Override
public Socket createSocket(Socket s, String host, int port, boolean autoClose)
    throws IOException {
    s.setKeepAlive(true);
    String connectReq = "CONNECT /sdkTunnel HTTP/1.1\r\n\r\n";
    OutputStreamWriter writer = new OutputStreamWriter(socket.getOutputStream());
    writer.write(connectReq, 0, connectReq.length());
    writer.flush();
    // In this initial response, all that matters is the http code. If
    // it is 200, the rest can be ignored.
    READ_AND_VERIFY_INITIAL_RESPONSE();
    SSLSocket sock = (SSLSocket) origSslSockFactory
        .createSocket(s, s.getInetAddress().getHostName(), s.getPort(), true);
    // Depending on whether the caller actually does the handshake
    // or not, you may need to call handshake here. In my case, I
    // did not need to, since HTTPClient I am using calls the
    // handshake. Axis does not call, so you may have to in that
    // case.

    // sock.startHandshake();
    return sock;
}

origSslSockFactory SSLSocketFactory, . sun.security.ssl.SSLSocketFactoryImpl.

ExtensionManager.setExtensionCertificate(). SessionManager.loginExtensionByCertificate() .

, , , .

0
source

When vCenter is installed, it uses a reverse proxy server on port 443, which forwards HTTP requests to the actual service. The proxy server never requests a client certificate and it will not be able to forward it.

Try to find the actual port on which the service is running, and connect to it.

0
source

More articles:


All Articles