I set up an FTPS server with Apache MINA in which clients cients authenticate via user/password. I now want to force clients to authenticate via an SSL certificate, but I could not find instructions nor examples for this. Anyone can help?
Got it:
ListenerFactory factory = new ListenerFactory();
SslConfigurationFactory ssl = new SslConfigurationFactory();
ssl.setClientAuthentication("true");
ssl.setTruststoreFile(new File("trust.jks"));
ssl.setTruststorePassword("trust-password");
ssl.setKeystoreFile(new File("certs.jks"));
ssl.setKeystorePassword("certs-password");
factory.setSslConfiguration(ssl.createSslConfiguration());
factory.setImplicitSsl(true);
The server will force clients to connect using a certificate, and will only accept those included in trust.jks.
Related
I have set the setting in cloudflare ssl/tls to Full (strict), but my server is connecting even with a self certificate. Why is this? My server is configured with Apache.
I want to prevent access to servers with self certificates.
If you set ssl/tls to Full, you will force CF to redirect traffic over ssl/tls. If your server is using a self-signed certificate you will need to upload a valid cert.
To avoid direct access, you need to set up authentication origin pull:
https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/explanation/
so that all traffic is evaluated before receiving a response from your server.
If you want your server to stop using self-signed certs, you can download a valid one from CF, and load it:
https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/
I'd like to authenticate my clients using SSL client certs, but just for some urls within an application? So I'd like:
site1/url1 does not ask for client certificate
site1/url2 requires that the client is using a valid client cert
With Apache you can do it with SSLClientVerify, but this option does not work with IHS. I have checked some URLs, but none of them answers my problem.
https://developer.ibm.com/answers/questions/246111/ihs-ssl-mutual-authentication-for-only-some-pages.html
Any clue?
Thanks.
It was not possible to do it with IHS, I changed it to Apache.
When a Meteor client uses DDP.connect() to connect to a DDP server, it's sent in plaintext. How can we establish SSL encrypted DDP connections?
Meteor relays on SockJs, according to SocksJs README: From SockJS' point of view there is nothing special about SSL/HTTPS. Connecting between unencrypted and encrypted sites should work just fine.
My code:
var connection = DDP.connect("ws://127.0.0.1:3000");
If you switch from ws to wss (WebSocket Secure), if the host supports ssl, it will be used. In my localhost, I don't ssl installed and It doesn't fallback to ´ws´, you've to manually code it if you want so.
I have created a test environment. I have one ldap client, ldap listener (as a ldap proxy) and a ldap server. Ldap client sends ldap requests to ldap proxy on port 389 (SSL). Ldap proxy decodes the ldap requests and forwards them to the ldap server on port 389. And the proxy forwards the reply of the ldap server to ldap client successfully.
I created SSL certificate on ldap server. And this time I tested that ldap client sends ldap requests to ldap proxy on port 389 (SSL). Ldap proxy forwarded requests to the ldap server on port 636. And the proxy forwards the reply of the ldap server to ldap client successfully.
But there is a problem when I try to use SSL on both sides. I mean
ldap client (port 636) -> ldap proxy (port 636) -> ldap server (port
636)
My client throws an exception
javax.net.ssl.SSLHandshakeException: Remote host closed connection
during handshake
I am using unboundid ldap sdk and LdapDebugger example as a ldap proxy. How can I configure ldaplistener to accept SSL encrypted requests(port 636)?
thanks in advance...
If you're using the ldap-debugger tool provided with the LDAP SDK, it currently only supports SSL for communicating with the backend server, but not when communicating with a client. That is, the "--useSSL" option applies only for communication between the LDAP debugger and the backend directory server, and not between the client and the LDAP debugger. However, because this is potentially a very useful feature, I have just committed a set of changes that add this capability, so if you check out and build the latest version of the LDAP SDK, you will find that the ldap-debugger tool has a new "--listenUsingSSL" argument that controls this.
Note that regardless of whether you're using the ldap-debugger tool or you have created your own listener via Java code, you need to ensure that you have a Java keystore that contains the SSL certificate that will be presented to clients. If the LDAP server you're using is Java-based (e.g., the in-memory directory server provided with the LDAP SDK), then you probably already have this. Otherwise, you'll need to create one. If you're just doing this for testing purposes, a self-signed certificate should be just fine (as long as the client trusts it, or is configured to blindly trust all certificates).
I am using jboss as the server and my java program as the client, I have modified the server.xml file in jboss to send certificate from server to the client. this happens automatically, when the requesting client has the same domain as the domain in the server keystore.
But I want the jboss server to validate the client certificate also. How can I send the client certificate to jboss and receive it in jboss?
You are trying to achieve a two way ssl so lookup "jboss two way ssl".
The steps would be similar to setting up ssl on the server ; the only difference would be that you would need to import the client cert into the server truststore (assuming the client cert is self-signed).