Support custom client certificates for Mutual Auth

I want to use my own client certs to test a service which uses Mutual Auth. So instead of only passing in the protocol, it would be neat to also specify a truststore + password. Something like this:

* configure ssl = { trustStore: 'classpath:security/trustStore.jks', password: 'secret', algorithm: 'TLSv1.2' }

or with a default jasypt encryption:

* configure ssl = { trustStore: 'classpath:security/trustStore.jks', password: 'ENC(ZqRBcxftoCD33dUPHX0liHvNH5xdfrUCmGw=)', algorithm: 'TLSv1.2' }

Currently in com.intuit.karate.http.HttpUtils:

    public static SSLContext getSslContext(String algorithm) {
        // LenientTrustManager accepts any server certificate, so no trust path is
        // verified; no key managers are passed, so no client certificate is presented.
        TrustManager[] certs = new TrustManager[]{new LenientTrustManager()};
        SSLContext ctx = null;
        if (algorithm == null) {
            algorithm = "TLS";
        }
        try {
            ctx = SSLContext.getInstance(algorithm);
            ctx.init(null, certs, new SecureRandom());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        return ctx;
    }

Retrieve SslContext with custom client cert(s):

    import java.io.IOException;
    import java.net.URL;
    import java.security.GeneralSecurityException;
    import javax.net.ssl.SSLContext;
    import org.apache.http.ssl.SSLContextBuilder; // Apache HttpCore 4.4+

    public static SSLContext getSslContext(URL trustStoreURL, char[] password, String algorithm) {
        SSLContextBuilder sslContextBuilder = new SSLContextBuilder();
        try {
            // Loads the truststore used to verify the server's certificate chain.
            sslContextBuilder.loadTrustMaterial(trustStoreURL, password);
            // null protocol falls back to "TLS" inside build()
            sslContextBuilder.useProtocol(algorithm);
            return sslContextBuilder.build();
        } catch (GeneralSecurityException | IOException e) {
            throw new IllegalStateException("Error while creating SslContext", e);
        }
    }
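As an added illustration (not Karate's code and not the issue author's snippet), the proposed `ssl = { trustStore, password, algorithm }` config can be turned into an `SSLContext` that both verifies the server against the truststore and presents a client certificate from a keystore, which is what mutual auth needs; the snippet above only loads trust material. The class name, the separate `keyStore` argument and the extension-based choice between JKS and PKCS12 are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper (not Karate's API) for the proposed ssl = { ... } config.
// The truststore decides which server certificates are accepted; the keystore
// supplies the client certificate and private key presented during mutual auth.
public final class MutualTlsContext {

    // Resolves the "classpath:" prefix used in the proposed config; anything else is read as a URL.
    static URL resolve(String location) throws Exception {
        if (location.startsWith("classpath:")) {
            URL url = MutualTlsContext.class.getClassLoader()
                    .getResource(location.substring("classpath:".length()));
            if (url == null) throw new IllegalArgumentException("not on classpath: " + location);
            return url;
        }
        return new URL(location);
    }

    // Store type is assumed from the file extension: .jks -> JKS, everything else PKCS12.
    static KeyStore load(URL url, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(url.getPath().endsWith(".jks") ? "JKS" : "PKCS12");
        try (InputStream in = url.openStream()) {
            ks.load(in, password);
        }
        return ks;
    }

    public static SSLContext build(String trustStore, char[] trustPassword,
                                   String keyStore, char[] keyPassword,
                                   String algorithm) throws Exception {
        // Real chain verification against the configured truststore, no LenientTrustManager.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(resolve(trustStore), trustPassword));

        // Client certificate + private key; keyPassword also unlocks the private key entry.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(resolve(keyStore), keyPassword), keyPassword);

        SSLContext ctx = SSLContext.getInstance(algorithm == null ? "TLS" : algorithm);
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }
}
```

If the handshake still fails with this context, the usual cause is a missing intermediate certificate in either the truststore or the client keystore chain.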

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 38 (20 by maintainers)

Top GitHub Comments

mattjm commented, Jun 12, 2019

I’ll add a couple comments about SSL debugging from my years of experience supporting TLS mutual auth:

  1. Don’t use Java keystores, use PKCS12. Java keystores require everything be done just perfectly in exactly the right order…and even then they won’t work half the time.

  2. Trust path problems can also be caused by missing intermediate certificates (e.g. you trust the root cert, but the server isn’t presenting the intermediate certs in the trust path). You might also need to include intermediates with your client certificate (this is much easier with PKCS12 vs a java keystore).

  3. (client debugging only) If you’re really stumped you can set up an Apache server, enable certificate authentication, set the logLevel very high, then point your HTTP client at the server. Obviously the Apache server won’t serve up what your client expects, but it will still try to handshake with the server and you can get really good information out of the debug logs.

  4. (shouldn’t happen with Karate since it doesn’t use the Windows certificate keystore but I’ll mention it anyway) 9 times out of 10 on Windows, handshake failures are because you’re missing a certificate’s private key or don’t have permissions on it.

mattjm commented, Apr 17, 2018

@jbadeau I will get rid of that fork–it worked but the current master upstream branch is far more polished. @ptrthomas has it taking a PKCS12 cert, which is easy enough to get from PEM using openssl (https://www.sslshopper.com/article-most-common-openssl-commands.html).

If you were interested in using the PEM code for something else, send email (email in my profile)–I think it’s a library I have somewhere.
