Mutual authentication


What kind of issue is this?

  • Question. This issue tracker is not the place for questions. If you want to ask how to do something, or to understand why something isn’t working the way you expect it to, use Stack Overflow. https://stackoverflow.com/questions/tagged/okhttp

  • Bug report. If you’ve found a bug, spend the time to write a failing test. Bugs with tests get fixed. Here’s an example: https://gist.github.com/swankjesse/981fcae102f513eb13ed

  • Feature Request. Start by telling us what problem you’re trying to solve. Often a solution already exists! Don’t send pull requests to implement new features without first getting our support. Sometimes we leave features out on purpose to keep the project small.

OkHttp supports server authentication by setting an X509TrustManager object using the sslSocketFactory method of the OkHttpClient.Builder object.
What can I do if the server requires client authentication, too?

You can get a simple server that requires mutual authentication (both client and server) from the tutorial at http://www.baeldung.com/x-509-authentication-in-spring-security (the corresponding code is at http://github.com/eugenp/tutorials/blob/master/spring-security-x509).
Then you can use a variant of your recipe at http://github.com/square/okhttp/blob/master/samples/guide/src/main/java/okhttp3/recipes/CustomTrust.java to make a request to such a server, and you will get the following exception:

javax.net.ssl.SSLHandshakeException: Handshake failed
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:281)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:251)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:151)
    at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:192)
    at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)
    at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at it.scoppelletti.spaceship.http.ClientInterceptor.intercept(ClientInterceptor.java:71)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:185)
    at okhttp3.RealCall.execute(RealCall.java:69)
    at retrofit2.OkHttpCall.execute(OkHttpCall.java:180)
    at retrofit2.ExecutorCallAdapterFactory$ExecutorCallbackCall.execute(ExecutorCallAdapterFactory.java:91)

This is because you can set an X509TrustManager object but you cannot set an X509KeyManager object from which the client could present its own certificate to the server in order to be authenticated.

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 11

Top GitHub Comments

1 reaction
yschimke commented, Aug 11, 2017

This is already supported. This unit test shows an example way to configure it

https://github.com/square/okhttp/blob/cd872fd83824512c128dcd80c04d445c8a2fc8eb/okhttp-tests/src/test/java/okhttp3/internal/tls/ClientAuthTest.java

I’ve personally used this with Estonian smart cards, so I can confirm that the feature works.
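
An added example, not taken from the issue or from the OkHttp project: with standard JSSE, the client certificate is supplied by initialising the SSLContext with key managers as well as trust managers, then passing its socket factory to sslSocketFactory. The class name, the PKCS#12 file paths, the passwords and the URL are assumptions supplied on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

// Hypothetical class name; illustrates client-certificate (mutual TLS) setup for OkHttp.
public final class MutualTlsClient {
  static KeyStore loadPkcs12(String path, char[] password) throws Exception {
    KeyStore store = KeyStore.getInstance("PKCS12");
    try (InputStream in = new FileInputStream(path)) {
      store.load(in, password);
    }
    return store;
  }

  static OkHttpClient build(KeyStore identity, char[] keyPassword, KeyStore trustedCas) throws Exception {
    // Key managers hold the client's private key and certificate chain presented to the server.
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(identity, keyPassword);
    // Trust managers still verify the server; client authentication does not replace that check.
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustedCas);
    TrustManager[] tms = tmf.getTrustManagers();
    if (tms.length != 1 || !(tms[0] instanceof X509TrustManager)) {
      throw new IllegalStateException("Unexpected default trust managers");
    }
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(kmf.getKeyManagers(), tms, null);
    return new OkHttpClient.Builder()
        .sslSocketFactory(ctx.getSocketFactory(), (X509TrustManager) tms[0])
        .build();
  }

  public static void main(String[] args) throws Exception {
    // Assumed args: <client.p12> <client password> <truststore.p12> <truststore password> <https URL>
    char[] pw = args[1].toCharArray();
    OkHttpClient client = build(loadPkcs12(args[0], pw), pw, loadPkcs12(args[2], args[3].toCharArray()));
    try (Response response = client.newCall(new Request.Builder().url(args[4]).build()).execute()) {
      System.out.println(response.code());
    }
  }
}
```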
