My question is somewhat related to this question on Stackoverflow. However, my server will be listening on a single port. The server will trust the client only if it finds the client's public key certificate with itself. I want the client to send the name of its public key certificate (on a normal, insecure connection), which the server will look up in its own filesystem. If the server finds the certificate then it converts the old, insecure client connection to an SSL connection. Is this even possible? If so, how?
2 Answers
You don't seem to understand how SSL actually works. If you set it up so that client authentication is required, the client will send its certificate during the handshake, and the server can get it and verify it any way it likes. In Java this means installing a `HandshakeCompletedListener` in the server or using `SSLSocket.getSession.getPeerCertificate()`.

- Ya, I must admit that I don't quite understand it. However, would it be wrong if I say that the server needs to contact the CA to verify the client's identity (or in other words, the server must have access to the public keys maintained by the CA)? – TheRookierLearner Apr 26 '13 at 11:19
- Also, it would be really very helpful if you could point to some resources for understanding the theory behind this and also some programming resources. – TheRookierLearner Apr 26 '13 at 11:20
- I suggested one in your [other thread](http://stackoverflow.com/a/16225948/207421). – user207421 Apr 26 '13 at 12:48
- Ya, the JSSE Reference Guide and the IBM link. There aren't any books for these, I guess. – TheRookierLearner Apr 26 '13 at 18:01
- The server doesn't need to contact the CA. The server already has the client certificate chain, and as long as its truststore trusts one of the signers in the chain, identity is established. You also need to read up on X.509 certificate PKI. – user207421 Apr 26 '13 at 23:24
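A minimal JSSE server of the kind the answer above describes, added here as an illustration (it is not the answerer's code): client authentication is required, the server's truststore decides which client certificates are accepted, and the peer certificate is read from the session once the handshake has completed. The keystore file names, passwords and port are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsServer {
    // Assumed files: server.p12 holds the server's own key pair;
    // clients.jks holds only the CA certificates (or self-signed client
    // certificates) that this server is willing to accept.
    static SSLContext buildContext(String keyStorePath, char[] keyPw,
                                   String trustStorePath, char[] trustPw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keyStorePath)) { ks.load(in, keyPw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPw);

        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) { ts.load(in, trustPw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);  // the truststore, not a lookup by name, is what decides trust

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext("server.p12", "changeit".toCharArray(),
                                      "clients.jks", "changeit".toCharArray());
        try (SSLServerSocket server =
                 (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            // need (not want): the handshake fails unless the client presents a trusted cert
            server.setNeedClientAuth(true);
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    client.startHandshake();  // complete the handshake before reading the session
                    Certificate[] chain = client.getSession().getPeerCertificates();
                    X509Certificate leaf = (X509Certificate) chain[0];
                    System.out.println("Authenticated client: " + leaf.getSubjectX500Principal());
                    // ... application protocol on `client` goes here ...
                } catch (SSLException e) {
                    System.err.println("Rejected connection: " + e.getMessage());
                }
            }
        }
    }
}
```

Any client whose certificate does not chain to an entry in clients.jks is rejected during the handshake, so no application data is ever exchanged with an unauthenticated peer.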
You can do this by issuing a POST request over plain HTTP, sending to the server the name of the client's certificate. In the response there could be a result instructing the client to reconnect to the server over SSL via a different port. Using a single port for both HTTP and HTTPS as you seem to expect is impossible and does not make sense. Your requirement in general does not make sense IMHO.
