
I'm making a secure TLS connection with Netty. I use mutual authentication on my connection. The certificate from the client is validated with OCSP.

Validation procedures with OCSP are done in the same way that I define Netty as truststore.

Disconnecting from TCP if the client's certificate is revoked or unknown. So far, so good.

I want to print the client's IP to the logs when the certificate is revoked or unknown. I tried a lot of things, but I couldn't.

Can you help me?

The builder is built in the following way. My OCSP code is in the WebSocketTrustManagerFactory class:

builder = SslContextBuilder
         .forServer(kmf)
         .clientAuth(ClientAuth.REQUIRE)
         .trustManager(new WebSocketTrustManagerFactory(finalTm));
Rahmican

1 Answer


I guess you could check for the SslHandshakeCompletionEvent and if it's a failure log it.

Something like:

import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Place this handler in the pipeline after the SslHandler so it sees the
// handshake completion event.
public class MyHandler extends ChannelInboundHandlerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(MyHandler.class);

    @Override
    public void userEventTriggered(ChannelHandlerContext ctx, Object evt) {
        if (evt instanceof SslHandshakeCompletionEvent) {
            SslHandshakeCompletionEvent sslEvent = (SslHandshakeCompletionEvent) evt;
            if (!sslEvent.isSuccessful()) {
                // remoteAddress() is the TCP peer; the failure cause carries
                // the trust manager's exception.
                Throwable cause = sslEvent.cause();
                logger.debug("Handshake failed for {}", ctx.channel().remoteAddress(), cause);
            }
        }
        // Pass the event on to the next handler in the pipeline.
        ctx.fireUserEventTriggered(evt);
    }
}
Norman Maurer
  • I think "ctx.channel().remoteAddress()" will give me the load balancer ip. I guess I need to get x-forwarded-for from the http package. Do you have any idea about this? – Rahmican Nov 05 '18 at 20:26
  • 1
    if the handshake fails then there will be no http header yet. – Norman Maurer Nov 06 '18 at 06:46
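As an added example (not code from the question or the answer), a handler that does what the answer and comments describe: it logs the TCP peer address on handshake failure and, assuming the custom trust manager fails validation the way the JDK's PKIX validator does (a CertPathValidatorException somewhere in the cause chain), also logs the validator's reason, which distinguishes a revoked certificate from one whose OCSP status could not be determined. The class and method names are hypothetical.

```java
import java.security.cert.CertPathValidatorException;

import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Logs the peer address of every failed TLS handshake and, when the
 * failure came from certificate path validation, the validator's reason
 * (e.g. REVOKED, or UNDETERMINED_REVOCATION_STATUS when OCSP gave no
 * usable answer). Install it in the pipeline right after the SslHandler.
 * Hypothetical class; assumes an SLF4J logger is on the classpath.
 */
public class HandshakeAuditHandler extends ChannelInboundHandlerAdapter {

    private static final Logger log = LoggerFactory.getLogger(HandshakeAuditHandler.class);

    @Override
    public void userEventTriggered(ChannelHandlerContext ctx, Object evt) {
        if (evt instanceof SslHandshakeCompletionEvent) {
            SslHandshakeCompletionEvent event = (SslHandshakeCompletionEvent) evt;
            if (!event.isSuccessful()) {
                // remoteAddress() is the TCP peer. Behind a load balancer that
                // is the balancer's address unless it forwards the client's
                // address at the transport layer; no HTTP header exists yet.
                log.warn("TLS handshake failed: peer={} reason={}",
                        ctx.channel().remoteAddress(),
                        validationReason(event.cause()),
                        event.cause());
            }
        }
        ctx.fireUserEventTriggered(evt);
    }

    /**
     * Walks the cause chain (SSLHandshakeException -> CertificateException
     * -> CertPathValidatorException) and returns the validator's reason,
     * or a generic label when the failure was not a validation error.
     */
    static String validationReason(Throwable cause) {
        for (Throwable t = cause; t != null; t = t.getCause()) {
            if (t instanceof CertPathValidatorException) {
                return String.valueOf(((CertPathValidatorException) t).getReason());
            }
        }
        return "handshake error";
    }
}
```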