1

I'm trying to make a ssl webserver with jetty, but I do not want to provide the server certificate if any client tries to connect. On normal cases anybody can download the server certificate, trust and connect to the server. But I would like to install the server certificate manuelly on my client to be sure, that only my client has that cert and can connect to my server.

Is that possible? I didn't find anything around the web related to Jetty.

I'm playing with some example code and my truststore. Nothing special.

        final Server server = new Server();
        server.setHandler(new HelloWorld());

        final HttpConfiguration httpConfiguration = new HttpConfiguration();
        httpConfiguration.setSecureScheme("https");
        httpConfiguration.setSecurePort(8085);

        final ServerConnector http = new ServerConnector(server,
                new HttpConnectionFactory(httpConfiguration));
        http.setPort(8081);
        server.addConnector(http);

        final SslContextFactory sslContextFactory = new SslContextFactory("mykey.jks");
        sslContextFactory.setKeyStorePassword("tester");
        sslContextFactory.setNeedClientAuth(true);

        final HttpConfiguration httpsConfiguration = new HttpConfiguration(httpConfiguration);
        httpsConfiguration.addCustomizer(new SecureRequestCustomizer());
        final ServerConnector httpsConnector = new ServerConnector(server,
                new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfiguration));
        httpsConnector.setPort(8085);
        server.addConnector(httpsConnector);

        server.start();
        server.join();

I know, that's a special usecase. If there is a better solution, let me know (and no, login session is no option for me). It has to be as simple as it is possible.

user2877016
  • 37
  • 6
  • It sounds mutual auth SSL is a better way to go for you; create a keypair for the server _and_ a keypair for the client. https://www.codeproject.com/Articles/326574/An-Introduction-to-Mutual-SSL-Authentication – dtanabe Jan 11 '19 at 22:37
  • Typically in HTTPS world it is not the certificate just by itself that matters but if it is signed by a specific (or any) CA that the receiver of the certificate trusts. " only my client has that cert and can connect to my server." if you want to authenticate your clients it is not the fact that they have the server certificate locally or not that should matter. Instead you authenticate them through a client certificate they will have that the server will validate (either just by itself or again because it is signed by a trusted CA or your own) or you authenticate them later, in HTTP or in app – Patrick Mevzek Jan 11 '19 at 22:45

1 Answers1

0

Instead of attempting security though obscurity you should implement Two Way SSL. You can take a look at 2-Way SSL with Java: The Keystore Strikes Back article.

The client can always blindly trust or ignore any certificate presented by the server. As long as someone knows the server address they will be able to make a request.

Karol Dowbecki
  • 43,645
  • 9
  • 78
  • 111