Infinispan / ISPN-4316

The client is tried for "SSL Peer Authentication" even though encryption's require-ssl-client-auth is set to false


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version: 7.0.0.Alpha5
    • Affects Version: 7.0.0.Alpha4
    • Components: Security, Server
    • Labels: None

    Description

      Consider the scenario:

      • The client enables authentication through ConfigurationBuilder (i.e. cb.security().authentication())
      • The server's SSL configuration doesn't require client authentication (i.e. require-ssl-client-auth="false"), and in addition the security-realm's <authentication .../> doesn't include a <truststore .../>

      In such a scenario the client is unable to authenticate, as the following exception is thrown in the server-side logs:

      javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

      One-sided communication encryption (with the client storing the server's certificate in its trust store) should be supported, particularly when the client wants to authenticate via credentials.

      People

        Tristan Tarrant (ttarrant@redhat.com)
        Vijay Chintalapati (vchintal@redhat.com)