I am implementing mTLS from a client perspective.

Properties config

server.port=8090
server.ssl.enabled=true
#server.ssl.key-store=C:\\cert\\keystore.jks
server.ssl.key-store-password=changeit
server.ssl.key-store-type=JKS
server.ssl.key-alias=fnbuh81zjl3.fnb.co.za
server.ssl.trust-store=C:\\cert\\truststore.jks
server.ssl.trust-store-password=changeit
server.ssl.trust-store-type=JKS

When the application starts up it finds the trust store and key store, as start-up is successful.

When making the mTLS call to the server the client certificate is not sent in the handshake. After adding the keystore and keystore password as Java command line arguments (-Djavax.net.ssl.keyStore....) it sends the client certificate but fails to identify the certificate path.

After passing both the keystore and truststore as Java command line arguments the SSL handshake is successful.

There seems to be a bug during mTLS negotiation on the client side when the keyStore and trustStore are only passed as application properties.

Comment From: wilkinsona

The server.ssl.* properties only affect the web server's SSL configuration. They are server-side only and have no effect on how a client behaves when making requests to the server.

When making the mTLS call to the server the client certificate is not sent in the handshake.

This is a client-side problem and is out of Spring Boot's control. Whatever client you are using needs to be configured to send a certificate that the server trusts.

If you have any further questions, please follow up on Stack Overflow or Gitter. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.

Comment From: AASGoliath

Good day Andy,

Thank you for the response.

I understand your standpoint.

Please consider:

We are using a Spring Boot application as a client application to negotiate mTLS. It would be great if we could have client.ssl.* properties that can aid the client to do proper SSL handshake negotiations.

Kind regards.

André

From: Andy Wilkinson @.> Sent: Thursday, November 23, 2023 12:18 PM To: spring-projects/spring-boot @.> Cc: Goliath, Andre @.>; Author @.> Subject: Re: [spring-projects/spring-boot] There seems to be a bug during mTLS negotiation on the client side when keyStore and TrustStore is only passed as application properties (Issue #38511) - [External Email]



Comment From: wilkinsona

Please take a look at the new SSL configuration support that was added in Spring Boot 3.1.
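Both replies above make the same point: server.ssl.* configures only the embedded web server, and an outbound client has to be given its own key and trust material, which in Spring Boot 3.1 and later is done with an SSL bundle. The following is an added example, not code from the Spring Boot project or from the issue author, showing a RestTemplate wired to a bundle plus a start-up check that the bundle can actually drive an mTLS handshake. The bundle name "client", the package name, the file paths, the alias and the passwords are all assumed placeholders; the spring.ssl.bundle.jks.* property names, SslBundles, SslBundle and RestTemplateBuilder.setSslBundle are the real Spring Boot 3.1 API.

```java
package com.example.mtls; // hypothetical package name

import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.springframework.boot.ApplicationRunner;
import org.springframework.boot.ssl.SslBundle;
import org.springframework.boot.ssl.SslBundles;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.client.RestTemplate;

/*
 * Assumed application.properties (bundle name "client" is an arbitrary choice;
 * paths, passwords and the alias are placeholders):
 *
 *   spring.ssl.bundle.jks.client.keystore.location=file:C:/cert/keystore.jks
 *   spring.ssl.bundle.jks.client.keystore.password=changeit
 *   spring.ssl.bundle.jks.client.keystore.type=JKS
 *   spring.ssl.bundle.jks.client.key.alias=client-cert-alias
 *   spring.ssl.bundle.jks.client.truststore.location=file:C:/cert/truststore.jks
 *   spring.ssl.bundle.jks.client.truststore.password=changeit
 *   spring.ssl.bundle.jks.client.truststore.type=JKS
 *
 * server.ssl.* is read only by the embedded web server; an outbound client never
 * sees it, which is why the configuration in the issue sent no client certificate.
 */
@Configuration
public class MtlsClientConfig {

    private static final String BUNDLE_NAME = "client";

    /** RestTemplate whose TLS context presents the client certificate and trusts the server's CA. */
    @Bean
    RestTemplate mtlsRestTemplate(RestTemplateBuilder builder, SslBundles sslBundles) {
        SslBundle bundle = sslBundles.getBundle(BUNDLE_NAME);
        return builder.setSslBundle(bundle).build();
    }

    /** Fails fast at start-up instead of failing on the first outbound call. */
    @Bean
    ApplicationRunner verifyMtlsBundle(SslBundles sslBundles) {
        return args -> {
            List<String> problems = checkBundle(sslBundles.getBundle(BUNDLE_NAME));
            if (!problems.isEmpty()) {
                throw new IllegalStateException("mTLS client bundle misconfigured: " + problems);
            }
        };
    }

    /**
     * Returns human-readable problems (empty when the bundle is usable). The key store must
     * hold a private-key entry: a store with only trusted certificates means no client
     * certificate is ever sent. The configured alias, if any, must be such an entry, and the
     * trust store must contain at least one certificate to validate the server against.
     */
    static List<String> checkBundle(SslBundle bundle) throws Exception {
        List<String> problems = new ArrayList<>();
        KeyStore keyStore = bundle.getStores().getKeyStore();
        KeyStore trustStore = bundle.getStores().getTrustStore();

        if (keyStore == null) {
            problems.add("no key store configured (no client certificate can be sent)");
        } else {
            String alias = bundle.getKey().getAlias();
            if (alias != null) {
                if (!keyStore.isKeyEntry(alias)) {
                    problems.add("alias '" + alias + "' is not a private-key entry in the key store");
                }
            } else {
                boolean hasKey = false;
                for (String a : Collections.list(keyStore.aliases())) {
                    if (keyStore.isKeyEntry(a)) {
                        hasKey = true;
                        break;
                    }
                }
                if (!hasKey) {
                    problems.add("key store contains no private-key entry");
                }
            }
        }

        if (trustStore == null) {
            problems.add("no trust store configured (server certificate cannot be validated)");
        } else if (trustStore.size() == 0) {
            problems.add("trust store is empty");
        }
        return problems;
    }
}
```

To confirm from the outside that the client actually presents its certificate, run the client JVM with -Djavax.net.debug=ssl:handshake and look for a Certificate message in the client's handshake output; if the server closes the connection right after that message, the certificate is being sent but is not trusted by the server, which is a different problem from the one in this issue.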

Comment From: AASGoliath

Thank you

From: Andy Wilkinson @.> Sent: Thursday, November 23, 2023 1:07 PM To: spring-projects/spring-boot @.> Cc: Goliath, Andre @.>; Author @.> Subject: Re: [spring-projects/spring-boot] There seems to be a bug during mTLS negotiation on the client side when keyStore and TrustStore is only passed as application properties (Issue #38511) - [External Email]

