View Issue Details

ID: 0002861
Project: SymmetricDS
Category: New Feature
View Status: public
Last Update: 2017-12-12 12:35
Reporter: maiku
Assigned To: elong
Priority: normal
Severity: minor
Reproducibility: N/A
Status: assigned
Resolution: open
Product Version: 3.8.6
Target Version: 3.9.1
Fixed in Version: 3.9.0
Summary: 0002861: Client certificate authentication
Description: The client certificate and private key reside in the keystore, but are not presented when the remote endpoint requests TLS client authentication (i.e. when connecting through an haproxy reverse proxy).
Tags: No tags attached.

Activities

saleem

2016-11-01 04:33

reporter   ~0000897

We have a similar issue. Does SymmetricDS support using client certificates for authentication and authorisation?

saleem

2016-11-03 03:26

reporter  

symmetric-core-3.8.7.rar (973,203 bytes)

saleem

2016-11-03 03:26

reporter   ~0000899

Last edited: 2016-11-03 10:11


Client certificate authentication worked successfully after removing the modifications from the commit related to the following URL:

https://github.com/JumpMind/symmetric-ds/commit/830189c1bdf60804764651fbd2e1bd496d26228d

A statement was added to the abstract constructor of the class AbstractCommandLauncher in this commit. This statement initialises a default SSL factory for allowing self-signed certificates. The statement does not check if the property for self-signed certificates is enabled before initialising the default SSL factory. This is changing the default behavior of SSL. The added statement is the following:

TransportManagerFactory.initHttps("all", true);

I have tried creating a new 'symmetric-core' JAR file that disables the following statements in the TransportManagerFactory class:

if (allowSelfSignedCerts)
{
   HttpsURLConnection.setDefaultSSLSocketFactory(createSelfSignedSocketFactory());
}

The statements were disabled by using a conjunction with the value 'false' in the condition of the 'if' clause. Client certificate verification worked successfully after passing the following parameters for configuring SSL trust and key stores in the 'sym_service.conf':

-Djavax.net.ssl.trustStore=security/cacerts
-Djavax.net.ssl.trustStorePassword=XXXX
-Djavax.net.ssl.trustStoreType=jks
-Djavax.net.ssl.keyStore=security/keystore
-Djavax.net.ssl.keyStorePassword=XXXX

I have uploaded a JAR file for the 'symmetric-core' archive with these modifications applied. This JAR file worked successfully for client certificate authentication using SymmetricDS version '3.8.7'. The file can be placed in the folder 'web\WEB-INF\lib' for testing.
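Added example, not SymmetricDS code and not the reporter's patch: a hypothetical ClientAuthSocketFactory that builds the process-wide SSLSocketFactory from the same javax.net.ssl.* system properties listed in the note above, keeping the key managers (the client identity) together with whatever trust store is configured. Since createSelfSignedSocketFactory() is not shown on this page, the example assumes that the self-signed factory initialises its SSLContext with no KeyManagers, which would explain why the certificate in the keystore is never presented once that factory becomes the JVM default; the class and method names are invented.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical helper (not part of SymmetricDS): builds an SSLSocketFactory
 * that carries the client identity from the javax.net.ssl.keyStore* properties,
 * so a client certificate is still presented when a reverse proxy requests TLS
 * client authentication, even after the JVM-wide default factory is replaced.
 */
public final class ClientAuthSocketFactory {

    private ClientAuthSocketFactory() {
    }

    /** Loads a key or trust store from disk; the type defaults to the JVM default (JKS). */
    static KeyStore loadStore(String path, String password, String type)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type != null ? type : KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password != null ? password.toCharArray() : null);
        }
        return ks;
    }

    /**
     * Key managers built from javax.net.ssl.keyStore. Returns null when the
     * property is absent, which leaves the context without any client identity.
     */
    static KeyManager[] keyManagersFromProperties()
            throws IOException, GeneralSecurityException {
        String path = System.getProperty("javax.net.ssl.keyStore");
        if (path == null) {
            return null;
        }
        String password = System.getProperty("javax.net.ssl.keyStorePassword");
        KeyStore ks = loadStore(path, password, System.getProperty("javax.net.ssl.keyStoreType"));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // The private-key password is assumed to equal the store password, which is
        // what the sym_service.conf flags quoted in the note above configure.
        kmf.init(ks, password != null ? password.toCharArray() : null);
        return kmf.getKeyManagers();
    }

    /**
     * Trust managers built from javax.net.ssl.trustStore; null means the JVM
     * default trust store. A self-signed server certificate belongs in this store
     * (security/cacerts in the note above) rather than in a trust-everything manager.
     */
    static TrustManager[] trustManagersFromProperties()
            throws IOException, GeneralSecurityException {
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null) {
            return null;
        }
        KeyStore ts = loadStore(path, System.getProperty("javax.net.ssl.trustStorePassword"),
                System.getProperty("javax.net.ssl.trustStoreType"));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf.getTrustManagers();
    }

    /** Socket factory that carries both the client identity and the chosen trust anchors. */
    public static SSLSocketFactory create() throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Assumption about the bug: a factory created with init(null, ..., null) has no
        // KeyManager, so the server's CertificateRequest is answered with no certificate.
        ctx.init(keyManagersFromProperties(), trustManagersFromProperties(), null);
        return ctx.getSocketFactory();
    }

    /** Replaces the process-wide default used by HttpsURLConnection. */
    public static void install() throws IOException, GeneralSecurityException {
        HttpsURLConnection.setDefaultSSLSocketFactory(create());
    }
}
```

Calling ClientAuthSocketFactory.install() once at startup, with the -Djavax.net.ssl.* flags from the note in place, gives every HttpsURLConnection a context that both presents the client certificate and validates the proxy's certificate against the configured trust store; a deployment that needs to accept a self-signed proxy certificate imports that certificate into the trust store instead of disabling verification.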

maiku

2016-12-14 06:17

reporter   ~0000929

@saleem Wonder if you could provide a diff for your patch?

saleem

2016-12-16 02:32

reporter  

TransportManagerFactoryPatch.diff (107 bytes)
81c81
<             if (allowSelfSignedCerts && false) {
---
>             if (allowSelfSignedCerts) {
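Review bot: the `allowSelfSignedCerts && false` condition at 81c81 turns the branch into dead code, so it removes the self-signed-certificate option for every installation rather than fixing its interaction with client authentication, and a constant-false conjunction also triggers compiler and IDE warnings and reads like a leftover debug edit. Since note 0000899 traces the problem to `TransportManagerFactory.initHttps("all", true)` being called unconditionally from the AbstractCommandLauncher constructor, the condition should stay `if (allowSelfSignedCerts) {` and the fix should go either to that caller (read the actual configuration property before enabling it) or to the factory it installs (build it with the key managers from the configured key store so the client certificate is still presented). The normal-format `81c81` hunk also carries no file header, so the patch should state that the line refers to TransportManagerFactory in the 3.8.7 source, as the accompanying note does.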

saleem

2016-12-16 02:33

reporter   ~0000930

I have uploaded a patch file named 'TransportManagerFactoryPatch.diff'. This patch is based on the source code for version '3.8.7'.

chenson

2017-11-06 08:13

administrator   ~0001076

See 2886. Should be possible by tweaking system parameters.

Issue History

Date Modified Username Field Change
2016-10-14 04:28 maiku New Issue
2016-11-01 04:33 saleem Note Added: 0000897
2016-11-03 03:26 saleem File Added: symmetric-core-3.8.7.rar
2016-11-03 03:26 saleem Note Added: 0000899
2016-11-03 10:10 saleem Note Edited: 0000899 View Revisions
2016-11-03 10:11 saleem Note Edited: 0000899 View Revisions
2016-12-14 06:17 maiku Note Added: 0000929
2016-12-16 02:32 saleem File Added: TransportManagerFactoryPatch.diff
2016-12-16 02:33 saleem Note Added: 0000930
2017-03-22 14:51 chenson Assigned To => maxwellpettit
2017-03-22 14:51 chenson Status new => assigned
2017-10-27 11:24 elong Assigned To maxwellpettit => elong
2017-10-27 11:24 elong Target Version => 3.8.31
2017-11-06 08:13 chenson Fixed in Version => 3.9.0
2017-11-06 08:13 chenson Target Version 3.8.31 => 3.9.0
2017-11-06 08:13 chenson Note Added: 0001076
2017-12-12 12:35 mmichalek Target Version 3.9.0 => 3.9.1