View Issue Details

ID: 0002861
Project: SymmetricDS
Category: New Feature
View Status: public
Last Update: 2020-07-20 14:50
Reporter: maiku
Assigned To: elong
Priority: normal
Status: closed
Resolution: fixed
Product Version: 3.8.6
Target Version: 3.12.2
Fixed in Version: 3.12.2
Summary: 0002861: Client certificate authentication
Description: The client certificate and private key reside in keystore, but are not presented when remote endpoint requests TLS client authentication (i.e. connecting through an haproxy reverse proxy).
Tags: security

Relationships

related to 0004474 (closed, elong): Web server require or accept client ssl certificate authentication

Activities

saleem

2016-11-01 08:33

reporter   ~0000897

We have a similar issue. Does SymmetricDS support using client certificates for authentication and authorisation?

saleem

2016-11-03 07:26

reporter  

symmetric-core-3.8.7.rar (973,203 bytes)

saleem

2016-11-03 07:26

reporter   ~0000899

Last edited: 2016-11-03 14:11

Client certificate authentication worked successfully after removing the modifications from the commit related to the following URL:

https://github.com/JumpMind/symmetric-ds/commit/830189c1bdf60804764651fbd2e1bd496d26228d

A statement was added to the abstract constructor of the class AbstractCommandLauncher in this commit. This statement initialises a default SSL factory for allowing self-signed certificates. The statement does not check if the property for self-signed certificates is enabled before initialising the default SSL factory. This is changing the default behavior of SSL. The added statement is the following:

TransportManagerFactory.initHttps("all", true);

I have tried creating a new 'symmetric-core' JAR file that disables the following statements in the TransportManagerFactory class:

if (allowSelfSignedCerts)
{
   HttpsURLConnection.setDefaultSSLSocketFactory(createSelfSignedSocketFactory());
}

The statements were disabled by using a conjunction with the value 'false' in the condition of the 'if' clause. Client certificate verification worked successfully after passing the following parameters for configuring SSL trust and key stores in the 'sym_service.conf':

-Djavax.net.ssl.trustStore=security/cacerts
-Djavax.net.ssl.trustStorePassword=XXXX
-Djavax.net.ssl.trustStoreType=jks
-Djavax.net.ssl.keyStore=security/keystore
-Djavax.net.ssl.keyStorePassword=XXXX

I have uploaded a JAR file for the 'symmetric-core' archive with these modifications applied. This JAR file worked successfully for client certificate authentication using SymmetricDS version '3.8.7'. The file can be placed in the folder 'web\WEB-INF\lib' for testing.
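
Added example, not SymmetricDS code and not part of the comment above: one way to build a default socket factory that still presents the client certificate. It assumes the replaced factory came from an SSLContext initialised without key managers (the page does not show createSelfSignedSocketFactory()); in JSSE the javax.net.ssl.keyStore properties are only read by the JVM's default context, so a custom context has to load the keystore itself. The class name ClientCertSocketFactory and its methods are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example: ClientCertSocketFactory is a hypothetical helper, not SymmetricDS code.
public class ClientCertSocketFactory {

    // Load a keystore file; a null path gives an empty in-memory store so the demo runs offline.
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type != null ? type : KeyStore.getDefaultType());
        if (path == null) { ks.load(null, null); return ks; }
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    // Build a context that verifies the server AND can answer a CertificateRequest.
    static SSLContext build(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // null falls back to the JVM default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        // ctx.init(null, ...) would install an empty key manager: no client certificate is sent.
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] ksPass = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
        char[] tsPass = System.getProperty("javax.net.ssl.trustStorePassword", "").toCharArray();
        KeyStore ks = load(System.getProperty("javax.net.ssl.keyStore"),
                System.getProperty("javax.net.ssl.keyStoreType"), ksPass);
        String tsPath = System.getProperty("javax.net.ssl.trustStore");
        KeyStore ts = tsPath == null ? null
                : load(tsPath, System.getProperty("javax.net.ssl.trustStoreType"), tsPass);
        HttpsURLConnection.setDefaultSSLSocketFactory(build(ks, ksPass, ts).getSocketFactory());
        System.out.println("client key entries: " + Collections.list(ks.aliases()).size());
    }
}
```

Run with the same -Djavax.net.ssl.* parameters listed in the comment above to load the real stores; without them it falls back to an empty key store and the JVM default trust store.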

maiku

2016-12-14 11:17

reporter   ~0000929

@saleem Wonder if you could provide a diff for your patch?

saleem

2016-12-16 07:32

reporter  

TransportManagerFactoryPatch.diff (107 bytes)   
81c81
<             if (allowSelfSignedCerts && false) {
---
>             if (allowSelfSignedCerts) {

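Review bot: The hunk at line 81 reads in the reverse direction. In normal diff output the '<' line comes from the first file, so as posted 'if (allowSelfSignedCerts && false) {' is the old line and 'if (allowSelfSignedCerts) {' is the new one; regenerate it with the original 3.8.7 file first so it applies as described in note 0000899. Separately, '&& false' makes the branch unreachable, so the allowSelfSignedCerts argument no longer has any effect for any caller. Since note 0000899 attributes the regression to TransportManagerFactory.initHttps("all", true) being called without checking the self-signed property, gating that call on the property would restore client certificate authentication without removing self-signed support.
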
saleem

2016-12-16 07:33

reporter   ~0000930

I have uploaded a patch file named 'TransportManagerFactoryPatch.diff'. This patch is based on the source code for version '3.8.7'.

chenson

2017-11-06 13:13

administrator   ~0001076

See 2886. Should be possible by tweaking system parameters.

Related Changesets

SymmetricDS: 3.12 e5dfe474

2020-07-13 15:52:09

admin

0002861: Client certificate authentication
Affected Issues: 0002861
mod - symmetric-core/src/main/java/org/jumpmind/symmetric/transport/TransportManagerFactory.java

Issue History

Date Modified Username Field Change
2016-10-14 08:28 maiku New Issue
2016-11-01 08:33 saleem Note Added: 0000897
2016-11-03 07:26 saleem File Added: symmetric-core-3.8.7.rar
2016-11-03 07:26 saleem Note Added: 0000899
2016-11-03 14:10 saleem Note Edited: 0000899
2016-11-03 14:11 saleem Note Edited: 0000899
2016-12-14 11:17 maiku Note Added: 0000929
2016-12-16 07:32 saleem File Added: TransportManagerFactoryPatch.diff
2016-12-16 07:33 saleem Note Added: 0000930
2017-03-22 18:51 chenson Assigned To => maxwellpettit
2017-03-22 18:51 chenson Status new => assigned
2017-10-27 15:24 elong Assigned To maxwellpettit => elong
2017-10-27 15:24 elong Target Version => 3.8.31
2017-11-06 13:13 chenson Fixed in Version => 3.9.0
2017-11-06 13:13 chenson Target Version 3.8.31 => 3.9.0
2017-11-06 13:13 chenson Note Added: 0001076
2017-12-12 17:35 mmichalek Target Version 3.9.0 => 3.9.1
2017-12-22 19:58 mmichalek Fixed in Version 3.9.0 => 3.9.1
2017-12-22 20:06 mmichalek Status assigned => closed
2017-12-22 20:09 mmichalek Resolution open => fixed
2017-12-22 20:51 mmichalek Status closed => assigned
2017-12-22 20:51 mmichalek Resolution fixed => open
2017-12-22 20:51 mmichalek Fixed in Version 3.9.1 =>
2017-12-22 20:51 mmichalek Target Version 3.9.1 => 3.9.2
2019-04-24 13:24 elong Tag Attached: security
2020-07-13 19:25 elong Relationship added related to 0004474
2020-07-13 19:25 elong Target Version 3.9.2 => 3.12.2
2020-07-13 19:53 elong Status assigned => resolved
2020-07-13 19:53 elong Resolution open => fixed
2020-07-13 19:53 elong Fixed in Version => 3.12.2
2020-07-13 20:00 admin Changeset attached => SymmetricDS 3.12 e5dfe474
2020-07-20 14:50 elong Status resolved => closed