Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Choose Certificate dialog

I use a similar setup and noticed that it is important that the keystore contains at least one certificate the user owns. Otherwise the Browser (firefox) never offers me the client-selection box.
The reason for this is that the server advertise a list of "certificate-names" he will accept, if none in the list matches any certificate on the client side the browser seems to decide that it can't fullfill the request.

Have you tried with needClientAuth = true?

Beside thsi it is very helpfull to enable ssl debug in the JVM to see what might goes wrong.

Am 23.03.2015 11:20, schrieb Espen Schulstad:
Hi, I have configured my app to be secured by x509 certificates, but can't get the "choose certificate prompt" to be shown in the browser. This works out of the box in tomcat.

In tomcat the configuration looks like this:

   <Connector port="8081" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150" scheme="https" secure="true"
                 clientAuth="want" sslProtocol="TLS" 
                 keystorePass="password" />

When going on the port I am prompted with a ssl renegotiation (asking what certificate I want to use).

Configuring the same thing in jetty 

    <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="KeyStorePath">
            <Property name="jetty.keystore" default="keystore"/>
        <Set name="KeyStorePassword">
            <Property name="jetty.keystore.password" default="password"/>
      <Set name="NeedClientAuth">
          <Property name="jetty.ssl.needClientAuth" default="false"/>
      <Set name="WantClientAuth">
          <Property name="jetty.ssl.wantClientAuth" default="true"/>
        <Set name="EndpointIdentificationAlgorithm"/>

        <Set name="ExcludeCipherSuites">
            <Array type="String">

        <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
                <Ref refid="httpConfig"/>
            <Call name="addCustomizer">
                    <New class="org.eclipse.jetty.server.SecureRequestCustomizer"/>

Gives me 403..

Please help me, Obi-wan-Kenobi, or else I'll have to use the tomcat solution.

Regards, Espen
_______________________________________________ jetty-users mailing list jetty-users@xxxxxxxxxxx To change your delivery options, retrieve your password, or unsubscribe from this list, visit

Back to the top