OpenSslSession: Add support to defensively check for peer certs #14641
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Motivation ---------- In a use-case where an application wants to check if a peer certificate has been provided without throwing an exception if none are found (as is currently the behavior when calling SSLSession#getPeerCertificates) there is currently no API available to do that. The use-case which prompted this addition is to defensively check if a mTLS connection has been established with access to the SSLSession. Modifications ------------- This changeset introduces a new API to the OpenSslSession which allows to check if peer certs are available (hasPeerCertificates) and returns true if this is the case. Result ------ It is now possible to check if mTLS is enabled (through checking if peer certs are presented) without throwing an exception if not.
idelpivnitskiy
approved these changes
Jan 7, 2025
chrisvest
reviewed
Jan 7, 2025
handler/src/test/java/io/netty/handler/ssl/OpenSslEngineTest.java
Outdated
Show resolved
Hide resolved
chrisvest
approved these changes
Jan 8, 2025
|
@daschl I am not against this change but I wonder how this will be useful for anyone except for netty itself ? The |
|
@daschl @chrisvest @idelpivnitskiy PTAL again... |
daschl
commented
Jan 10, 2025
handler/src/test/java/io/netty/handler/ssl/OpenSslEngineTest.java
Outdated
Show resolved
Hide resolved
handler/src/test/java/io/netty/handler/ssl/OpenSslEngineTest.java
Outdated
Show resolved
Hide resolved
daschl
commented
Jan 10, 2025
handler/src/test/java/io/netty/handler/ssl/OpenSslEngineTest.java
Outdated
Show resolved
Hide resolved
handler/src/test/java/io/netty/handler/ssl/OpenSslEngineTest.java
Outdated
Show resolved
Hide resolved
chrisvest
approved these changes
Jan 10, 2025
normanmaurer
added a commit
that referenced
this pull request
Jan 13, 2025
Motivation ---------- In a use-case where an application wants to check if a peer certificate has been provided without throwing an exception if none are found (as is currently the behavior when calling SSLSession#getPeerCertificates) there is currently no API available to do that. The use-case which prompted this addition is to defensively check if a mTLS connection has been established with access to the SSLSession. Modifications ------------- This changeset introduces a new API to the OpenSslSession which allows to check if peer certs are available (hasPeerCertificates) and returns true if this is the case. Result ------ It is now possible to check if mTLS is enabled (through checking if peer certs are presented) without throwing an exception if not. --------- Co-authored-by: Norman Maurer <[email protected]>
normanmaurer
added a commit
that referenced
this pull request
Jan 13, 2025
…) (#14653) Motivation ---------- In a use-case where an application wants to check if a peer certificate has been provided without throwing an exception if none are found (as is currently the behavior when calling SSLSession#getPeerCertificates) there is currently no API available to do that. The use-case which prompted this addition is to defensively check if a mTLS connection has been established with access to the SSLSession. Modifications ------------- This changeset introduces a new API to the OpenSslSession which allows to check if peer certs are available (hasPeerCertificates) and returns true if this is the case. Result ------ It is now possible to check if mTLS is enabled (through checking if peer certs are presented) without throwing an exception if not. Co-authored-by: Michael Nitschinger <[email protected]>
normanmaurer
added a commit
that referenced
this pull request
Jan 13, 2025
…) (#14653) Motivation ---------- In a use-case where an application wants to check if a peer certificate has been provided without throwing an exception if none are found (as is currently the behavior when calling SSLSession#getPeerCertificates) there is currently no API available to do that. The use-case which prompted this addition is to defensively check if a mTLS connection has been established with access to the SSLSession. Modifications ------------- This changeset introduces a new API to the OpenSslSession which allows to check if peer certs are available (hasPeerCertificates) and returns true if this is the case. Result ------ It is now possible to check if mTLS is enabled (through checking if peer certs are presented) without throwing an exception if not. Co-authored-by: Michael Nitschinger <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
In a use-case where an application wants to check if a peer certificate has been provided without throwing an exception if none are found (as is currently the behavior when calling SSLSession#getPeerCertificates) there is currently no API available to do that.
The use-case which prompted this addition is to defensively check if a mTLS connection has been established with access to the SSLSession.
Modifications
This changeset introduces a new API to the OpenSslSession which allows to check if peer certs are available (hasPeerCertificates) and returns true if this is the case.
Result
It is now possible to check if mTLS is enabled (through checking if peer certs are presented) without throwing an exception if not.