Bug
Resolution: Done
Blocker
7.1.0.DR16
I create a bare remoting connector with an SSL context that should require mutual trust:
/subsystem=elytron/key-store=example-key-store:add(path=server.keystore, relative-to=jboss.server.config.dir, credential-reference={clear-text=123456}, type=JKS)
/subsystem=elytron/key-managers=example-key-manager:add(key-store=example-key-store, algorithm=SunX509, credential-reference={clear-text=123456})
/subsystem=elytron/trust-managers=example-trust-manager:add(key-store=example-key-store, algorithm=SunX509)
/subsystem=elytron/server-ssl-context=example-ssl-context:add(trust-managers=example-trust-manager, key-managers=example-key-manager, need-client-auth=true, want-client-auth=true)
/subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain)
/socket-binding-group=standard-sockets/socket-binding=remoting-ssl-sb:add(port=4448)
/subsystem=remoting/connector=remoting-ssl-connector:add(socket-binding=remoting-ssl-sb, sasl-authentication-factory=application-sasl-authentication, ssl-context=example-ssl-context)
However, the client is able to authenticate (just using SASL) even if it doesn't use any keystore, even though mutual trust should be established. When using an https-remoting connector secured in the equivalent way, the client can't authenticate without a keystore.
When the sasl-authentication-factory is removed, no authentication will be done through SSL; SSL will only be used for encrypting the communication.
A bare remoting connector with SSL secured by PicketBox works as expected as well (encryption and authentication), so this looks Elytron-related.
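An added check, not part of this issue or of the WildFly/Elytron code base: probe the remoting SSL port from outside with openssl s_client, without offering any client certificate, to see whether the server actually sends a CertificateRequest, independently of what the EJB client's SASL login reports. The openssl CLI is assumed to be installed; the function names and the PROBE_HOST / PROBE_PORT variables are assumptions.

```shell
#!/bin/sh
# Read `openssl s_client` output on stdin and print one verdict line.
# A server configured with need-client-auth=true must send a CertificateRequest;
# s_client reports its CA list as "Acceptable client certificate CA names",
# while "No client certificate CA names sent" means the server never asked.
classify_s_client_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^Acceptable client certificate CA names'; then
        echo "client-cert-requested"
    elif printf '%s\n' "$out" | grep -q '^No client certificate CA names sent'; then
        echo "client-cert-not-requested"
    else
        echo "handshake-failed-or-unknown"
    fi
}

# Connect with no client key/cert so the only signal is whether the server asks
# for one. -tls1_2 is used because in TLS 1.2 the CertificateRequest carries the
# accepted CA names; in TLS 1.3 that list is optional and the heuristic is weaker
# (assumption). </dev/null closes the session right after the handshake.
probe_client_auth() {
    host=$1
    port=$2
    openssl s_client -connect "$host:$port" -tls1_2 </dev/null 2>&1 \
        | classify_s_client_output
}

# Only probe when a host is given, e.g. PROBE_HOST=localhost PROBE_PORT=4448 sh probe.sh
if [ -n "${PROBE_HOST:-}" ]; then
    probe_client_auth "$PROBE_HOST" "${PROBE_PORT:-4448}"
fi
```

If the verdict is "client-cert-not-requested" on the bare remoting port while the https-remoting port answers "client-cert-requested", the SSL context's need-client-auth setting is not reaching the remoting connector, which matches the behaviour reported above.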