0
votes

I have a situation and not sure if it has possible solution.

I have a Java Server with SSL Socket and certificates "A" & "B". I also have 2 types of clients - one with certificate "A" and another with certificate "B". However only one certificate is loaded on a server side and therefore either clients with cert. "A" can connect or only clients with cert. "B" can connect.

Is it possible to modify Java Server such that up on a connection from any client, it will determine which certificate is used ( A vs. B ) and use appropriate cert?

P.S: Please pardon my security ignorance.

Thank you.

1
Are you talking about the Sun/Oracle Glassfish Java server?fvu
It is a java application with SSL socket - acting as a server.MeIr
Why would your clients have certificates A and B too? Are you trying to use client-certificate authentication?Bruno
I didn't express myself correctly. I have clients, some of them have cert A while others have cert B.MeIr
Why would they either "have" cert A or B? What do you mean by a client having a cert? Do you mean that some clients are configured to trust cert A and other cert B, where both cert A and B are on the server (and only the server has their private keys of course), or are you talking of other certificates used to authenticate the clients?Bruno

1 Answers

1
votes

Being able to use two server certificates on the same IP address and port is possible via the Server Name Indication (SNI) extension, which must be supported by the client and the server.

Java supports this on the client side since Java 7.

Unfortunately, this is not supported on the server side yet. This is planned for Java 8.

Meanwhile, if you do need SNI support on your server, you may be able to use another server to handle the SSL/TLS connection and forward the plain text connection to your application. Typically, this can be done with Apache Httpd (with a reverse proxy) for HTTP(S).

Alternatively, it looks like the HTTPS-SNI-Proxy project may be more flexible for other protocols (despite having HTTPS in its name). I haven't tried it, but according to its README, it looks for the SNI extension in the initial Client Hello and then forwards the entire SSL/TLS connection (without deciphering it) to another server, depending on what is configured. In your example, you would have to set up two SSLServerSockets on distinct ports (not the one you really want to listen to) and forward connections from this tool to either port depending on what the client requests with its SNI extension.