
Quarkus Mutual TLS demo – DEV Community



Project quarkus-mutual-tls-demo available on GitHub

Demonstration project that shows how to configure Transport Layer Security (TLS) on Quarkus server and Quarkus client applications.

There are two applications in this demo: server and client.

First, I explain the concepts of HTTPS, TLS and mutual TLS.

Then, I run a few tests showing step by step how to configure the applications and what problems occur when they are not configured correctly.






Concepts



HTTPS

HTTPS stands for Hypertext Transfer Protocol Secure, a protocol used to establish a secure and encrypted connection between a web browser (or other client) and a web server.
When you connect to a website using HTTPS, your browser and the server exchange cryptographic keys to establish a secure connection. This ensures that any data transmitted between the client and server is encrypted and protected from interception or tampering. [1]

To establish an HTTPS connection, the server must have a server certificate. When the client accesses the server, it receives the server certificate and checks whether this certificate is valid and issued by a trusted Certificate Authority (CA).



TLS

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible. [2]

Transport Layer Security (TLS) certificates—most commonly known as SSL, or digital certificates—are the foundation of a safe and secure internet. TLS/SSL certificates secure internet connections by encrypting data sent between your browser, the website you’re visiting, and the website server. They ensure that data is transmitted privately and without modifications, loss or theft. [3]

Mutual TLS occurs when the client requires identification from the server and the server requires identification from the client as well.



Certificate generation

Let’s generate the server and client certificates.

Then we’ll create a single keystore containing all client certificates.

The files are already in the project; if you want to execute the keytool commands yourself, delete the files first.

Execute the following commands in the root folder of the project.



Server Certificate

$ keytool -genkeypair -storepass server-password -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -validity 365000 -keystore server/server-keystore.jks



Client “A” Certificate

$ keytool -genkeypair -storepass client-a-password -keyalg RSA -keysize 2048 -dname "CN=client" -alias client -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -validity 365000 -keystore client/client-a-keystore.jks



Client “B” Certificate

$ keytool -genkeypair -storepass client-b-password -keyalg RSA -keysize 2048 -dname "CN=client" -alias client-b -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -validity 365000 -keystore client/client-b-keystore.jks



Create the server truststore

Create the server truststore file containing all the client keystores.

Generating a server truststore file:

$ keytool -genkeypair -storepass authorized-clients-password -keyalg RSA -keysize 2048 -dname "CN=client" -alias authorized-clients -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -validity 365000 -keystore server/server-truststore-clients.jks

Adding the keystore from client “A” to the server truststore:

$ keytool -importkeystore -srckeystore client/client-a-keystore.jks -srcstorepass client-a-password -destkeystore server/server-truststore-clients.jks -deststorepass authorized-clients-password

Adding the keystore from client “B” to the server truststore:

$ keytool -importkeystore -srckeystore client/client-b-keystore.jks -srcstorepass client-b-password -destkeystore server/server-truststore-clients.jks -deststorepass authorized-clients-password



Create the client truststore

$ cp server/server-keystore.jks client/client-truststore.jks



Test – Server with certificate and client without truststore configured

In this scenario, the server only accepts https connections, but the server certificate is not present in the client truststore, the client’s Certificate Authority management.

Enabling TLS on the server side:

# Disallowing http access
quarkus.http.insecure-requests=disabled

# Configure https port
quarkus.http.ssl-port=8445

# Server Certificate
quarkus.http.ssl.certificates.key-store-file=./server-keystore.jks
quarkus.http.ssl.certificates.key-store-password=server-password

Start server:



Test from Quarkus Client

Start client:

Execute the client endpoint that consumes the server endpoint:

$ curl localhost:8080/hello

Trying to access this endpoint from the client without the Trust Store configuration, we receive this error:

jakarta.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
...
Caused by: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
        at io.vertx.core.net.impl.ChannelProvider$1.userEventTriggered(ChannelProvider.java:127)
        ... 25 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target



Test from curl

$ curl https://localhost:8445
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.



Test from curl allowing insecure server connections

$ curl -k https://localhost:8445/hello

Hello from server



Test – Server with certificate and client with truststore configured

Configure the client truststore:

# REST client specific Trust Store
quarkus.rest-client.server-api.trust-store=./client-truststore.jks
quarkus.rest-client.server-api.trust-store-password=server-password



Test from Quarkus Client

Start client:

Execute the client endpoint that consumes the server endpoint:

$ curl localhost:8080/hello

Hello from server



Test – Server with mutual TLS and client that does not present its identity

Add the client identification requirement (quarkus.http.ssl.client-auth) and the server truststore, which holds the identities the server will trust:

# Disallowing http access
quarkus.http.insecure-requests=disabled

# Configure https port
quarkus.http.ssl-port=8445

# Server Certificate
quarkus.http.ssl.certificates.key-store-file=./server-keystore.jks
quarkus.http.ssl.certificates.key-store-password=server-password

# Require client identification
quarkus.http.ssl.client-auth=required
quarkus.http.ssl.certificates.trust-store-file=./server-truststore-clients.jks
quarkus.http.ssl.certificates.trust-store-password=authorized-clients-password

Start server:



Test from Quarkus Client

Start client:

Execute the client endpoint that consumes the server endpoint:

$ curl localhost:8080/hello

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
...
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate



Test from curl

$ curl -k https://localhost:8445

curl: (56) OpenSSL SSL_read: error:0A000412:SSL routines::sslv3 alert bad certificate, errno 0



Test – Server with mutual TLS and client that presents its certificate

Add the client certificate:

# REST client specific Trust Store
quarkus.rest-client.server-api.trust-store=./client-truststore.jks
quarkus.rest-client.server-api.trust-store-password=server-password

# REST client specific Key Store
quarkus.rest-client.server-api.key-store=./client-a-keystore.jks
quarkus.rest-client.server-api.key-store-password=client-a-password

Start client:

Execute the client endpoint that consumes the server endpoint:

$ curl localhost:8080/hello

Hello from server

You can use any of the client keystores that are in the server truststore, that is client-a-keystore.jks (client-a-password) or client-b-keystore.jks (client-b-password).



Credits

https://quarkus.io/guides/security-authentication-mechanisms-concept#mutual-tls

https://quarkus.io/blog/quarkus-mutual-tls/

https://quarkus.io/guides/http-reference


[1] https://chat.openai.com/

[2] https://en.wikipedia.org/wiki/Transport_Layer_Security

[3] https://www.digicert.com/tls-ssl/tls-ssl-certificates#:~:text=Transport%20Layer%20Security%20(TLS)%20certificates,visiting%2C%20and%20the%20website%20server
