Also accept FAILED SSL verify header (for self signed).
sbusk committed Jun 22, 2020
1 parent 9ffb842 commit 5381762
Showing 1 changed file with 10 additions and 2 deletions.
Expand Up @@ -26,14 +26,22 @@ public static Optional<X509CertificateWrapper> getClientCertificate(final HttpSe
return Optional.empty();
}

final String sslClientVerify = request.getHeader(HEADER_SSL_CLIENT_VERIFY);
if (!"GENEROUS".equals(sslClientVerify) && !"SUCCESS".equals(sslClientVerify)) {
if (!hasAcceptableVerifyHeader(request)) {
return Optional.empty();
}

return getX509Certificate(sslClientCert, dateTimeProvider);
}

private static boolean hasAcceptableVerifyHeader(final HttpServletRequest request) {
final String sslClientVerify = request.getHeader(HEADER_SSL_CLIENT_VERIFY);

return StringUtils.isNotEmpty(sslClientVerify) &&
("GENEROUS".equals(sslClientVerify) ||
"SUCCESS".equals(sslClientVerify) ||
sslClientVerify.startsWith("FAILED"));
}

private static Optional<X509CertificateWrapper> getX509Certificate(final String certificate,
final DateTimeProvider dateTimeProvider) {
String fingerprint;
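Review bot: `sslClientVerify.startsWith("FAILED")` in `hasAcceptableVerifyHeader` accepts every verification failure the TLS terminator reports, not only the self-signed case named in the commit title; an expired or otherwise rejected certificate would presumably also arrive with a `FAILED:` value and now pass this gate. Consider matching the specific reason instead, e.g. `"FAILED:self signed certificate".equals(sslClientVerify)`, or checking against a small constant set of accepted reasons, and add a comment on the method explaining why a failed verification is acceptable here. Because chain validation is effectively skipped for these requests, whatever consumes the returned certificate has to bind it to a pinned fingerprint or key rather than to its subject or issuer. That code, and the place where the proxy overwrites any client-supplied copy of this header, are not visible in the hunk, so both should be confirmed. `getX509Certificate` continues past the end of the hunk.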

1 comment on commit 5381762

@eshryane
Member


Looks good to me. We have to also allow FAILED for "FAILED:self signed certificate" case.
