I'm trying to make a ssl webserver with jetty, but I do not want to provide the server certificate if any client tries to connect. On normal cases anybody can download the server certificate, trust and connect to the server. But I would like to install the server certificate manuelly on my client to be sure, that only my client has that cert and can connect to my server.
Is that possible? I didn't find anything around the web related to Jetty.
I'm playing with some example code and my truststore. Nothing special.
final Server server = new Server();
server.setHandler(new HelloWorld());
final HttpConfiguration httpConfiguration = new HttpConfiguration();
httpConfiguration.setSecureScheme("https");
httpConfiguration.setSecurePort(8085);
final ServerConnector http = new ServerConnector(server,
new HttpConnectionFactory(httpConfiguration));
http.setPort(8081);
server.addConnector(http);
final SslContextFactory sslContextFactory = new SslContextFactory("mykey.jks");
sslContextFactory.setKeyStorePassword("tester");
sslContextFactory.setNeedClientAuth(true);
final HttpConfiguration httpsConfiguration = new HttpConfiguration(httpConfiguration);
httpsConfiguration.addCustomizer(new SecureRequestCustomizer());
final ServerConnector httpsConnector = new ServerConnector(server,
new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
new HttpConnectionFactory(httpsConfiguration));
httpsConnector.setPort(8085);
server.addConnector(httpsConnector);
server.start();
server.join();
I know, that's a special usecase. If there is a better solution, let me know (and no, login session is no option for me). It has to be as simple as it is possible.
Instead of attempting security though obscurity you should implement Two Way SSL. You can take a look at 2-Way SSL with Java: The Keystore Strikes Back article.
The client can always blindly trust or ignore any certificate presented by the server. As long as someone knows the server address they will be able to make a request.