From 401979854eb86c534a24e95c47774e9e8f900bdf Mon Sep 17 00:00:00 2001 From: Markus Winter Date: Wed, 6 Dec 2023 03:06:08 +0100 Subject: [PATCH] optional client certificate (#354) * optional client certificate fix #353 --------- Co-authored-by: Olivier Lamy --- .../AbstractSecuredConnectorFactory.java | 23 +++++++++++-------- src/main/java/winstone/cmdline/Option.java | 2 +- .../winstone/LocalStrings.properties | 2 ++ 3 files changed, 16 insertions(+), 11 deletions(-) diff --git a/src/main/java/winstone/AbstractSecuredConnectorFactory.java b/src/main/java/winstone/AbstractSecuredConnectorFactory.java index ae89587b..08fea469 100644 --- a/src/main/java/winstone/AbstractSecuredConnectorFactory.java +++ b/src/main/java/winstone/AbstractSecuredConnectorFactory.java @@ -7,6 +7,7 @@ package winstone; +import java.util.Locale; import org.eclipse.jetty.server.Server; import org.eclipse.jetty.util.ssl.SslContextFactory; import winstone.cmdline.Option; @@ -118,16 +119,18 @@ protected SslContextFactory.Server getSSLContext( Map args) { "HttpsListener.ExcludeCiphers", // Arrays.asList(ssl.getExcludeCipherSuites())); - /* - * If true, request the client certificate ala "SSLVerifyClient require" Apache directive. - * If false, which is the default, don't do so. - * Technically speaking, there's the equivalent of "SSLVerifyClient optional", but IE doesn't - * recognize it and it always prompt the certificate chooser dialog box, so in practice - * it's useless. - *

- * See http://hudson.361315.n4.nabble.com/winstone-container-and-ssl-td383501.html for this failure mode in IE.
- */
- ssl.setNeedClientAuth(Option.HTTPS_VERIFY_CLIENT.get(args));
+ switch (Option.HTTPS_VERIFY_CLIENT.get(args).toLowerCase(Locale.ROOT)) {
+ case "yes":
+ case "true":
+ ssl.setNeedClientAuth(true);
+ break;
+ case "optional":
+ ssl.setWantClientAuth(true);
+ break;
+ default:
+ ssl.setNeedClientAuth(false);
+ break;
+ }
 return ssl;
 } catch (Throwable err) {
 throw new WinstoneException(SSL_RESOURCES
diff --git a/src/main/java/winstone/cmdline/Option.java b/src/main/java/winstone/cmdline/Option.java
index c859396a..4aaa8f8e 100644
--- a/src/main/java/winstone/cmdline/Option.java
+++ b/src/main/java/winstone/cmdline/Option.java
@@ -69,7 +69,7 @@ public static List> all(Class clazz) {
 public static final OString HTTPS_KEY_STORE_PASSWORD=string("httpsKeyStorePassword");
 public static final OString HTTPS_PRIVATE_KEY_PASSWORD=string("httpsPrivateKeyPassword");
 public static final OString HTTPS_KEY_MANAGER_TYPE=string("httpsKeyManagerType","SunX509");
- public static final OBoolean HTTPS_VERIFY_CLIENT=bool("httpsVerifyClient",false);
+ public static final OString HTTPS_VERIFY_CLIENT=string("httpsVerifyClient","false");
 public static final OString HTTPS_CERTIFICATE_ALIAS=string("httpsCertificateAlias");
 public static final OString HTTPS_EXCLUDE_PROTOCOLS=string("excludeProtocols", "SSL, SSLv2, SSLv2Hello, SSLv3");
 public static final OString HTTPS_EXCLUDE_CIPHER_SUITES=string("excludeCipherSuites");
diff --git a/src/main/resources/winstone/LocalStrings.properties b/src/main/resources/winstone/LocalStrings.properties
index b277a53a..e67d4543 100644
--- a/src/main/resources/winstone/LocalStrings.properties
+++ b/src/main/resources/winstone/LocalStrings.properties 
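Review bot: The `default` branch of the new switch fails open — any value other than yes/true/optional (a typo such as `required`, or `true ` with trailing whitespace, since the value is lower-cased but not trimmed) silently calls `ssl.setNeedClientAuth(false)`, which is the opposite of what an operator who bothered to set `--httpsVerifyClient` intended. Since the option now has the explicit default "false" in Option.java, the switch can treat "false"/"no" as the explicit off case and reject everything else: `default: throw new WinstoneException("Unrecognized value for --httpsVerifyClient: " + Option.HTTPS_VERIFY_CLIENT.get(args));`, and `.trim().toLowerCase(Locale.ROOT)` before the switch covers the whitespace case. The commit also drops the comment explaining what the setting does; a short replacement such as `// true/yes: require a client certificate; optional: request but do not require one; false: no client auth` keeps the three modes self-documenting at the point they are applied. The enclosing try block and getSSLContext begin before this hunk, and the throw on the last line continues past it.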
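Review bot: HTTPS_VERIFY_CLIENT is now a free-form string whose accepted values are only visible in the switch in AbstractSecuredConnectorFactory and in the usage text, so a reader of Option.java cannot tell that a value like `required` is not recognized. A one-line comment on the constant, `// accepted values (case-insensitive): true, yes, optional, false`, would make the contract visible where the option is declared. If OBoolean previously allowed the bare `--httpsVerifyClient` form without a value, the switch to OString may change how that form parses; worth confirming against the option parser, which is outside this hunk.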
@@ -78,6 +78,8 @@ Launcher.UsageInstructions.Options=\
 \ --httpsSniHostCheck = if the SNI Host name must match when there is an SNI certificate. Check disabled per default\n\
 \ --httpsSniRequired = if a SNI certificate is required. Disabled per default\n\
 \ --http2ListenAddress = set the http2 listening address. Default is all interfaces\n\
+\ --httpsVerifyClient = if the client needs a certificate. Can be true (clients always needs a certificate),\n\
+\ optional or false.\n\
 \ --excludeProtocols = set protocol versions to exclude. (comma separated list, use blank quote " " to exclude none)\n\
 \ (default is "SSL", "SSLv2", "SSLv2Hello", "SSLv3")\n\
 \ --excludeCipherSuites = set the ciphers to exclude (comma separated, use blank quote " " to exclude none) (default is\n\