jenkinsci · olamy · Dec 6, 2023 · Nov 10, 2023 · Nov 10, 2023 · Nov 10, 2023
diff --git a/src/main/java/winstone/AbstractSecuredConnectorFactory.java b/src/main/java/winstone/AbstractSecuredConnectorFactory.java
@@ -7,6 +7,7 @@
 
 package winstone;
 
+import java.util.Locale;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import winstone.cmdline.Option;
@@ -118,16 +119,17 @@
                         "HttpsListener.ExcludeCiphers", //
                         Arrays.asList(ssl.getExcludeCipherSuites()));
 
-            /*
-             * If true, request the client certificate ala "SSLVerifyClient require" Apache directive.
-             * If false, which is the default, don't do so.
-             * Technically speaking, there's the equivalent of "SSLVerifyClient optional", but IE doesn't
-             * recognize it and it always prompt the certificate chooser dialog box, so in practice
-             * it's useless.
-             * <p>
-             * See http://hudson.361315.n4.nabble.com/winstone-container-and-ssl-td383501.html for this failure mode in IE.
-             */
-            ssl.setNeedClientAuth(Option.HTTPS_VERIFY_CLIENT.get(args));
+            switch (Option.HTTPS_VERIFY_CLIENT.get(args).toLowerCase(Locale.ROOT)) {
+                case "yes":
+                case "true":
+                    ssl.setNeedClientAuth(true);
+                    break;
+                case "optional":
+                    ssl.setWantClientAuth(true);
+                    break;
+                default:
+                    break;
+            }
             return ssl;
         } catch (Throwable err) {
             throw new WinstoneException(SSL_RESOURCES

diff --git a/src/main/java/winstone/cmdline/Option.java b/src/main/java/winstone/cmdline/Option.java
@@ -69,7 +69,7 @@ public static List<Option<?>> all(Class<?> clazz) {
     public static final OString HTTPS_KEY_STORE_PASSWORD=string("httpsKeyStorePassword");
     public static final OString HTTPS_PRIVATE_KEY_PASSWORD=string("httpsPrivateKeyPassword");
     public static final OString HTTPS_KEY_MANAGER_TYPE=string("httpsKeyManagerType","SunX509");
-    public static final OBoolean HTTPS_VERIFY_CLIENT=bool("httpsVerifyClient",false);
+    public static final OString HTTPS_VERIFY_CLIENT=string("httpsVerifyClient","false");
     public static final OString HTTPS_CERTIFICATE_ALIAS=string("httpsCertificateAlias");
     public static final OString HTTPS_EXCLUDE_PROTOCOLS=string("excludeProtocols", "SSL, SSLv2, SSLv2Hello, SSLv3");
     public static final OString HTTPS_EXCLUDE_CIPHER_SUITES=string("excludeCipherSuites");