Also, I could not find any code that does hostname verification from the client side, which is described as something that should be done when using a raw SSLEngine. (I'm now obviously reading the JSSE docs :-)
BTW I'm asking these questions to verify that my understanding is correct, and as a basis for contributing to fix stuff in SSL support (if something is missing) since I find it an interesting topic. On Monday, February 10, 2014 6:09:55 PM UTC+1, Raymond Roestenburg wrote: > > Hi guys, > > I'm working on a pull request for adding SSL support to ReactiveMongo. > ReactiveMongo uses Netty and I remembered that akka-remote has a nice > NettySSLSupport, so I'm obviously borrowing stuff (not without copying in > the license and reference to Typesafe and akka of course!). Sadly I can't > reuse the NettySSLSupport class since it's private to akka. I got basic SSL > working this way, and I'm now looking into client certificates. > And that's where I'm getting a bit confused :-) > > In the docs I see: > > > 1. # This is the Java Key Store used by the client connection > 2. trust-store = "truststore" > > > The trust store is the keystore that you only keep trusted certificates > in, like cacerts (public certs that you trust) as far as I know. > > Is client-authentication (client-side certificates) supported? the client > certificates are normally not put in a truststore but in a separate > keystore, since (If I'm correct) SSL/TLS needs both your client certificate > and your client private key for the whole process. > It looks like the configured "key-store" value is only used on the server > side, so I would not be able to put client certificates there on the client > side? > Does this mean that, when I have Server A and B, that I need to put the > client certificates of A on B, and of B on A, in the file that key-store > refers to in the config? This is a bit confusing for me. The client should > present it's certificate when the server requests client-authentication. > > Also, I don't see code that uses setNeedClientAuth or setWantClientAuth, > or any way to configure it, so looks like you can't say that the server > wants or requires client certs. > Is that correct? > > Another thing that might be nice is to allow users to use SSL without > having to specify the exact location of the keystores and use the defaults > (which can work for SSL without client certificates, using the cacerts that > comes with the JDK, and using the default SecureRandom etc.). > > I haven't looked into SSL for a while so It's very possible I'm > misunderstanding. > > Cheers, > Ray > > > -- >>>>>>>>>> Read the docs: http://akka.io/docs/ >>>>>>>>>> Check the FAQ: http://akka.io/faq/ >>>>>>>>>> Search the archives: https://groups.google.com/group/akka-user --- You received this message because you are subscribed to the Google Groups "Akka User List" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/akka-user. For more options, visit https://groups.google.com/groups/opt_out.
