[
https://issues.apache.org/jira/browse/DERBY-2803?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bernt M. Johnsen resolved DERBY-2803.
-------------------------------------
Resolution: Fixed
Committed revision 551080 on trunk
Committed revision 551084 on 10.3 branch
> SSL certificate authentication succeeds unexpectedly
> ----------------------------------------------------
>
> Key: DERBY-2803
> URL: https://issues.apache.org/jira/browse/DERBY-2803
> Project: Derby
> Issue Type: Bug
> Components: Documentation, Security
> Affects Versions: 10.3.0.0
> Reporter: Rick Hillegas
> Assignee: Bernt M. Johnsen
> Fix For: 10.3.1.1, 10.4.0.0
>
> Attachments: DERBY-2803-v2.diff, DERBY-2803-v2.stat,
> DERBY-2803-v2.zip, DERBY-2803-v2.zip, DERBY-2803-v3.diff, DERBY-2803-v3.stat,
> DERBY-2803.diff, DERBY-2803.stat, DERBY-2803.zip
>
>
> The following bug report may simply be pilot error. I confess that I am
> having a hard time understanding the user documentation for this feature. The
> user documentation is found in the Derby Admin guide in the section titled
> "SSL/TLS". My confusion arises from the fact that sometimes the documentation
> talks about 3 SSL states (none, basic, peer) and sometimes the documentation
> talks about 4 SSL states (none, basic, client certificate, server
> certificate).
> I tried running an experiment in which the server was set up for "Basic SSL
> encryption":
> 1) I successfully connected to the server when the client was set up for
> "Basic SSL encryption". This I expected, so good.
> 2) I also successfully connected to the server when the client was set up for
> "peer (server) authentication". This confused me because the client url was
> requesting peer authentication but the server was booted with just basic ssl
> authentication. That is, the client url requested "ssl=peerAuthentication"
> but the server startup line requested "ssl=basic". I was surprised that the
> two sides of the connection didn't have to agree on how much authentication
> was going to be done.
> 3) I also successfully connected to the server when the client was set up for
> "peer authentication on both sides". This really confused me: It seemed to me
> that there were 2 certificates involved, but the server, via its startup
> properties, should only have been aware of one of these certificates, viz.,
> the certificate identified by the javax.net.ssl.keyStore properties.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
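The three observations in the report are what plain TLS predicts: each side's setting governs only the checks that side performs. A client asking for peer authentication verifies the server's certificate against the client's own trust store, and that works whether or not the server demands anything of the client; a server in basic mode never requests a client certificate, so a second certificate configured on the client is simply never sent, which is why the server "only knew about one" certificate in experiment 3. The following Go program is an added illustration of that asymmetry at the crypto/tls level, not Derby code: the mapping of "basic" to encryption without verification (InsecureSkipVerify on the client, tls.NoClientCert on the server) and of "peer" to verification against a trust store is this example's own modelling of the modes the report describes, and the self-signed certificates and names (derby-server, derby-client) are constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Mode stands in for one side's ssl setting: Basic encrypts only, Peer also verifies the other side's certificate.
type Mode int

const (
	Basic Mode = iota
	Peer
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned returns a throwaway self-signed certificate for 127.0.0.1 (constructed test material, not a real key store).
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one TLS handshake over loopback and reports whether BOTH sides completed it.
// Only serverMode decides whether a client certificate is demanded; only clientMode decides whether the server certificate is checked.
func handshake(serverMode, clientMode Mode, clientHasCert bool) bool {
	serverCert := selfSigned("derby-server")
	clientCert := selfSigned("derby-client")
	// Server side: Basic never requests a client certificate; Peer requires one that verifies against its trust store.
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(clientCert.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: clientCAs}
	if serverMode == Peer {
		srvCfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	// Client side: Basic accepts any server certificate (encryption, no authentication); Peer verifies it against its trust store.
	rootCAs := x509.NewCertPool()
	rootCAs.AddCert(serverCert.Leaf)
	cliCfg := &tls.Config{ServerName: "127.0.0.1", InsecureSkipVerify: clientMode == Basic, RootCAs: rootCAs}
	if clientHasCert {
		cliCfg.Certificates = []tls.Certificate{clientCert}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	serverDone := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = tls.Server(c, srvCfg).Handshake()
		}
		serverDone <- err
	}()
	conn, clientErr := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if clientErr == nil {
		conn.Close()
	}
	// Under TLS 1.3 the client can finish before the server rejects a missing client certificate, so the server's verdict is checked too.
	return clientErr == nil && <-serverDone == nil
}

func main() {
	fmt.Println("basic server, basic client:        ", handshake(Basic, Basic, false))
	fmt.Println("basic server, peer client:         ", handshake(Basic, Peer, false))
	fmt.Println("basic server, peer client + cert:  ", handshake(Basic, Peer, true))
	fmt.Println("peer server, peer client, no cert: ", handshake(Peer, Peer, false))
	fmt.Println("peer server, peer client + cert:   ", handshake(Peer, Peer, true))
}
```

The first three lines of output are the reporter's experiments 1 to 3 and all connect; the fourth is the control the report did not run, a server that itself requires peer authentication, which is the only configuration in which the client's certificate is ever examined and the only one that fails when it is missing. Note that the client's "basic" setting accepts whatever certificate the server presents, so it provides confidentiality against passive eavesdropping but no protection against an active attacker impersonating the server; only the client-side peer setting gives that.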