When setting up Dropwizard for Mutual TLS, is it possible to rely on the CA
roots that are installed on the server's version of Java, or do we need to
explicitly supply a truststore property to the configuration?
Here's my configuration today:
server:
  applicationConnectors:
    - type: https
      port: 8443
      # Key store settings
      keyStorePath: "{keystore-path}"
      keyStorePassword: "{keystore-secret}"
      certAlias: server-tls
      # Explicitly not setting trust store (rely on system)
      # Whether to require authentication by peer certificate.
      needClientAuth: true
      supportedProtocols: [ "TLSv1.3" ]
      allowRenegotiation: true
We have two root certificates installed on the server, the one that the
keystore was signed with and another one that we also trust. When I check
with keytool, I can see that both trust stores are present on the server.
The Java version is Azul Java 11.
keytool -list -cacerts
When we make a client request with a client certificate signed with the
same root as the server's keystore root, mutual TLS authentication
completes successfully. When we make a client request with a client
certificate signed with one of the roots that matches the server's cacerts,
but not the server's keystore root, mutual TLS quits with an error that
indicates that the certificate cannot be verified because it cannot find the
root chain.
Is this an error in my understanding? Should Dropwizard not rely on the
root certificate chains that are installed on the server?
Thank you,
Gad
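An added diagnostic, not part of the original post and not Dropwizard's or Jetty's own code, that separates the two trust sources the post contrasts: it validates one client certificate chain once with the server key store acting as the trust store and once with the JVM's default cacerts, using only JDK APIs. The key store path, its password and the PEM file holding the client chain are assumptions about the reader's deployment, passed as arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Usage: java TrustCheck <server-keystore> <keystore-password> <client-chain.pem>
// All three arguments are assumptions about the reader's deployment (hypothetical paths).
public class TrustCheck {

    // The JDK's PKIX trust manager built from the given store. Passing null makes
    // TrustManagerFactory fall back to the JVM default trust store (lib/security/cacerts).
    static X509TrustManager trustManagerFor(KeyStore store) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Runs the same client-certificate check the TLS handshake performs and reports the outcome.
    static String verdict(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkClientTrusted(chain, chain[0].getPublicKey().getAlgorithm());
            return "accepted";
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            keyStore.load(in, args[1].toCharArray());
        }
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(args[2])) {
            chain = CertificateFactory.getInstance("X.509")
                    .generateCertificates(in).toArray(new X509Certificate[0]);
        }
        // Same chain, two trust sources: this is the distinction the post describes.
        System.out.println("server key store as trust store: " + verdict(trustManagerFor(keyStore), chain));
        System.out.println("JVM default cacerts            : " + verdict(trustManagerFor(null), chain));
    }
}
```

Run it with the server's key store and the PEM chain of the client certificate that fails; a rejection from the key store together with an acceptance from cacerts reproduces the symptom described in the post and shows which trust source the connector is effectively using.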