On Mon, 2011-03-07 at 09:02 -0800, am am wrote:
> I have a question relating to httpclient and ssl connections.
> I have no problem connecting to tomcat for server authentication using
> apache httpclient (tomcat is sending back a self-signed certificate, i.e.
> not trusted by java by default).
> Actually I have configured ssl to use my own trustmanager in order to use
> my custom truststore and not java's default. The code is as follows:
>
>
> import java.io.File;
> import java.io.FileInputStream;
> import java.security.KeyStore;
> import javax.net.ssl.SSLContext;
> import javax.net.ssl.TrustManagerFactory;
> import org.apache.http.HttpResponse;
> import org.apache.http.client.HttpClient;
> import org.apache.http.client.methods.HttpGet;
> import org.apache.http.conn.scheme.Scheme;
> import org.apache.http.conn.ssl.SSLSocketFactory;
> import org.apache.http.impl.client.DefaultHttpClient;
>
> HttpClient client = new DefaultHttpClient();
> SSLContext sslContext = SSLContext.getInstance("TLS");
>
> // Trust managers built from the custom truststore only.
> TrustManagerFactory tmf =
> TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> KeyStore ks = KeyStore.getInstance("JKS");
> File trustFile = new File("clientTrustStore.jks");
> ks.load(new FileInputStream(trustFile), null); // null: skip integrity check
> tmf.init(ks);
> // No key manager (no client auth), default SecureRandom.
> sslContext.init(null, tmf.getTrustManagers(), null);
> SSLSocketFactory sf = new SSLSocketFactory(sslContext);
> // Disables hostname matching; only acceptable for this localhost test setup.
> sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
> Scheme scheme = new Scheme("https", sf, 443);
> client.getConnectionManager().getSchemeRegistry().register(scheme);
> HttpGet httpGet = new HttpGet("https://localhost:8443/myApp");
> HttpResponse httpResponse = client.execute(httpGet);
> Ok so far.
> I enabled java debugging for ssl:
>
> System.setProperty("javax.net.debug", "ssl");
>
> to see what is going on, and I noticed that both my "clientTrustStore.jks"
> as well as cacerts (java's default) are being used (this is what shows from
> debug info).
>
> My question is why is this happening? I was expecting that only my
> trust-store would be used. Am I doing something wrong in the configuration?
> Sample debugging traces:
>
> ***
> adding as trusted cert:
> Subject: CN=Me, OU=MyHouse, O=Home, L=X, ST=X, C=BB
> Issuer: CN=Me, OU=MyHouse, O=Home, L=X, ST=X, C=BB
> Algorithm: RSA; Serial number: 0x4d72356b
> Valid from Sat Mar 05 15:06:51 EET 2011 until Fri Jun 03 16:06:51 EEST 2011
> This is my self-signed certificate expected to be sent by tomcat during
> SSL handshake
>
> trigger seeding of SecureRandom
> done seeding SecureRandom
>
> trustStore is: C:\Program Files\Java\jre6\lib\security\cacerts
> trustStore type is : jks
> trustStore provider is :
> init truststore
> adding as trusted cert:
> Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
> Issuer: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
> Algorithm: RSA; Serial number: 0x4eb200670c035d4f
> Valid from Wed Oct 25 11:36:00 EEST 2006 until Sat Oct 25 11:36:00 EEST 2036
>
> adding as trusted cert:
> Subject: [email protected], CN=http://www.valicert.com/,
> OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.",
> L=ValiCert
> Validation Network
> Issuer: [email protected], CN=http://www.valicert.com/,
> OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.",
> L=ValiCert
> Validation Network
> Algorithm: RSA; Serial number: 0x1
> Valid from Sat Jun 26 01:23:48 EEST 1999 until Wed Jun 26 01:23:48 EEST 2019
>
>
>
I am seeing exactly the same behavior when using a custom trust store
containing just one trusted certificate. For some reason JSSE classes
also parse the default trust store. However, the client appears to trust
only those servers whose certificate chain contains the trusted
certificate explicitly passed to the SSLContext#init method. For
instance, certificates presented by www.verisign.com are rejected as
untrusted.
Oleg
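An added check (not code from the thread) that makes the observation above visible without any network connection: it builds the trust manager the same way the post does, lists which issuers it accepts, then asks it about a root taken from the JRE's default cacerts. It assumes clientTrustStore.jks from the post is in the working directory and that cacerts sits under java.home at the lib/security path shown in the trace.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {

    // Builds the JSSE X509TrustManager for one keystore file, as in the post.
    static X509TrustManager trustManagerFor(String path, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, null); // null password: read without integrity check
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager for " + path);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the truststore from the post, in the working directory.
        X509TrustManager custom = trustManagerFor("clientTrustStore.jks", "JKS");
        System.out.println("Issuers accepted by the custom truststore:");
        for (X509Certificate c : custom.getAcceptedIssuers()) {
            System.out.println("  " + c.getSubjectX500Principal());
        }

        // Assumption: default cacerts at the path the debug trace shows.
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        X509TrustManager dflt = trustManagerFor(cacerts, KeyStore.getDefaultType());
        X509Certificate[] chain = { dflt.getAcceptedIssuers()[0] };
        try {
            custom.checkServerTrusted(chain, "RSA");
            System.out.println("UNEXPECTED: cacerts root accepted by custom truststore");
        } catch (CertificateException e) {
            System.out.println("OK, rejected by custom truststore: "
                + chain[0].getSubjectX500Principal() + " (" + e.getMessage() + ")");
        }
    }
}
```

The accepted-issuer list should contain only the self-signed certificate from the post, and the cacerts root should end in the CertificateException branch, even though javax.net.debug shows cacerts being parsed.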