2015-02-27 11:06 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> No, if the certificate itself is in the truststore then it is deemed to be
> trusted - the CA certificate does not need to be in there as well.
>
> Colm.


Thanks.
Is this the standard behaviour in JSSE?
I think that all the CAs in the chain should be validated, to be sure
the certificate is signed by a trusted CA.


>
> On Fri, Feb 27, 2015 at 7:37 AM, Jose María Zaragoza <[email protected]>
> wrote:
>
>> 2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>> > I did a quick test using CXF's WebClient doing a "GET" on
>> > https://www.google.com. It works fine when you don't specify any
>> > TLSClientParameters as expected, as it picks up the default cacerts.
>> > However, when I added the following it fails (also as expected):
>> >
>> >  <http:conduit name="https://.*">
>> >       <http:tlsClientParameters disableCNCheck="true">
>> >         <sec:trustManagers>
>> >           <sec:keyStore type="jks" password="cspass"
>> > resource="clientstore.jks"/>
>> >         </sec:trustManagers>
>> >       </http:tlsClientParameters>
>> >    </http:conduit>
>> >
>> > Colm.
>>
>> OK. That's right.
>> But, if you import the Google certificate into clientstore.jks but you
>> don't import its CA certificate (GeoTrust CA, in this case), should
>> it fail? This is my question.
>> I don't know what validation path JSSE follows.
>>
>> Regards
>>
>>
>>
>> >
>> > On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <
>> [email protected]>
>> > wrote:
>> >
>> >> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <[email protected]>:
>> >> > What I meant is that you do use a self signed cert to sign a previously
>> >> > generated certificate but do not import this self signed cert into the
>> >> > truststore which would emulate the same situation you have now without
>> >> > having to provide a test where well known providers sign a given server
>> >> > certificate.
>> >>
>> >> OK
>> >> I'll try it
>> >>
>> >> Thanks
>> >>
>> >> >
>> >> > Sergey
>> >> >
>> >> >
>> >> >
>> >> > On 26/02/15 18:51, Jose María Zaragoza wrote:
>> >> >>
>> >> >> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <[email protected]>:
>> >> >>>
>> >> >>> Hi
>> >> >>>
>> >> >>> I guess this is what Colm is implying, that the actual problem is that
>> >> >>> it does work.
>> >> >>> Can it be reproduced by a given server certificate with a self-signed
>> >> >>> certificate validating it?
>> >> >>
>> >> >>
>> >> >>
>> >> >> Well, I don't have a testcase right now. I'll try to reproduce it.
>> >> >>
>> >> >> With a self-signed certificate, the behaviour is also the same.
>> >> >> But that makes sense (for me), because your CA is yourself, so you
>> >> >> could trust it (if the certificate is imported into your keystore).
>> >> >>
>> >> >> Regards
>> >> >>
>> >> >>
>> >> >>>
>> >> >>> Cheers, Sergey
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> On 26/02/15 16:55, Jose María Zaragoza wrote:
>> >> >>>>
>> >> >>>>
>> >> >>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <
>> [email protected]>:
>> >> >>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> It does, but only if no truststore has been configured in CXF. Do you
>> >> >>>>> have a test-case that reproduces this problem?
>> >> >>>>
>> >> >>>>
>> >> >>>>
>> >> >>>>
>> >> >>>> Thanks, not really.
>> >> >>>> Indeed, it's not a problem because my client works fine, but I cannot
>> >> >>>> understand why. I only imported the server certificate, not the others
>> >> >>>> in the chain.
>> >> >>>>
>> >> >>>> As I don't know how the underlying certificate validation is performed,
>> >> >>>> I don't know if this behaviour is caused by default settings in CXF
>> >> >>>> or another reason.
>> >> >>>>
>> >> >>>> Regards
>> >> >>>>
>> >> >>>>
>> >> >>>>>
>> >> >>>>> Colm.
>> >> >>>>>
>> >> >>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza
>> >> >>>>> <[email protected]>
>> >> >>>>> wrote:
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <
>> [email protected]
>> >> >:
>> >> >>>>>>>
>> >> >>>>>>>
>> >> >>>>>>> You are using "keyManagers" instead of "trustManagers" in the
>> >> >>>>>>> configuration. "keyManagers" is used when you need to specify a key
>> >> >>>>>>> for client authentication. "trustManagers" is used to verify trust
>> >> >>>>>>> in the server's cert. As you have no "trustManagers" configuration
>> >> >>>>>>> here, I guess it is falling back on the default JVM settings
>> >> >>>>>>> (javax.net.ssl.trustStore)
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>> Sorry, it was a typo. I'm using trustManagers:
>> >> >>>>>>
>> >> >>>>>> <sec:trustManagers>
>> >> >>>>>>     <sec:keyStore type="JKS" password="*******"
>> >> >>>>>>                   resource="truststore.jks"/>
>> >> >>>>>> </sec:trustManagers>
>> >> >>>>>> <sec:cipherSuitesFilter>
>> >> >>>>>>
>> >> >>>>>> Do you know if JSSE (I guess it's the underlying TLS implementation)
>> >> >>>>>> uses the default JVM truststore for checking certificates?
>> >> >>>>>>
>> >> >>>>>> Thanks
>> >> >>>>>>
>> >> >>>>>>>
>> >> >>>>>>> Colm.
>> >> >>>>>>>
>> >> >>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
>> >> >>>>>>> <[email protected]>
>> >> >>>>>>> wrote:
>> >> >>>>>>>
>> >> >>>>>>>> Hello:
>> >> >>>>>>>>
>> >> >>>>>>>> Maybe this question is a bit off topic, but I am trying to understand
>> >> >>>>>>>> why my client works.
>> >> >>>>>>>>
>> >> >>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL/TLS).
>> >> >>>>>>>> These are my settings:
>> >> >>>>>>>>
>> >> >>>>>>>> <http-conf:conduit name="https://.*">
>> >> >>>>>>>>     <http-conf:tlsClientParameters>
>> >> >>>>>>>>         <sec:keyManagers keyPassword="xxxxxxxx">
>> >> >>>>>>>>             <sec:keyStore type="JKS" password="xxxxxxxx"
>> >> >>>>>>>>                           resource="truststore.jks"/>
>> >> >>>>>>>>         </sec:keyManagers>
>> >> >>>>>>>>
>> >> >>>>>>>> I've imported the SSL server certificate into truststore.jks,
>> >> >>>>>>>> and it works fine.
>> >> >>>>>>>>
>> >> >>>>>>>> But this certificate is signed by a CA chain (from godaddy.com),
>> >> >>>>>>>> and (I think) I have not imported any certificate from GoDaddy.
>> >> >>>>>>>> Why does my client trust the server certificate?
>> >> >>>>>>>> Is no Certification Path Validation process performed?
>> >> >>>>>>>>
>> >> >>>>>>>> Thanks and regards
>> >> >>>>>>>>
>> >> >>>>>>>
>> >> >>>>>>>
>> >> >>>>>>>
>> >> >>>>>>> --
>> >> >>>>>>> Colm O hEigeartaigh
>> >> >>>>>>>
>> >> >>>>>>> Talend Community Coder
>> >> >>>>>>> http://coders.talend.com
>> >> >>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> --
>> >> >>>>> Colm O hEigeartaigh
>> >> >>>>>
>> >> >>>>> Talend Community Coder
>> >> >>>>> http://coders.talend.com
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> --
>> >> >>> Sergey Beryozkin
>> >> >>>
>> >> >>> Talend Community Coders
>> >> >>> http://coders.talend.com/
>> >> >>>
>> >> >>> Blog: http://sberyozkin.blogspot.com
>> >> >
>> >> >
>> >>
>> >
>> >
>> >
>> > --
>> > Colm O hEigeartaigh
>> >
>> > Talend Community Coder
>> > http://coders.talend.com
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

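As an added example, not code from this thread, from CXF or from JSSE, the following Go program reproduces the situation the thread discusses: it generates a throwaway CA and a server certificate signed by it, then verifies the server certificate against three different trust stores. Go's crypto/x509 verifier applies the same rule Colm describes for JSSE: a certificate that is itself present in the trust store is accepted as a trust anchor on its own, so no issuer lookup and no chain validation takes place (the accepted chain has length 1); only when the CA rather than the leaf is in the store is the chain actually built and checked (length 2), and with neither present verification fails. The host name, subject names and keys are constructed in memory for the example, and NonCAEntries is a hypothetical audit helper that flags end-entity certificates sitting in a trust store, which is the thing to look for when a client "works" although no CA was ever imported.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ServerName is the constructed host name the leaf certificate is issued for.
const ServerName = "service.example.test"

// Fixture holds a throwaway CA and the server certificate it signed.
type Fixture struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// newCert generates a fresh P-256 key and issues tmpl from parent; when parent
// is nil the certificate is self-signed with its own key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// BuildFixture creates the constructed CA and a server (end-entity) certificate.
func BuildFixture() (*Fixture, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	ca, caKey, err := newCert(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: ServerName},
		DNSNames:              []string{ServerName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // IsCA stays false: an end-entity certificate
	}
	leaf, _, err := newCert(leafTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &Fixture{CA: ca, Leaf: leaf}, nil
}

// ChainLength verifies leaf for host against roots and returns the number of
// certificates in the accepted chain: 1 means the leaf itself was the trust
// anchor and no issuer was consulted; 0 and an error means it was rejected.
func ChainLength(leaf *x509.Certificate, roots *x509.CertPool, host string) (int, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// NonCAEntries (hypothetical audit helper) returns the subjects of trust-store
// entries that are not CA certificates. Such entries are pinned leaves: they
// are trusted as-is, nothing about their issuer is checked, and the client
// breaks the day the server rotates its certificate.
func NonCAEntries(entries []*x509.Certificate) []string {
	var out []string
	for _, c := range entries {
		if !(c.BasicConstraintsValid && c.IsCA) {
			out = append(out, c.Subject.String())
		}
	}
	return out
}

func main() {
	f, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name    string
		entries []*x509.Certificate
	}{
		{"leaf only (as in the thread)", []*x509.Certificate{f.Leaf}},
		{"CA only (chain is validated)", []*x509.Certificate{f.CA}},
		{"empty store", nil},
	}
	for _, tc := range cases {
		pool := x509.NewCertPool()
		for _, c := range tc.entries {
			pool.AddCert(c)
		}
		n, err := ChainLength(f.Leaf, pool, ServerName)
		fmt.Printf("%-30s chain=%d err=%v pinned-leaves=%v\n", tc.name, n, err, NonCAEntries(tc.entries))
	}
}
```

The first case is the configuration from the thread: only the server certificate is in the store, and verification succeeds with a one-element chain, so the issuer is never examined. Putting the CA in the store instead makes the verifier build and check the full path, and a store containing neither rejects the connection, which is what one would expect a trust store with a missing CA to do.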