What is the concept of a "truststore" other than a collection of trusted certificates? If you don't trust the certificate then don't put it in there... :-)
Colm.

On Fri, Feb 27, 2015 at 10:22 AM, Jose María Zaragoza <[email protected]> wrote:

> 2015-02-27 11:06 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> > No, if the certificate itself is in the truststore then it is deemed to be
> > trusted - the CA certificate does not need to be in there as well.
> >
> > Colm.
>
> Thanks.
> Is this the standard behaviour in JSSE?
> I think that all CAs in the chain should be validated, to be sure
> the certificate is signed by a trusted CA.
>
> > On Fri, Feb 27, 2015 at 7:37 AM, Jose María Zaragoza <[email protected]> wrote:
> >
> >> 2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> > I did a quick test using CXF's WebClient doing a "GET" on
> >> > https://www.google.com. It works fine when you don't specify any
> >> > TLSClientParameters as expected, as it picks up the default cacerts.
> >> > However, when I added the following it fails (also as expected):
> >> >
> >> > <http:conduit name="https://.*">
> >> >   <http:tlsClientParameters disableCNCheck="true">
> >> >     <sec:trustManagers>
> >> >       <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
> >> >     </sec:trustManagers>
> >> >   </http:tlsClientParameters>
> >> > </http:conduit>
> >> >
> >> > Colm.
> >>
> >> OK. That's right.
> >> But, if you import the Google certificate into clientstore.jks but you
> >> don't import its CA certificate (GeoTrust CA, in this case), should
> >> it fail?
> >> This is my question.
> >> I don't know what validation path JSSE follows.
> >>
> >> Regards
> >>
> >> > On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <[email protected]> wrote:
> >> >
> >> >> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <[email protected]>:
> >> >> > What I meant is that you do use a self signed cert to sign a previously
> >> >> > generated certificate but do not import this self signed cert into the
> >> >> > truststore, which would emulate the same situation you have now without
> >> >> > having to provide a test where well known providers sign a given server
> >> >> > certificate.
> >> >>
> >> >> OK
> >> >> I'll try it
> >> >>
> >> >> Thanks
> >> >>
> >> >> > Sergey
> >> >> >
> >> >> > On 26/02/15 18:51, Jose María Zaragoza wrote:
> >> >> >>
> >> >> >> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <[email protected]>:
> >> >> >>>
> >> >> >>> Hi
> >> >> >>>
> >> >> >>> I guess this is what Colm is implying, that the actual problem is that it
> >> >> >>> does work.
> >> >> >>> Can it be reproduced by a given server certificate with a self-signed
> >> >> >>> certificate validating it?
> >> >> >>
> >> >> >> Well, I don't have a testcase right now. I'll try to reproduce it.
> >> >> >>
> >> >> >> With a self signed certificate, the behaviour is also the same.
> >> >> >> But that makes sense (for me), because your CA is yourself, so you
> >> >> >> could trust it (if the certificate is imported into your keystore).
> >> >> >>
> >> >> >> Regards
> >> >> >>
> >> >> >>> Cheers, Sergey
> >> >> >>>
> >> >> >>> On 26/02/15 16:55, Jose María Zaragoza wrote:
> >> >> >>>>
> >> >> >>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> >> >>>>>
> >> >> >>>>> It does, but only if no truststore has been configured in CXF. Do you
> >> >> >>>>> have a test-case that reproduces this problem?
> >> >> >>>>
> >> >> >>>> Thanks, not really.
> >> >> >>>> Indeed, it's not a problem because my client works fine, but I cannot
> >> >> >>>> understand why. I only imported the server certificate, not the others
> >> >> >>>> in the chain.
> >> >> >>>>
> >> >> >>>> As I don't know how the underlying certificate validation is performed,
> >> >> >>>> I don't know if this behaviour is caused by default settings in CXF
> >> >> >>>> or by another reason.
> >> >> >>>>
> >> >> >>>> Regards
> >> >> >>>>
> >> >> >>>>> Colm.
> >> >> >>>>>
> >> >> >>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza <[email protected]> wrote:
> >> >> >>>>>>
> >> >> >>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> >> >>>>>>>
> >> >> >>>>>>> You are using "keyManagers" instead of "trustManagers" in the
> >> >> >>>>>>> configuration. "keyManagers" is used when you need to specify a key
> >> >> >>>>>>> for client authentication. "trustManagers" is used to verify trust in the
> >> >> >>>>>>> server's cert. As you have no "trustManagers" configuration here, I
> >> >> >>>>>>> guess it is falling back on the default JVM settings
> >> >> >>>>>>> (javax.net.ssl.trustStore)
> >> >> >>>>>>
> >> >> >>>>>> Sorry, it was a typo. I'm using trustManagers
> >> >> >>>>>>
> >> >> >>>>>> <sec:trustManagers>
> >> >> >>>>>>   <sec:keyStore type="JKS" password="*******" resource="truststore.jks"/>
> >> >> >>>>>> </sec:trustManagers>
> >> >> >>>>>> <sec:cipherSuitesFilter>
> >> >> >>>>>>
> >> >> >>>>>> Do you know if JSSE (I guess it's the underlying TLS implementation)
> >> >> >>>>>> uses the default JVM truststore for checking certificates?
> >> >> >>>>>>
> >> >> >>>>>> Thanks
> >> >> >>>>>>
> >> >> >>>>>>> Colm.
> >> >> >>>>>>>
> >> >> >>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza <[email protected]> wrote:
> >> >> >>>>>>>
> >> >> >>>>>>>> Hello:
> >> >> >>>>>>>>
> >> >> >>>>>>>> Maybe this question is a bit off topic, but I'm trying to understand why
> >> >> >>>>>>>> my client works.
> >> >> >>>>>>>>
> >> >> >>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL/TLS).
> >> >> >>>>>>>> These are my settings:
> >> >> >>>>>>>>
> >> >> >>>>>>>> <http-conf:conduit name="https://.*">
> >> >> >>>>>>>>   <http-conf:tlsClientParameters>
> >> >> >>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
> >> >> >>>>>>>>       <sec:keyStore type="JKS" password="xxxxxxxx" resource="truststore.jks"/>
> >> >> >>>>>>>>     </sec:keyManagers>
> >> >> >>>>>>>>
> >> >> >>>>>>>> I've imported the SSL server certificate into truststore.jks
> >> >> >>>>>>>> and it works fine.
> >> >> >>>>>>>>
> >> >> >>>>>>>> But this certificate is signed by a CA chain (from godaddy.com),
> >> >> >>>>>>>> and (I think) I haven't imported any certificate from godaddy.
> >> >> >>>>>>>> Why does my client trust the server certificate?
> >> >> >>>>>>>> Isn't some Certification Path Validation process performed?
> >> >> >>>>>>>>
> >> >> >>>>>>>> Thanks and regards
> >> >> >>>>>>>
> >> >> >>>>>>> --
> >> >> >>>>>>> Colm O hEigeartaigh
> >> >> >>>>>>>
> >> >> >>>>>>> Talend Community Coder
> >> >> >>>>>>> http://coders.talend.com
> >> >> >>>
> >> >> >>> --
> >> >> >>> Sergey Beryozkin
> >> >> >>>
> >> >> >>> Talend Community Coders
> >> >> >>> http://coders.talend.com/
> >> >> >>>
> >> >> >>> Blog: http://sberyozkin.blogspot.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
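To check which truststore entry a given server chain actually terminates at, here is an added example (not from the thread, CXF or JSSE itself) that applies the rule Colm describes: the chain is cut at the first certificate that is itself a trust anchor, so a leaf imported directly is accepted without its CA being present. It assumes a JKS truststore path, its password and a PEM file holding the server chain (leaf first) as arguments; the class name and the cut-at-first-anchor loop are this example's own approximation of the JSSE behaviour.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example: reports which truststore entry ends the server's chain.
// Assumes args: <truststore.jks> <password> <server-chain.pem> (leaf first).
public class TrustAnchorCheck {
    public static void main(String[] args) throws Exception {
        String storePath = args[0], storePass = args[1], chainPem = args[2];
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(storePath)) {
            ts.load(in, storePass.toCharArray());
        }
        // PKIXParameters(KeyStore) turns every trusted-certificate entry into a trust anchor,
        // which is also what the default JSSE trust manager does with a truststore.
        PKIXParameters params = new PKIXParameters(ts);
        params.setRevocationEnabled(false); // keeps the example offline; enable in production
        Set<X509Certificate> anchors = new HashSet<>();
        for (TrustAnchor ta : params.getTrustAnchors()) anchors.add(ta.getTrustedCert());

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(chainPem)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }

        // Cut the chain at the first certificate that is itself a trust anchor (JSSE's rule):
        // everything before it must chain to it; the anchor itself is trusted as-is.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (anchors.contains(c)) break;
            path.add(c);
        }

        if (path.isEmpty()) {
            // The leaf is in the truststore: accepted directly, no CA needed.
            System.out.println("Leaf is a trust anchor: " + chain.get(0).getSubjectX500Principal());
            System.out.println("This pins one certificate; the client breaks when the server renews it.");
            return;
        }
        // Otherwise run PKIX path validation; the anchor may come from the chain or the store.
        CertPath cp = cf.generateCertPath(path);
        PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(cp, params);
        System.out.println("Path valid; trust anchor: "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

Run against a truststore that contains only the server certificate and the output names the leaf itself as the anchor, which is why the client in the thread worked; the same truststore stops working the next time the server's certificate is renewed, whereas a truststore holding the CA trusts every certificate that CA issues.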
