2015-02-27 11:28 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> What is the concept of a "truststore" other than a collection of trusted
> certificates? If you don't trust the certificate then don't put it in
> there... :-)

Yes, it's true. :-) But, what is a CA certificate chain for?
I would like not to have to verify the trustworthiness of a certificate
manually before importing it.

Regards

> Colm.
>
> On Fri, Feb 27, 2015 at 10:22 AM, Jose María Zaragoza <[email protected]> wrote:
>
>> 2015-02-27 11:06 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>>> No, if the certificate itself is in the truststore then it is deemed to be
>>> trusted - the CA certificate does not need to be in there as well.
>>>
>>> Colm.
>>
>> Thanks.
>> Is this the standard behaviour in JSSE?
>> I think that all the CAs in the chain should be validated, to be sure
>> the certificate is signed by a trusted CA.
>>
>>> On Fri, Feb 27, 2015 at 7:37 AM, Jose María Zaragoza <[email protected]> wrote:
>>>
>>>> 2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>>>>> I did a quick test using CXF's WebClient doing a "GET" on
>>>>> https://www.google.com. It works fine when you don't specify any
>>>>> TLSClientParameters as expected, as it picks up the default cacerts.
>>>>> However, when I added the following it fails (also as expected):
>>>>>
>>>>> <http:conduit name="https://.*">
>>>>>   <http:tlsClientParameters disableCNCheck="true">
>>>>>     <sec:trustManagers>
>>>>>       <sec:keyStore type="jks" password="cspass"
>>>>>                     resource="clientstore.jks"/>
>>>>>     </sec:trustManagers>
>>>>>   </http:tlsClientParameters>
>>>>> </http:conduit>
>>>>>
>>>>> Colm.
>>>>
>>>> OK. That's right.
>>>> But, if you import Google's certificate into clientstore.jks but you
>>>> don't import its CA certificate (GeoTrust CA, in this case), should
>>>> it fail?
>>>> This is my question.
>>>> I don't know what validation path JSSE follows.
>>>>
>>>> Regards
>>>>
>>>>> On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <[email protected]> wrote:
>>>>>
>>>>>> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <[email protected]>:
>>>>>>> What I meant is that you do use a self signed cert to sign a previously
>>>>>>> generated certificate but do not import this self signed cert into the
>>>>>>> truststore which would emulate the same situation you have now without
>>>>>>> having to provide a test where well known providers sign a given server
>>>>>>> certificate.
>>>>>>
>>>>>> OK
>>>>>> I'll try it
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>> Sergey
>>>>>>>
>>>>>>> On 26/02/15 18:51, Jose María Zaragoza wrote:
>>>>>>>>
>>>>>>>> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <[email protected]>:
>>>>>>>>>
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> I guess this is what Colm is implying, that the actual problem is that
>>>>>>>>> it does work.
>>>>>>>>> Can it be reproduced by a given server certificate with a self-signed
>>>>>>>>> certificate validating it?
>>>>>>>>
>>>>>>>> Well, I don't have a testcase right now. I'll try to reproduce it.
>>>>>>>>
>>>>>>>> With a self signed certificate, the behaviour is also the same.
>>>>>>>> But that makes sense (for me), because your CA is yourself, so you
>>>>>>>> could trust it (if the certificate is imported into your keystore).
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>>> Cheers, Sergey
>>>>>>>>>
>>>>>>>>> On 26/02/15 16:55, Jose María Zaragoza wrote:
>>>>>>>>>>
>>>>>>>>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>>>>>>>>>>>
>>>>>>>>>>> It does, but only if no truststore has been configured in CXF. Do you
>>>>>>>>>>> have a test-case that reproduces this problem?
>>>>>>>>>>
>>>>>>>>>> Thanks, not really
>>>>>>>>>> Indeed, it's not a problem because my client works fine, but I cannot
>>>>>>>>>> understand why. I only imported the server certificate, not the others
>>>>>>>>>> in the chain.
>>>>>>>>>>
>>>>>>>>>> As I don't know how the underlying certificate validation is performed,
>>>>>>>>>> I don't know if this behaviour is caused by default settings in CXF
>>>>>>>>>> or another reason.
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>>
>>>>>>>>>>> Colm.
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>>>>>>>>>>>>>
>>>>>>>>>>>>> You are using "keyManagers" instead of "trustManagers" in the
>>>>>>>>>>>>> configuration. "keyManagers" is used when you need to specify a key for
>>>>>>>>>>>>> client authentication. "trustManagers" is used to verify trust in the
>>>>>>>>>>>>> server's cert. As you have no "trustManagers" configuration here, I guess
>>>>>>>>>>>>> it is falling back on the default JVM settings
>>>>>>>>>>>>> (javax.net.ssl.trustStore)
>>>>>>>>>>>>
>>>>>>>>>>>> Sorry, it was a typo. I'm using trustManagers
>>>>>>>>>>>>
>>>>>>>>>>>> <sec:trustManagers>
>>>>>>>>>>>>   <sec:keyStore type="JKS" password="*******"
>>>>>>>>>>>>                 resource="truststore.jks"/>
>>>>>>>>>>>> </sec:trustManagers>
>>>>>>>>>>>> <sec:cipherSuitesFilter>
>>>>>>>>>>>>
>>>>>>>>>>>> Do you know if JSSE (I guess it's the underlying TLS implementation)
>>>>>>>>>>>> uses the default JVM truststore for checking certificates?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks
>>>>>>>>>>>>
>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Maybe this question is a bit off topic, but I'm trying to understand why
>>>>>>>>>>>>>> my client works.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL/TLS).
>>>>>>>>>>>>>> These are my settings:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> <http-conf:conduit name="https://.*">
>>>>>>>>>>>>>>   <http-conf:tlsClientParameters>
>>>>>>>>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
>>>>>>>>>>>>>>       <sec:keyStore type="JKS" password="xxxxxxxx"
>>>>>>>>>>>>>>                     resource="truststore.jks"/>
>>>>>>>>>>>>>>     </sec:keyManagers>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I've imported the SSL server certificate into truststore.jks
>>>>>>>>>>>>>> And it works fine.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> But this certificate is signed by a CA chain (from godaddy.com),
>>>>>>>>>>>>>> and (I think) I haven't imported any certificate from godaddy.
>>>>>>>>>>>>>> Why does my client trust the server certificate?
>>>>>>>>>>>>>> Isn't some Certification Path Validation process performed?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks and regards
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Colm O hEigeartaigh
>>>>>>>>>>>>>
>>>>>>>>>>>>> Talend Community Coder
>>>>>>>>>>>>> http://coders.talend.com
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Sergey Beryozkin
>>>>>>>>>
>>>>>>>>> Talend Community Coders
>>>>>>>>> http://coders.talend.com/
>>>>>>>>>
>>>>>>>>> Blog: http://sberyozkin.blogspot.com
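As an added example (not code from the thread or from CXF), the following Java program makes the behaviour Colm describes observable with the same PKIX trust manager JSSE uses: it loads a truststore and a PEM server chain (both file names are assumed placeholders), asks whether the chain is trusted as configured, then deletes the leaf certificate's own truststore entry and asks again, so a leaf-only truststore passes the first check while only CA entries can anchor trust in the second.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Asks the same PKIX trust manager JSSE uses whether a server chain is trusted. */
public class TrustAnchorCheck {
    // true if the PKIX X509TrustManager accepts the chain against this truststore
    static boolean isTrusted(KeyStore truststore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(truststore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                return true;
            } catch (CertificateException e) {
                return false; // path validation failed: no trust anchor reachable
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }
    public static void main(String[] args) throws Exception {
        // Assumed placeholder files: a JKS truststore and a PEM file holding the
        // server certificate first, followed by any intermediate CA certificates.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("truststore.jks")) {
            ks.load(in, null); // a null password only skips the integrity check
        }
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream("server-chain.pem")) {
            chain = CertificateFactory.getInstance("X.509")
                    .generateCertificates(in).toArray(new X509Certificate[0]);
        }
        // Leaf-only truststore (the thread's setup) is accepted: an entry matching any chain cert is a trust anchor.
        System.out.println("as configured: " + (isTrusted(ks, chain) ? "trusted" : "rejected"));
        // Remove the leaf's own entry: now trust can only come from a CA in the truststore.
        String leafAlias = ks.getCertificateAlias(chain[0]);
        if (leafAlias != null) {
            ks.deleteEntry(leafAlias);
            System.out.println("leaf entry removed: " + (isTrusted(ks, chain) ? "trusted" : "rejected"));
        }
    }
}
```

The second check is rejected unless the issuing CA (or an intermediate it chains to) is also in the truststore, which is the certification path validation the thread asks about.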
