> But, what is a CA certificate chain for? I would like to not have to
> verify the trustworthiness of a certificate manually before importing it.
When you need to verify trust in a certificate, CXF essentially asks your truststore two questions:

a) Is this certificate stored in the truststore (direct trust)?
b) Is the issuer of this certificate stored in the truststore, and is the cert chain correct, etc.?

Obviously directly storing certificates in the truststore does not scale. It might be useful for some scenarios though. The normal way of doing things is to just store your trusted CA certs in there.

Colm.

On Fri, Feb 27, 2015 at 10:47 AM, Jose María Zaragoza <[email protected]> wrote:

> 2015-02-27 11:28 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> > What is the concept of a "truststore" other than a collection of trusted
> > certificates? If you don't trust the certificate then don't put it in
> > there... :-)
>
> Yes, it's true. :-)
> But, what is a CA certificate chain for? I would like to not have to
> verify the trustworthiness of a certificate manually before importing it.
>
> Regards
>
> > Colm.
> >
> > On Fri, Feb 27, 2015 at 10:22 AM, Jose María Zaragoza <[email protected]> wrote:
> >
> > > 2015-02-27 11:06 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> > > > No, if the certificate itself is in the truststore then it is deemed to
> > > > be trusted - the CA certificate does not need to be in there as well.
> > > >
> > > > Colm.
> > >
> > > Thanks.
> > > Is this the standard behaviour in JSSE?
> > > I think that all the CAs in the chain should be validated, to be sure
> > > the certificate is signed by a trusted CA.
> > >
> > > > On Fri, Feb 27, 2015 at 7:37 AM, Jose María Zaragoza <[email protected]> wrote:
> > > >
> > > > > 2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> > > > > > I did a quick test using CXF's WebClient doing a "GET" on
> > > > > > https://www.google.com. It works fine when you don't specify any
> > > > > > TLSClientParameters as expected, as it picks up the default cacerts.
> > > > > > However, when I added the following it fails (also as expected):
> > > > > >
> > > > > > <http:conduit name="https://.*">
> > > > > >   <http:tlsClientParameters disableCNCheck="true">
> > > > > >     <sec:trustManagers>
> > > > > >       <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
> > > > > >     </sec:trustManagers>
> > > > > >   </http:tlsClientParameters>
> > > > > > </http:conduit>
> > > > > >
> > > > > > Colm.
> > > > >
> > > > > OK. That's right.
> > > > > But, if you import the Google certificate into clientstore.jks but you
> > > > > don't import its CA certificate (GeoTrust CA, in this case), should
> > > > > it fail? This is my question.
> > > > > I don't know what validation path JSSE follows.
> > > > >
> > > > > Regards
> > > > >
> > > > > > On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <[email protected]> wrote:
> > > > > >
> > > > > > > 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <[email protected]>:
> > > > > > > > What I meant is that you do use a self signed cert to sign a previously
> > > > > > > > generated certificate but do not import this self signed cert into the
> > > > > > > > truststore which would emulate the same situation you have now without
> > > > > > > > having to provide a test where well known providers sign a given server
> > > > > > > > certificate.
> > > > > > >
> > > > > > > OK
> > > > > > > I'll try it
> > > > > > >
> > > > > > > Thanks
> > > > > > >
> > > > > > > > Sergey
> > > > > > > >
> > > > > > > > On 26/02/15 18:51, Jose María Zaragoza wrote:
> > > > > > > > >
> > > > > > > > > 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <[email protected]>:
> > > > > > > > > > Hi
> > > > > > > > > >
> > > > > > > > > > I guess this is what Colm is implying, that the actual problem is that
> > > > > > > > > > it does work.
> > > > > > > > > > Can it be reproduced by a given server certificate with a self-signed
> > > > > > > > > > certificate validating it?
> > > > > > > > >
> > > > > > > > > Well, I don't have a testcase right now. I'll try to reproduce it.
> > > > > > > > >
> > > > > > > > > With a self signed certificate, the behaviour is also the same.
> > > > > > > > > But that makes sense (for me), because your CA is yourself, so you
> > > > > > > > > could trust it (if the certificate is imported into your keystore).
> > > > > > > > >
> > > > > > > > > Regards
> > > > > > > > >
> > > > > > > > > > Cheers, Sergey
> > > > > > > > > >
> > > > > > > > > > On 26/02/15 16:55, Jose María Zaragoza wrote:
> > > > > > > > > > >
> > > > > > > > > > > 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> > > > > > > > > > > > It does, but only if no truststore has been configured in CXF. Do you
> > > > > > > > > > > > have a test-case that reproduces this problem?
> > > > > > > > > > >
> > > > > > > > > > > Thanks, not really.
> > > > > > > > > > > Indeed, it's not a problem because my client works fine, but I cannot
> > > > > > > > > > > understand why. I only imported the server certificate, not the others
> > > > > > > > > > > in the chain.
> > > > > > > > > > >
> > > > > > > > > > > As I don't know how the underlying certificate validation is performed,
> > > > > > > > > > > I don't know if this behaviour is caused by default settings in CXF
> > > > > > > > > > > or another reason.
> > > > > > > > > > >
> > > > > > > > > > > Regards
> > > > > > > > > > >
> > > > > > > > > > > > Colm.
> > > > > > > > > > > >
> > > > > > > > > > > > On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza <[email protected]> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> > > > > > > > > > > > > > You are using "keyManagers" instead of "trustManagers" in the
> > > > > > > > > > > > > > configuration. "keyManagers" is used when you need to specify a key
> > > > > > > > > > > > > > for client authentication. "trustManagers" is used to verify trust in
> > > > > > > > > > > > > > the server's cert. As you have no "trustManagers" configuration here,
> > > > > > > > > > > > > > I guess it is falling back on the default JVM settings
> > > > > > > > > > > > > > (javax.net.ssl.trustStore)
> > > > > > > > > > > > >
> > > > > > > > > > > > > Sorry, it was a typo. I'm using trustManagers
> > > > > > > > > > > > >
> > > > > > > > > > > > > <sec:trustManagers>
> > > > > > > > > > > > >   <sec:keyStore type="JKS" password="*******" resource="truststore.jks"/>
> > > > > > > > > > > > > </sec:trustManagers>
> > > > > > > > > > > > > <sec:cipherSuitesFilter>
> > > > > > > > > > > > >
> > > > > > > > > > > > > Do you know if JSSE (I guess it's the underlying TLS implementation)
> > > > > > > > > > > > > uses the default JVM truststore for checking certificates?
> > > > > > > > > > > > >
> > > > > > > > > > > > > Thanks
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Colm.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza <[email protected]> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Hello:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Maybe this question is a bit off topic, but I am trying to understand
> > > > > > > > > > > > > > > why my client works.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL/TLS).
> > > > > > > > > > > > > > > These are my settings:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > <http-conf:conduit name="https://.*">
> > > > > > > > > > > > > > >   <http-conf:tlsClientParameters>
> > > > > > > > > > > > > > >     <sec:keyManagers keyPassword="xxxxxxxx">
> > > > > > > > > > > > > > >       <sec:keyStore type="JKS" password="xxxxxxxx" resource="truststore.jks"/>
> > > > > > > > > > > > > > >     </sec:keyManagers>
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I've imported the SSL server certificate into truststore.jks
> > > > > > > > > > > > > > > and it works fine.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > But this certificate is signed by a CA chain (from godaddy.com), and
> > > > > > > > > > > > > > > (I think) I haven't imported any certificate from godaddy.
> > > > > > > > > > > > > > > Why does my client trust the server certificate?
> > > > > > > > > > > > > > > Isn't some Certification Path Validation process performed?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Thanks and regards
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > --
> > > > > > > > > > > > > > Colm O hEigeartaigh
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Talend Community Coder
> > > > > > > > > > > > > > http://coders.talend.com
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Sergey Beryozkin
> > > > > > > > > >
> > > > > > > > > > Talend Community Coders
> > > > > > > > > > http://coders.talend.com/
> > > > > > > > > >
> > > > > > > > > > Blog: http://sberyozkin.blogspot.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
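The two questions described in the reply above can be watched directly against the JSSE PKIX trust manager, which is what CXF's `<sec:trustManagers>` ends up feeding into an `SSLContext`. The following is an added example written for this page, not code from CXF or from anyone in the thread. It reads a server chain from a PEM file (leaf first, as a TLS server sends it), then runs the same chain through three truststores: the JVM default `cacerts` (what you get when no truststore is configured), a truststore holding only the end-entity certificate (direct trust, question a), and a truststore holding only the CA certificate at the top of the presented chain (chain trust, question b). The class name `TrustStoreCheck`, the `chain.pem` argument and the alias scheme are assumptions of the example; the `"UNKNOWN"` authType is the value JSSE itself accepts when the key-exchange algorithm is not being checked, so the end-entity key-usage check falls back to `digitalSignature` instead of requiring `keyEncipherment`.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example, not CXF code. Runs one server chain through the JSSE PKIX
 * trust manager with three different truststores to show the two ways a
 * certificate becomes trusted: (a) the end-entity cert itself is a trust
 * anchor, or (b) a CA in the presented chain is a trust anchor and the path
 * from the leaf up to it validates.
 *
 * Usage: java TrustStoreCheck chain.pem
 *   chain.pem: the server's chain in PEM, leaf first, e.g. captured with
 *   keytool -printcert -sslserver host:443 -rfc > chain.pem   (assumed input)
 */
public class TrustStoreCheck {

    /** Parses a PEM file holding one or more certificates, in file order. */
    static X509Certificate[] loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        if (out.isEmpty()) {
            throw new IllegalArgumentException("no certificates found in " + path);
        }
        return out.toArray(new X509Certificate[0]);
    }

    /** Builds an in-memory truststore containing exactly the given certificates. */
    static KeyStore truststoreOf(X509Certificate... certs) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty store, never written to disk
        for (int i = 0; i < certs.length; i++) {
            ks.setCertificateEntry("trusted-" + i, certs[i]); // alias scheme is arbitrary
        }
        return ks;
    }

    /** PKIX X509TrustManager over a truststore; a null truststore selects the JVM default cacerts. */
    static X509TrustManager trustManagerFor(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(truststore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available from PKIX factory");
    }

    /**
     * The check a TLS client performs on the server's chain. Returns true if the
     * trust manager accepts it, false with the reason printed if it throws.
     */
    static boolean serverTrusted(X509TrustManager tm, X509Certificate[] chain) {
        try {
            // "UNKNOWN" skips the key-exchange-specific key usage requirement
            // (e.g. keyEncipherment for "RSA") and checks digitalSignature instead.
            tm.checkServerTrusted(chain, "UNKNOWN");
            return true;
        } catch (CertificateException e) {
            System.out.println("    rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TrustStoreCheck chain.pem");
            System.exit(2);
        }
        X509Certificate[] chain = loadChain(args[0]);
        X509Certificate leaf = chain[0];
        X509Certificate topCa = chain[chain.length - 1]; // root, or the last intermediate the server sent

        System.out.println("leaf subject: " + leaf.getSubjectX500Principal());
        System.out.println("leaf issuer : " + leaf.getIssuerX500Principal());

        // No truststore configured: JSSE falls back to the JVM's default cacerts.
        System.out.println("default cacerts        -> " + serverTrusted(trustManagerFor(null), chain));
        // (a) direct trust: only the end-entity cert is an anchor; no CA is present at all,
        //     so the trust manager returns as soon as it finds chain[0] in the truststore.
        System.out.println("truststore = leaf only -> " + serverTrusted(trustManagerFor(truststoreOf(leaf)), chain));
        // (b) chain trust: only the CA is an anchor; the path leaf -> ... -> CA is validated
        //     (signatures, validity periods, name chaining, basic constraints).
        System.out.println("truststore = CA only   -> " + serverTrusted(trustManagerFor(truststoreOf(topCa)), chain));
    }
}
```

Two caveats worth keeping in mind when reading the output. With the leaf-only truststore the trust manager stops at the direct match, so none of the path checks that run in the CA-only case are applied to that certificate, and the truststore has to be updated every time the server's certificate is renewed, which is the scaling problem mentioned above. With either truststore, JSSE's PKIX validation does not check revocation unless the JVM is started with `-Dcom.sun.net.ssl.checkRevocation=true`. Separately, the `disableCNCheck="true"` in the test conduit quoted in the thread switches off hostname verification, which is fine for a throwaway test but should not be carried into a production configuration.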
