2015-02-27 12:22 GMT+01:00 Colm O hEigeartaigh <[email protected]>: >> But , what is a CA certificate chain for ? I would like don't have to >> verify the trustability of a certificate manually before importing it. > > When you need to verify trust in a certificate, CXF essentially asks your > truststore two questions: > > a) Is this certificate stored in the truststore (direct trust) > b) Is the issuer of this certificate stored in the truststore, and is the > cert chain correct, etc.
I did't know b) step . That's enough for me , then Thanks > > Obviously directly storing certificates in the truststore does not scale. > It might be useful for some scenarios though. The normal way of doing > things is to just store your trusted CA certs in there. > > Colm. > > On Fri, Feb 27, 2015 at 10:47 AM, Jose María Zaragoza <[email protected]> > wrote: > >> 2015-02-27 11:28 GMT+01:00 Colm O hEigeartaigh <[email protected]>: >> > What is the concept of a "truststore" other than a collection of trusted >> > certificates? If you don't trust the certificate then don't put it in >> > there... :-) >> >> Yes, it's true. :-) >> But , what is a CA certificate chain for ? I would like don't have to >> verify the trustability of a certificate manually before importing it. >> >> Regards >> >> >> >> > >> > Colm. >> > >> > On Fri, Feb 27, 2015 at 10:22 AM, Jose María Zaragoza < >> [email protected]> >> > wrote: >> > >> >> 2015-02-27 11:06 GMT+01:00 Colm O hEigeartaigh <[email protected]>: >> >> > No, if the certificate itself is in the truststore then it is deemed >> to >> >> be >> >> > trusted - the CA certificate does not need to be in there as well. >> >> > >> >> > Colm. >> >> >> >> >> >> Thanks. >> >> Is this the standard behaviour in JSSE ? >> >> I think that it should be validated all CA in the chain, to be sure >> >> the certificate is signed by trusted CA >> >> >> >> >> >> > >> >> > On Fri, Feb 27, 2015 at 7:37 AM, Jose María Zaragoza < >> >> [email protected]> >> >> > wrote: >> >> > >> >> >> 2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <[email protected] >> >: >> >> >> > I did a quick test using CXF's WebClient doing a "GET" on >> >> >> > https://www.google.com. It works fine when you don't specify any >> >> >> > TLSClientParameters as expected, as it picks up the default >> cacerts. >> >> >> > However, when I added the following it fails (also as expected): >> >> >> > >> >> >> > <http:conduit name="https://.*";> >> >> >> > <http:tlsClientParameters disableCNCheck="true"> >> >> >> > <sec:trustManagers> >> >> >> > <sec:keyStore type="jks" password="cspass" >> >> >> > resource="clientstore.jks"/> >> >> >> > </sec:trustManagers> >> >> >> > </http:tlsClientParameters> >> >> >> > </http:conduit> >> >> >> > >> >> >> > Colm. >> >> >> >> >> >> OK. That's right. >> >> >> But , if you import Google certificate into clientstore.jks but you >> >> >> don't import its CA certificate ( GeoTrust CA , in this case ), >> should >> >> >> it fail ? This is my question >> >> >> I don't know what is the validation path that JSSE follows >> >> >> >> >> >> Regards >> >> >> >> >> >> >> >> >> >> >> >> > >> >> >> > On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza < >> >> >> [email protected]> >> >> >> > wrote: >> >> >> > >> >> >> >> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <[email protected] >> >: >> >> >> >> > What I meant is that you do use a self signed cert to sign a >> >> >> previously >> >> >> >> > generated certificate but do not import this self signed cert >> into >> >> the >> >> >> >> > truststore which would emulate the same situation you have now >> >> without >> >> >> >> > having to provide a test where well known providers sign a given >> >> >> server >> >> >> >> > certificate. >> >> >> >> >> >> >> >> OK >> >> >> >> I'll try it >> >> >> >> >> >> >> >> Thanks >> >> >> >> >> >> >> >> > >> >> >> >> > Sergey >> >> >> >> > >> >> >> >> > >> >> >> >> > >> >> >> >> > On 26/02/15 18:51, Jose María Zaragoza wrote: >> >> >> >> >> >> >> >> >> >> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin < >> [email protected] >> >> >: >> >> >> >> >>> >> >> >> >> >>> Hi >> >> >> >> >>> >> >> >> >> >>> I guess this is what Colm is implying, that the actual problem >> >> that >> >> >> it >> >> >> >> >>> does >> >> >> >> >>> work. >> >> >> >> >>> Can it be reproduced by a given server certificate with a >> >> >> self-signed >> >> >> >> >>> certificate validating it ? >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> Well, I don't have a testcase right now. I'll try to reproduce >> it >> >> . >> >> >> >> >> >> >> >> >> >> With a self signed certificate , the behaviour also is the same >> >> >> >> >> But that makes sense ( for me ) , because your CA is yourself, >> so >> >> you >> >> >> >> >> could trust on it ( if the certificate is imported into your >> >> keystore >> >> >> >> >> ) >> >> >> >> >> >> >> >> >> >> Regards >> >> >> >> >> >> >> >> >> >> >> >> >> >> >>> >> >> >> >> >>> Cheers, Sergey >> >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> On 26/02/15 16:55, Jose María Zaragoza wrote: >> >> >> >> >>>> >> >> >> >> >>>> >> >> >> >> >>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh < >> >> >> [email protected]>: >> >> >> >> >>>>> >> >> >> >> >>>>> >> >> >> >> >>>>> >> >> >> >> >>>>> It does, but only if no truststore has been configured in >> CXF. >> >> Do >> >> >> you >> >> >> >> >>>>> have a >> >> >> >> >>>>> test-case that reproduces this problem? >> >> >> >> >>>> >> >> >> >> >>>> >> >> >> >> >>>> >> >> >> >> >>>> >> >> >> >> >>>> Thanks, not really >> >> >> >> >>>> Indeed, it's not a problem because my client works fine , >> but I >> >> >> cannot >> >> >> >> >>>> understand why. I only imported the server certificate, no >> the >> >> >> others >> >> >> >> >>>> in chain >> >> >> >> >>>> >> >> >> >> >>>> As I don't know how the underlying certificate validation is >> >> >> performed >> >> >> >> >>>> , I don't know if this behaviour is caused by default >> settings >> >> in >> >> >> CXF >> >> >> >> >>>> or another reason. >> >> >> >> >>>> >> >> >> >> >>>> Regards >> >> >> >> >>>> >> >> >> >> >>>> >> >> >> >> >>>>> >> >> >> >> >>>>> Colm. >> >> >> >> >>>>> >> >> >> >> >>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza >> >> >> >> >>>>> <[email protected]> >> >> >> >> >>>>> wrote: >> >> >> >> >>>>>> >> >> >> >> >>>>>> >> >> >> >> >>>>>> >> >> >> >> >>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh < >> >> >> [email protected] >> >> >> >> >: >> >> >> >> >>>>>>> >> >> >> >> >>>>>>> >> >> >> >> >>>>>>> You are using "keyManagers" instead of "trustManagers" in >> the >> >> >> >> >>>>>>> configuration. "keyManagers" is used when you need to >> >> specify a >> >> >> key >> >> >> >> >>>>>>> for >> >> >> >> >>>>>>> client authentication. "trustManagers" is used to verify >> >> trust >> >> >> in >> >> >> >> the >> >> >> >> >>>>>>> server's cert. As you have no "trustManagers" >> configuration >> >> >> here, I >> >> >> >> >>>>>>> guess >> >> >> >> >>>>>>> it is falling back on the default JVM settings >> >> >> >> >>>>>>> (javax.net.ssl.trustStore) >> >> >> >> >>>>>> >> >> >> >> >>>>>> >> >> >> >> >>>>>> >> >> >> >> >>>>>> Sorry, it was a typo. I'm using trustManagers >> >> >> >> >>>>>> >> >> >> >> >>>>>> <sec:trustManagers> >> >> >> >> >>>>>> <sec:keyStore type="JKS" password="*******" >> >> >> >> >>>>>> resource="truststore.jks"/> >> >> >> >> >>>>>> </sec:trustManagers> >> >> >> >> >>>>>> <sec:cipherSuitesFilter> >> >> >> >> >>>>>> >> >> >> >> >>>>>> Do you know if JSSE ( I guess it's the underlying TLS >> >> >> >> implementation ) >> >> >> >> >>>>>> uses default JVM truststore for checking certificates ? >> >> >> >> >>>>>> >> >> >> >> >>>>>> Thanks >> >> >> >> >>>>>> >> >> >> >> >>>>>>> >> >> >> >> >>>>>>> Colm. >> >> >> >> >>>>>>> >> >> >> >> >>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza >> >> >> >> >>>>>>> <[email protected]> >> >> >> >> >>>>>>> wrote: >> >> >> >> >>>>>>> >> >> >> >> >>>>>>>> Hello: >> >> >> >> >>>>>>>> >> >> >> >> >>>>>>>> Maybe this question a bit off topic , but I try to >> >> understand >> >> >> why >> >> >> >> my >> >> >> >> >>>>>>>> client works. >> >> >> >> >>>>>>>> >> >> >> >> >>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL >> >> /TLS) >> >> >> >> >>>>>>>> This is my settings: >> >> >> >> >>>>>>>> >> >> >> >> >>>>>>>> <http-conf:conduit name="https://.*";> >> >> >> >> >>>>>>>> <http-conf:tlsClientParameters> >> >> >> >> >>>>>>>> <sec:keyManagers keyPassword="xxxxxxxx"> >> >> >> >> >>>>>>>> <sec:keyStore type="JKS" password="xxxxxxxx" >> >> >> >> >>>>>>>> resource="truststore.jks"/> >> >> >> >> >>>>>>>> </sec:keyManagers> >> >> >> >> >>>>>>>> >> >> >> >> >>>>>>>> I've imported SSL server certificate into truststore.jks >> >> >> >> >>>>>>>> And it works fine. >> >> >> >> >>>>>>>> >> >> >> >> >>>>>>>> But this certificate is signed by a CA chain ( from . >> >> >> godaddy.com) >> >> >> >> , >> >> >> >> >>>>>>>> and ( I think ) I don't have imported any certificate >> from >> >> >> godaddy >> >> >> >> >>>>>>>> Why does my client trust in the server certificate ? >> >> >> >> >>>>>>>> Is not performed some Certification Path Validation >> >> process ? >> >> >> >> >>>>>>>> >> >> >> >> >>>>>>>> Thanks and regards >> >> >> >> >>>>>>>> >> >> >> >> >>>>>>> >> >> >> >> >>>>>>> >> >> >> >> >>>>>>> >> >> >> >> >>>>>>> -- >> >> >> >> >>>>>>> Colm O hEigeartaigh >> >> >> >> >>>>>>> >> >> >> >> >>>>>>> Talend Community Coder >> >> >> >> >>>>>>> http://coders.talend.com >> >> >> >> >>>>> >> >> >> >> >>>>> >> >> >> >> >>>>> >> >> >> >> >>>>> >> >> >> >> >>>>> >> >> >> >> >>>>> >> >> >> >> >>>>> -- >> >> >> >> >>>>> Colm O hEigeartaigh >> >> >> >> >>>>> >> >> >> >> >>>>> Talend Community Coder >> >> >> >> >>>>> http://coders.talend.com >> >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> -- >> >> >> >> >>> Sergey Beryozkin >> >> >> >> >>> >> >> >> >> >>> Talend Community Coders >> >> >> >> >>> http://coders.talend.com/ >> >> >> >> >>> >> >> >> >> >>> Blog: http://sberyozkin.blogspot.com >> >> >> >> > >> >> >> >> > >> >> >> >> >> >> >> > >> >> >> > >> >> >> > >> >> >> > -- >> >> >> > Colm O hEigeartaigh >> >> >> > >> >> >> > Talend Community Coder >> >> >> > http://coders.talend.com >> >> >> >> >> > >> >> > >> >> > >> >> > -- >> >> > Colm O hEigeartaigh >> >> > >> >> > Talend Community Coder >> >> > http://coders.talend.com >> >> >> > >> > >> > >> > -- >> > Colm O hEigeartaigh >> > >> > Talend Community Coder >> > http://coders.talend.com >> > > > > -- > Colm O hEigeartaigh > > Talend Community Coder > http://coders.talend.com
