Why not write a test-case for this scenario?

Colm.

On Fri, Feb 27, 2015 at 1:35 PM, Jose María Zaragoza <[email protected]> wrote:

> 2015-02-27 12:22 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> But what is a CA certificate chain for? I would like not to have to
> >> verify the trustworthiness of a certificate manually before importing it.
> >
> > When you need to verify trust in a certificate, CXF essentially asks your
> > truststore two questions:
> >
> > a) Is this certificate stored in the truststore (direct trust)
> > b) Is the issuer of this certificate stored in the truststore, and is the
> >    cert chain correct, etc.
>
> Sorry (again), but one more question:
>
> What if I store the trusted CA certificates in the truststore (i.e., mode b)
> but the server certificate has expired?
>
> In mode a), I know that it is deemed to be trusted, but I'm not sure about
> mode b).
>
> Thanks
>
> > Obviously directly storing certificates in the truststore does not scale.
> > It might be useful for some scenarios though. The normal way of doing
> > things is to just store your trusted CA certs in there.
> >
> > Colm.
> >
> > On Fri, Feb 27, 2015 at 10:47 AM, Jose María Zaragoza <[email protected]> wrote:
> >
> >> 2015-02-27 11:28 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> > What is the concept of a "truststore" other than a collection of trusted
> >> > certificates? If you don't trust the certificate then don't put it in
> >> > there... :-)
> >>
> >> Yes, it's true. :-)
> >> But what is a CA certificate chain for? I would like not to have to
> >> verify the trustworthiness of a certificate manually before importing it.
> >>
> >> Regards
> >>
> >> > Colm.
> >> >
> >> > On Fri, Feb 27, 2015 at 10:22 AM, Jose María Zaragoza <[email protected]> wrote:
> >> >
> >> >> 2015-02-27 11:06 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> >> > No, if the certificate itself is in the truststore then it is deemed
> >> >> > to be trusted - the CA certificate does not need to be in there as well.
> >> >> >
> >> >> > Colm.
> >> >>
> >> >> Thanks.
> >> >> Is this the standard behaviour in JSSE?
> >> >> I think that all CAs in the chain should be validated, to be sure the
> >> >> certificate is signed by a trusted CA.
> >> >>
> >> >> > On Fri, Feb 27, 2015 at 7:37 AM, Jose María Zaragoza <[email protected]> wrote:
> >> >> >
> >> >> >> 2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> >> >> > I did a quick test using CXF's WebClient doing a "GET" on
> >> >> >> > https://www.google.com. It works fine when you don't specify any
> >> >> >> > TLSClientParameters as expected, as it picks up the default cacerts.
> >> >> >> > However, when I added the following it fails (also as expected):
> >> >> >> >
> >> >> >> > <http:conduit name="https://.*">
> >> >> >> >   <http:tlsClientParameters disableCNCheck="true">
> >> >> >> >     <sec:trustManagers>
> >> >> >> >       <sec:keyStore type="jks" password="cspass"
> >> >> >> >                     resource="clientstore.jks"/>
> >> >> >> >     </sec:trustManagers>
> >> >> >> >   </http:tlsClientParameters>
> >> >> >> > </http:conduit>
> >> >> >> >
> >> >> >> > Colm.
> >> >> >>
> >> >> >> OK. That's right.
> >> >> >> But if you import Google's certificate into clientstore.jks and don't
> >> >> >> import its CA certificate (GeoTrust CA, in this case), should it fail?
> >> >> >> This is my question.
> >> >> >> I don't know what validation path JSSE follows.
> >> >> >>
> >> >> >> Regards
> >> >> >>
> >> >> >> > On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <[email protected]> wrote:
> >> >> >> >
> >> >> >> >> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <[email protected]>:
> >> >> >> >> > What I meant is that you do use a self-signed cert to sign a
> >> >> >> >> > previously generated certificate but do not import this self-signed
> >> >> >> >> > cert into the truststore, which would emulate the same situation you
> >> >> >> >> > have now without having to provide a test where well-known providers
> >> >> >> >> > sign a given server certificate.
> >> >> >> >>
> >> >> >> >> OK, I'll try it.
> >> >> >> >>
> >> >> >> >> Thanks
> >> >> >> >>
> >> >> >> >> > Sergey
> >> >> >> >> >
> >> >> >> >> > On 26/02/15 18:51, Jose María Zaragoza wrote:
> >> >> >> >> >>
> >> >> >> >> >> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <[email protected]>:
> >> >> >> >> >>>
> >> >> >> >> >>> Hi
> >> >> >> >> >>>
> >> >> >> >> >>> I guess this is what Colm is implying, that the actual problem is
> >> >> >> >> >>> that it does work.
> >> >> >> >> >>> Can it be reproduced by a given server certificate with a
> >> >> >> >> >>> self-signed certificate validating it?
> >> >> >> >> >>
> >> >> >> >> >> Well, I don't have a test case right now. I'll try to reproduce it.
> >> >> >> >> >>
> >> >> >> >> >> With a self-signed certificate, the behaviour is also the same.
> >> >> >> >> >> But that makes sense (for me), because your CA is yourself, so you
> >> >> >> >> >> could trust it (if the certificate is imported into your keystore).
> >> >> >> >> >>
> >> >> >> >> >> Regards
> >> >> >> >> >>
> >> >> >> >> >>> Cheers, Sergey
> >> >> >> >> >>>
> >> >> >> >> >>> On 26/02/15 16:55, Jose María Zaragoza wrote:
> >> >> >> >> >>>>
> >> >> >> >> >>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> >> >> >> >>>>>
> >> >> >> >> >>>>> It does, but only if no truststore has been configured in CXF.
> >> >> >> >> >>>>> Do you have a test-case that reproduces this problem?
> >> >> >> >> >>>>
> >> >> >> >> >>>> Thanks, not really.
> >> >> >> >> >>>> Indeed, it's not a problem, because my client works fine, but I
> >> >> >> >> >>>> cannot understand why. I only imported the server certificate, not
> >> >> >> >> >>>> the others in the chain.
> >> >> >> >> >>>>
> >> >> >> >> >>>> As I don't know how the underlying certificate validation is
> >> >> >> >> >>>> performed, I don't know if this behaviour is caused by default
> >> >> >> >> >>>> settings in CXF or by another reason.
> >> >> >> >> >>>>
> >> >> >> >> >>>> Regards
> >> >> >> >> >>>>
> >> >> >> >> >>>>> Colm.
> >> >> >> >> >>>>>
> >> >> >> >> >>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza <[email protected]> wrote:
> >> >> >> >> >>>>>>
> >> >> >> >> >>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> >> >> >> >>>>>>>
> >> >> >> >> >>>>>>> You are using "keyManagers" instead of "trustManagers" in the
> >> >> >> >> >>>>>>> configuration. "keyManagers" is used when you need to specify a
> >> >> >> >> >>>>>>> key for client authentication. "trustManagers" is used to verify
> >> >> >> >> >>>>>>> trust in the server's cert. As you have no "trustManagers"
> >> >> >> >> >>>>>>> configuration here, I guess it is falling back on the default JVM
> >> >> >> >> >>>>>>> settings (javax.net.ssl.trustStore)
> >> >> >> >> >>>>>>
> >> >> >> >> >>>>>> Sorry, it was a typo. I'm using trustManagers:
> >> >> >> >> >>>>>>
> >> >> >> >> >>>>>> <sec:trustManagers>
> >> >> >> >> >>>>>>   <sec:keyStore type="JKS" password="*******"
> >> >> >> >> >>>>>>                 resource="truststore.jks"/>
> >> >> >> >> >>>>>> </sec:trustManagers>
> >> >> >> >> >>>>>> <sec:cipherSuitesFilter>
> >> >> >> >> >>>>>>
> >> >> >> >> >>>>>> Do you know if JSSE (I guess it's the underlying TLS
> >> >> >> >> >>>>>> implementation) uses the default JVM truststore for checking
> >> >> >> >> >>>>>> certificates?
> >> >> >> >> >>>>>>
> >> >> >> >> >>>>>> Thanks
> >> >> >> >> >>>>>>
> >> >> >> >> >>>>>>> Colm.
> >> >> >> >> >>>>>>>
> >> >> >> >> >>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza <[email protected]> wrote:
> >> >> >> >> >>>>>>>
> >> >> >> >> >>>>>>>> Hello:
> >> >> >> >> >>>>>>>>
> >> >> >> >> >>>>>>>> Maybe this question is a bit off topic, but I'm trying to
> >> >> >> >> >>>>>>>> understand why my client works.
> >> >> >> >> >>>>>>>>
> >> >> >> >> >>>>>>>> I use CXF 2.7.8 to call a remote web service over HTTPS
> >> >> >> >> >>>>>>>> (SSL/TLS). These are my settings:
> >> >> >> >> >>>>>>>>
> >> >> >> >> >>>>>>>> <http-conf:conduit name="https://.*">
> >> >> >> >> >>>>>>>>   <http-conf:tlsClientParameters>
> >> >> >> >> >>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
> >> >> >> >> >>>>>>>>       <sec:keyStore type="JKS" password="xxxxxxxx"
> >> >> >> >> >>>>>>>>                     resource="truststore.jks"/>
> >> >> >> >> >>>>>>>>     </sec:keyManagers>
> >> >> >> >> >>>>>>>>
> >> >> >> >> >>>>>>>> I've imported the SSL server certificate into truststore.jks,
> >> >> >> >> >>>>>>>> and it works fine.
> >> >> >> >> >>>>>>>>
> >> >> >> >> >>>>>>>> But this certificate is signed by a CA chain (from godaddy.com),
> >> >> >> >> >>>>>>>> and (I think) I haven't imported any certificate from GoDaddy.
> >> >> >> >> >>>>>>>> Why does my client trust the server certificate?
> >> >> >> >> >>>>>>>> Isn't some Certification Path Validation process performed?
> >> >> >> >> >>>>>>>>
> >> >> >> >> >>>>>>>> Thanks and regards
> >> >> >> >> >>>>>>>
> >> >> >> >> >>>>>>> --
> >> >> >> >> >>>>>>> Colm O hEigeartaigh
> >> >> >> >> >>>>>>>
> >> >> >> >> >>>>>>> Talend Community Coder
> >> >> >> >> >>>>>>> http://coders.talend.com
> >> >> >> >> >>>
> >> >> >> >> >>> --
> >> >> >> >> >>> Sergey Beryozkin
> >> >> >> >> >>>
> >> >> >> >> >>> Talend Community Coders
> >> >> >> >> >>> http://coders.talend.com/
> >> >> >> >> >>>
> >> >> >> >> >>> Blog: http://sberyozkin.blogspot.com
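The two "truststore questions" Colm describes (is the leaf itself a trust anchor, or is its issuer one and the chain valid) can be replayed offline against the exact truststore from the conduit configuration, without a handshake and without guessing what JSSE does. The program below is an added example written for this page; it is not code from the thread or from CXF. It assumes the class name TrustCheck and the helper names anchorKind and verdict, takes the JKS path, its password and a PEM file holding the server's chain (leaf first) as arguments, and derives the checkServerTrusted authType from the leaf's key type, which is an assumption that mirrors an ECDHE handshake. It uses only the JDK's own TrustManagerFactory, which is what CXF wraps when it builds the trust managers from <sec:trustManagers>.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Offline replay of the trust decision JSSE makes during a TLS handshake,
 * using the same PKIX trust manager that CXF builds from <sec:trustManagers>.
 * Added example for this thread; assumed names and argument layout.
 *
 * Usage: java TrustCheck truststore.jks storepass server-chain.pem
 *
 *   truststore.jks    the JKS truststore from the conduit configuration
 *   server-chain.pem  the certificates the server sends, leaf first, as PEM
 *                     (e.g. saved from "openssl s_client -showcerts")
 */
public class TrustCheck {

    /** Same trust manager JSSE/CXF would use for this truststore (PKIX by default). */
    static X509TrustManager trustManagerFor(String storePath, char[] storePass) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storePath)) {
            ts.load(in, storePass);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager for " + storePath);
    }

    /** Parse one or more PEM certificates into a chain array, preserving file order. */
    static X509Certificate[] readChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain.toArray(new X509Certificate[0]);
    }

    /**
     * Which of the two truststore questions the leaf can satisfy: "direct" if the
     * leaf itself is a trust anchor, "issuer" if only its issuer is, "none" if
     * neither. getAcceptedIssuers() returns the trust anchors of the truststore.
     */
    static String anchorKind(X509TrustManager tm, X509Certificate leaf) {
        boolean direct = false;
        boolean issuer = false;
        for (X509Certificate anchor : tm.getAcceptedIssuers()) {
            if (anchor.equals(leaf)) {
                direct = true;
            } else if (anchor.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                issuer = true;
            }
        }
        return direct ? "direct" : issuer ? "issuer" : "none";
    }

    /** The handshake-time call; returns "TRUSTED" or the rejection reason. */
    static String verdict(X509TrustManager tm, X509Certificate[] chain) {
        // authType is the key-exchange/authentication algorithm JSSE takes from the
        // negotiated cipher suite. Assumption: derive it from the leaf key type so the
        // end-entity key-usage check behaves as in an ECDHE handshake.
        String authType =
            "EC".equals(chain[0].getPublicKey().getAlgorithm()) ? "ECDHE_ECDSA" : "ECDHE_RSA";
        try {
            tm.checkServerTrusted(chain, authType);
            return "TRUSTED";
        } catch (CertificateException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = trustManagerFor(args[0], args[1].toCharArray());
        X509Certificate[] chain = readChain(args[2]);
        X509Certificate leaf = chain[0];

        System.out.println("trust anchors : " + tm.getAcceptedIssuers().length);
        System.out.println("leaf subject  : " + leaf.getSubjectX500Principal());
        System.out.println("leaf issuer   : " + leaf.getIssuerX500Principal());
        System.out.println("leaf notAfter : " + leaf.getNotAfter());
        System.out.println("anchor kind   : " + anchorKind(tm, leaf));
        System.out.println("verdict       : " + verdict(tm, chain));
    }
}
```

Run it twice, once against a truststore that holds only the server certificate (keytool -importcert -keystore ts.jks -alias server -file leaf.pem) and once against one that holds only the CA certificates, and the "anchor kind" line shows which of the two questions your configuration is actually relying on. The caveat behind the expiry question above: in the SunJSSE PKIX validator a leaf that is itself a trust anchor is accepted before any certification path is built, so none of the path checks (issuer signature, validity period, name constraints) run for it, whereas with only CA certificates in the truststore the chain is built and validated and an expired leaf is rejected; feed the tool an expired chain to confirm this on the JDK you ship. The check covers the chain only, not the hostname; that is a separate step, the one the disableCNCheck attribute in the thread switches off. The TrustManager[] from tmf.getTrustManagers() is also exactly what TLSClientParameters.setTrustManagers(...) takes if the conduit is configured in code rather than in XML.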
