2015-02-27 14:58 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> Why not write a test-case for this scenario?

Done.

In b) mode (i.e., only the issuer of the server certificate is stored in the truststore), when the server certificate is expired, the client request throws an exception like:

    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateNotYetValidException: NotBefore: Mon Mar 02 13:21:48 CET 2015

In a) mode (i.e., the server certificate is stored in the truststore), when the server certificate is expired, the client request doesn't throw any exception.

I wonder if it's possible to disable time checking in b) mode.

Thanks

> Colm.
>
> On Fri, Feb 27, 2015 at 1:35 PM, Jose María Zaragoza <[email protected]> wrote:
>
>> 2015-02-27 12:22 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>>> When you need to verify trust in a certificate, CXF essentially asks your
>>> truststore two questions:
>>>
>>> a) Is this certificate stored in the truststore (direct trust)
>>> b) Is the issuer of this certificate stored in the truststore, and is the
>>> cert chain correct, etc.
>>
>> Sorry (again), but one more question:
>>
>> what if I store the trusted CA certificates (i.e., b mode) but the
>> server certificate has expired?
>>
>> In a) mode, I know that it is deemed to be trusted, but I'm not sure
>> in b) mode.
>>
>> Thanks
>>
>>> Obviously directly storing certificates in the truststore does not scale.
>>> It might be useful for some scenarios though. The normal way of doing
>>> things is to just store your trusted CA certs in there.
>>>
>>> Colm.
>>>
>>> On Fri, Feb 27, 2015 at 10:47 AM, Jose María Zaragoza <[email protected]> wrote:
>>>
>>>> 2015-02-27 11:28 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>>>>> What is the concept of a "truststore" other than a collection of trusted
>>>>> certificates? If you don't trust the certificate then don't put it in
>>>>> there... :-)
>>>>
>>>> Yes, it's true. :-)
>>>> But, what is a CA certificate chain for? I would like not to have to
>>>> verify the trustability of a certificate manually before importing it.
>>>>
>>>> Regards
>>>>
>>>>> Colm.
>>>>>
>>>>> On Fri, Feb 27, 2015 at 10:22 AM, Jose María Zaragoza <[email protected]> wrote:
>>>>>
>>>>>> 2015-02-27 11:06 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>>>>>>> No, if the certificate itself is in the truststore then it is deemed to
>>>>>>> be trusted - the CA certificate does not need to be in there as well.
>>>>>>>
>>>>>>> Colm.
>>>>>>
>>>>>> Thanks.
>>>>>> Is this the standard behaviour in JSSE?
>>>>>> I think that all CAs in the chain should be validated, to be sure
>>>>>> the certificate is signed by a trusted CA.
>>>>>>
>>>>>>> On Fri, Feb 27, 2015 at 7:37 AM, Jose María Zaragoza <[email protected]> wrote:
>>>>>>>
>>>>>>>> 2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>>>>>>>>> I did a quick test using CXF's WebClient doing a "GET" on
>>>>>>>>> https://www.google.com. It works fine when you don't specify any
>>>>>>>>> TLSClientParameters as expected, as it picks up the default cacerts.
>>>>>>>>> However, when I added the following it fails (also as expected):
>>>>>>>>>
>>>>>>>>> <http:conduit name="https://.*">
>>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>         <sec:trustManagers>
>>>>>>>>>             <sec:keyStore type="jks" password="cspass"
>>>>>>>>>                 resource="clientstore.jks"/>
>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>     </http:tlsClientParameters>
>>>>>>>>> </http:conduit>
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> OK. That's right.
>>>>>>>> But, if you import the Google certificate into clientstore.jks but you
>>>>>>>> don't import its CA certificate (GeoTrust CA, in this case), should
>>>>>>>> it fail? This is my question.
>>>>>>>> I don't know what validation path JSSE follows.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>>> On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <[email protected]>:
>>>>>>>>>>> What I meant is that you do use a self signed cert to sign a previously
>>>>>>>>>>> generated certificate but do not import this self signed cert into the
>>>>>>>>>>> truststore which would emulate the same situation you have now without
>>>>>>>>>>> having to provide a test where well known providers sign a given server
>>>>>>>>>>> certificate.
>>>>>>>>>>
>>>>>>>>>> OK
>>>>>>>>>> I'll try it
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>>> Sergey
>>>>>>>>>>>
>>>>>>>>>>> On 26/02/15 18:51, Jose María Zaragoza wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <[email protected]>:
>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>
>>>>>>>>>>>>> I guess this is what Colm is implying, that the actual problem that it
>>>>>>>>>>>>> does work.
>>>>>>>>>>>>> Can it be reproduced by a given server certificate with a self-signed
>>>>>>>>>>>>> certificate validating it?
>>>>>>>>>>>>
>>>>>>>>>>>> Well, I don't have a testcase right now. I'll try to reproduce it.
>>>>>>>>>>>>
>>>>>>>>>>>> With a self signed certificate, the behaviour also is the same.
>>>>>>>>>>>> But that makes sense (for me), because your CA is yourself, so you
>>>>>>>>>>>> could trust it (if the certificate is imported into your keystore).
>>>>>>>>>>>>
>>>>>>>>>>>> Regards
>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers, Sergey
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 26/02/15 16:55, Jose María Zaragoza wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>>>>>>>>>>>>>>> It does, but only if no truststore has been configured in CXF. Do you
>>>>>>>>>>>>>>> have a test-case that reproduces this problem?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks, not really.
>>>>>>>>>>>>>> Indeed, it's not a problem because my client works fine, but I cannot
>>>>>>>>>>>>>> understand why. I only imported the server certificate, not the others
>>>>>>>>>>>>>> in the chain.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As I don't know how the underlying certificate validation is performed,
>>>>>>>>>>>>>> I don't know if this behaviour is caused by default settings in CXF
>>>>>>>>>>>>>> or another reason.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza <[email protected]> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>>>>>>>>>>>>>>>>> You are using "keyManagers" instead of "trustManagers" in the
>>>>>>>>>>>>>>>>> configuration. "keyManagers" is used when you need to specify a key for
>>>>>>>>>>>>>>>>> client authentication. "trustManagers" is used to verify trust in the
>>>>>>>>>>>>>>>>> server's cert. As you have no "trustManagers" configuration here, I guess
>>>>>>>>>>>>>>>>> it is falling back on the default JVM settings
>>>>>>>>>>>>>>>>> (javax.net.ssl.trustStore)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Sorry, it was a typo. I'm using trustManagers
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>     <sec:trustManagers>
>>>>>>>>>>>>>>>>         <sec:keyStore type="JKS" password="*******"
>>>>>>>>>>>>>>>>             resource="truststore.jks"/>
>>>>>>>>>>>>>>>>     </sec:trustManagers>
>>>>>>>>>>>>>>>>     <sec:cipherSuitesFilter>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Do you know if JSSE (I guess it's the underlying TLS implementation)
>>>>>>>>>>>>>>>> uses the default JVM truststore for checking certificates?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza <[email protected]> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hello:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Maybe this question is a bit off topic, but I'm trying to understand
>>>>>>>>>>>>>>>>>> why my client works.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL/TLS).
>>>>>>>>>>>>>>>>>> These are my settings:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> <http-conf:conduit name="https://.*">
>>>>>>>>>>>>>>>>>>     <http-conf:tlsClientParameters>
>>>>>>>>>>>>>>>>>>         <sec:keyManagers keyPassword="xxxxxxxx">
>>>>>>>>>>>>>>>>>>             <sec:keyStore type="JKS" password="xxxxxxxx"
>>>>>>>>>>>>>>>>>>                 resource="truststore.jks"/>
>>>>>>>>>>>>>>>>>>         </sec:keyManagers>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I've imported the SSL server certificate into truststore.jks
>>>>>>>>>>>>>>>>>> And it works fine.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> But this certificate is signed by a CA chain (from godaddy.com),
>>>>>>>>>>>>>>>>>> and (I think) I haven't imported any certificate from godaddy.
>>>>>>>>>>>>>>>>>> Why does my client trust the server certificate?
>>>>>>>>>>>>>>>>>> Isn't some Certification Path Validation process performed?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Thanks and regards
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Colm O hEigeartaigh
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Talend Community Coder
>>>>>>>>>>>>>>>>> http://coders.talend.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Sergey Beryozkin
>>>>>>>>>>>>>
>>>>>>>>>>>>> Talend Community Coders
>>>>>>>>>>>>> http://coders.talend.com/
>>>>>>>>>>>>>
>>>>>>>>>>>>> Blog: http://sberyozkin.blogspot.com
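Colm's two questions, as an added example that is not code from the thread or from CXF: the program below builds two single-certificate truststores in memory and asks the JSSE PKIX trust manager to check the same chain once with the server certificate as the only trust anchor (mode a) and once with only its issuing CA (mode b); the file names server.pem and ca.pem and the class name are assumptions. The thread reports that a certificate outside its validity period passes in mode a) and is rejected in mode b), and this is the check that shows which answer a given truststore gives before a handshake does.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// Asks the JSSE PKIX trust manager the thread's two questions with two in-memory
// truststores: a) the server certificate itself as the only trust anchor (direct
// trust) and b) only the issuing CA as trust anchor (chain validation).
public class TruststoreModes {

    static X509Certificate loadPem(String path) throws Exception {
        try (FileInputStream in = new FileInputStream(path)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Builds a trust manager whose truststore holds exactly one trusted certificate.
    static X509TrustManager trustManagerFor(X509Certificate anchor) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // empty, in-memory store
        ks.setCertificateEntry("anchor", anchor);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager from PKIX factory");
    }

    // Runs the same check the TLS handshake runs and reports the outcome instead of failing.
    static String check(String mode, X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "RSA");
            return mode + ": trusted (no exception)";
        } catch (CertificateException e) {
            return mode + ": rejected -> " + e;    // message and causes name the reason (validity, unknown issuer, ...)
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate server = loadPem("server.pem");   // assumed file names
        X509Certificate ca = loadPem("ca.pem");
        X509Certificate[] chain = { server, ca };
        System.out.println(check("a) direct trust", trustManagerFor(server), chain));
        System.out.println(check("b) CA trust", trustManagerFor(ca), chain));
    }
}
```

Compile with javac and run with both PEM files in the working directory; a certificate whose NotBefore lies in the future reproduces the thread's CertificateNotYetValidException in mode b) only.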
