> I wonder if it's possible to disable time checking in b) mode

It's not possible, at least without doing a good bit of custom work.

Colm.

On Mon, Mar 2, 2015 at 3:32 PM, Jose María Zaragoza <[email protected]> wrote:

> 2015-02-27 14:58 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> > Why not write a test-case for this scenario?
>
> Done.
>
> In b) mode (i.e., only the issuer of the server certificate is stored in the truststore), when the server certificate is expired, then the client request throws an exception like:
>
> Caused by: javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateNotYetValidException:
> NotBefore: Mon Mar 02 13:21:48 CET 2015
>
> In a) mode (i.e., the server certificate is stored in the truststore), when the server certificate is expired, then the client request doesn't throw any exception.
>
> I wonder if it's possible to disable time checking in b) mode
>
> Thanks
>
> > Colm.
> >
> > On Fri, Feb 27, 2015 at 1:35 PM, Jose María Zaragoza <[email protected]> wrote:
> >
> >> 2015-02-27 12:22 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> >> But, what is a CA certificate chain for? I would like to not have to verify the trustability of a certificate manually before importing it.
> >> >
> >> > When you need to verify trust in a certificate, CXF essentially asks your truststore two questions:
> >> >
> >> > a) Is this certificate stored in the truststore (direct trust)
> >> > b) Is the issuer of this certificate stored in the truststore, and is the cert chain correct, etc.
> >>
> >> Sorry (again), but one more question:
> >>
> >> what if I store the trusted CA certificates (i.e., b mode) but the server certificate has expired?
> >>
> >> In a) mode, I know that it is deemed to be trusted, but I'm not sure in b) mode
> >>
> >> Thanks
> >>
> >> > Obviously directly storing certificates in the truststore does not scale. It might be useful for some scenarios though. The normal way of doing things is to just store your trusted CA certs in there.
> >> >
> >> > Colm.
> >> >
> >> > On Fri, Feb 27, 2015 at 10:47 AM, Jose María Zaragoza <[email protected]> wrote:
> >> >
> >> >> 2015-02-27 11:28 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> >> > What is the concept of a "truststore" other than a collection of trusted certificates? If you don't trust the certificate then don't put it in there... :-)
> >> >>
> >> >> Yes, it's true. :-)
> >> >> But, what is a CA certificate chain for? I would like to not have to verify the trustability of a certificate manually before importing it.
> >> >>
> >> >> Regards
> >> >>
> >> >> > Colm.
> >> >> >
> >> >> > On Fri, Feb 27, 2015 at 10:22 AM, Jose María Zaragoza <[email protected]> wrote:
> >> >> >
> >> >> >> 2015-02-27 11:06 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> >> >> > No, if the certificate itself is in the truststore then it is deemed to be trusted - the CA certificate does not need to be in there as well.
> >> >> >> >
> >> >> >> > Colm.
> >> >> >>
> >> >> >> Thanks.
> >> >> >> Is this the standard behaviour in JSSE?
> >> >> >> I think that all CAs in the chain should be validated, to be sure the certificate is signed by a trusted CA
> >> >> >>
> >> >> >> > On Fri, Feb 27, 2015 at 7:37 AM, Jose María Zaragoza <[email protected]> wrote:
> >> >> >> >
> >> >> >> >> 2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> >> >> >> > I did a quick test using CXF's WebClient doing a "GET" on https://www.google.com. It works fine when you don't specify any TLSClientParameters as expected, as it picks up the default cacerts. However, when I added the following it fails (also as expected):
> >> >> >> >> >
> >> >> >> >> > <http:conduit name="https://.*">
> >> >> >> >> >     <http:tlsClientParameters disableCNCheck="true">
> >> >> >> >> >         <sec:trustManagers>
> >> >> >> >> >             <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
> >> >> >> >> >         </sec:trustManagers>
> >> >> >> >> >     </http:tlsClientParameters>
> >> >> >> >> > </http:conduit>
> >> >> >> >> >
> >> >> >> >> > Colm.
> >> >> >> >>
> >> >> >> >> OK. That's right.
> >> >> >> >> But, if you import the Google certificate into clientstore.jks but you don't import its CA certificate (GeoTrust CA, in this case), should it fail? This is my question
> >> >> >> >> I don't know what validation path JSSE follows
> >> >> >> >>
> >> >> >> >> Regards
> >> >> >> >>
> >> >> >> >> > On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <[email protected]> wrote:
> >> >> >> >> >
> >> >> >> >> >> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <[email protected]>:
> >> >> >> >> >> > What I meant is that you do use a self signed cert to sign a previously generated certificate but do not import this self signed cert into the truststore which would emulate the same situation you have now without having to provide a test where well known providers sign a given server certificate.
> >> >> >> >> >>
> >> >> >> >> >> OK
> >> >> >> >> >> I'll try it
> >> >> >> >> >>
> >> >> >> >> >> Thanks
> >> >> >> >> >>
> >> >> >> >> >> > Sergey
> >> >> >> >> >> >
> >> >> >> >> >> > On 26/02/15 18:51, Jose María Zaragoza wrote:
> >> >> >> >> >> >>
> >> >> >> >> >> >> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <[email protected]>:
> >> >> >> >> >> >>>
> >> >> >> >> >> >>> Hi
> >> >> >> >> >> >>>
> >> >> >> >> >> >>> I guess this is what Colm is implying, that the actual problem is that it does work.
> >> >> >> >> >> >>> Can it be reproduced by a given server certificate with a self-signed certificate validating it?
> >> >> >> >> >> >>
> >> >> >> >> >> >> Well, I don't have a testcase right now. I'll try to reproduce it.
> >> >> >> >> >> >>
> >> >> >> >> >> >> With a self signed certificate, the behaviour is also the same
> >> >> >> >> >> >> But that makes sense (for me), because your CA is yourself, so you could trust it (if the certificate is imported into your keystore)
> >> >> >> >> >> >>
> >> >> >> >> >> >> Regards
> >> >> >> >> >> >>
> >> >> >> >> >> >>> Cheers, Sergey
> >> >> >> >> >> >>>
> >> >> >> >> >> >>> On 26/02/15 16:55, Jose María Zaragoza wrote:
> >> >> >> >> >> >>>>
> >> >> >> >> >> >>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> >> >> >> >> >>>>>
> >> >> >> >> >> >>>>> It does, but only if no truststore has been configured in CXF. Do you have a test-case that reproduces this problem?
> >> >> >> >> >> >>>>
> >> >> >> >> >> >>>> Thanks, not really
> >> >> >> >> >> >>>> Indeed, it's not a problem because my client works fine, but I cannot understand why. I only imported the server certificate, not the others in the chain
> >> >> >> >> >> >>>>
> >> >> >> >> >> >>>> As I don't know how the underlying certificate validation is performed, I don't know if this behaviour is caused by default settings in CXF or another reason.
> >> >> >> >> >> >>>>
> >> >> >> >> >> >>>> Regards
> >> >> >> >> >> >>>>
> >> >> >> >> >> >>>>> Colm.
> >> >> >> >> >> >>>>>
> >> >> >> >> >> >>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza <[email protected]> wrote:
> >> >> >> >> >> >>>>>>
> >> >> >> >> >> >>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> >> >> >> >> >>>>>>>
> >> >> >> >> >> >>>>>>> You are using "keyManagers" instead of "trustManagers" in the configuration. "keyManagers" is used when you need to specify a key for client authentication. "trustManagers" is used to verify trust in the server's cert. As you have no "trustManagers" configuration here, I guess it is falling back on the default JVM settings (javax.net.ssl.trustStore)
> >> >> >> >> >> >>>>>>
> >> >> >> >> >> >>>>>> Sorry, it was a typo. I'm using trustManagers
> >> >> >> >> >> >>>>>>
> >> >> >> >> >> >>>>>> <sec:trustManagers>
> >> >> >> >> >> >>>>>>     <sec:keyStore type="JKS" password="*******" resource="truststore.jks"/>
> >> >> >> >> >> >>>>>> </sec:trustManagers>
> >> >> >> >> >> >>>>>> <sec:cipherSuitesFilter>
> >> >> >> >> >> >>>>>>
> >> >> >> >> >> >>>>>> Do you know if JSSE (I guess it's the underlying TLS implementation) uses the default JVM truststore for checking certificates?
> >> >> >> >> >> >>>>>>
> >> >> >> >> >> >>>>>> Thanks
> >> >> >> >> >> >>>>>>
> >> >> >> >> >> >>>>>>> Colm.
> >> >> >> >> >> >>>>>>>
> >> >> >> >> >> >>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza <[email protected]> wrote:
> >> >> >> >> >> >>>>>>>
> >> >> >> >> >> >>>>>>>> Hello:
> >> >> >> >> >> >>>>>>>>
> >> >> >> >> >> >>>>>>>> Maybe this question is a bit off topic, but I am trying to understand why my client works.
> >> >> >> >> >> >>>>>>>>
> >> >> >> >> >> >>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL/TLS)
> >> >> >> >> >> >>>>>>>> These are my settings:
> >> >> >> >> >> >>>>>>>>
> >> >> >> >> >> >>>>>>>> <http-conf:conduit name="https://.*">
> >> >> >> >> >> >>>>>>>>     <http-conf:tlsClientParameters>
> >> >> >> >> >> >>>>>>>>         <sec:keyManagers keyPassword="xxxxxxxx">
> >> >> >> >> >> >>>>>>>>             <sec:keyStore type="JKS" password="xxxxxxxx" resource="truststore.jks"/>
> >> >> >> >> >> >>>>>>>>         </sec:keyManagers>
> >> >> >> >> >> >>>>>>>>
> >> >> >> >> >> >>>>>>>> I've imported the SSL server certificate into truststore.jks
> >> >> >> >> >> >>>>>>>> And it works fine.
> >> >> >> >> >> >>>>>>>>
> >> >> >> >> >> >>>>>>>> But this certificate is signed by a CA chain (from godaddy.com), and (I think) I haven't imported any certificate from godaddy
> >> >> >> >> >> >>>>>>>> Why does my client trust the server certificate?
> >> >> >> >> >> >>>>>>>> Isn't some Certification Path Validation process performed?
> >> >> >> >> >> >>>>>>>>
> >> >> >> >> >> >>>>>>>> Thanks and regards
> >> >> >> >> >> >>>>>>>
> >> >> >> >> >> >>>>>>> --
> >> >> >> >> >> >>>>>>> Colm O hEigeartaigh
> >> >> >> >> >> >>>>>>>
> >> >> >> >> >> >>>>>>> Talend Community Coder
> >> >> >> >> >> >>>>>>> http://coders.talend.com
> >> >> >> >> >> >>>
> >> >> >> >> >> >>> --
> >> >> >> >> >> >>> Sergey Beryozkin
> >> >> >> >> >> >>>
> >> >> >> >> >> >>> Talend Community Coders
> >> >> >> >> >> >>> http://coders.talend.com/
> >> >> >> >> >> >>>
> >> >> >> >> >> >>> Blog: http://sberyozkin.blogspot.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
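As an added illustration (not code from the thread, from CXF or from JSSE), the following Java program audits a truststore against a server's certificate chain along the lines of the two questions Colm describes: it reports "direct" when the leaf certificate itself is a trust anchor (the a) mode, where JSSE accepts the leaf without checking its validity period) and "chain" when only a CA in the truststore validates the path via PKIX (the b) mode, where validity dates are enforced), and it warns when a directly trusted leaf has already expired or is not yet valid. The truststore is assumed to be JKS and the chain a PEM file; file paths and the password are command-line arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class TrustAudit {
    // Classifies how a server chain would be trusted against the truststore:
    // "direct" (leaf is itself a trust anchor), "chain" (a CA in the truststore
    // validates the path), or "untrusted".
    static String classify(KeyStore truststore, List<X509Certificate> chain) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = truststore.aliases(); e.hasMoreElements();) {
            Certificate c = truststore.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) anchors.add(new TrustAnchor((X509Certificate) c, null));
        }
        X509Certificate leaf = chain.get(0);
        for (TrustAnchor a : anchors) {
            if (a.getTrustedCert().equals(leaf)) {
                // Mode a): a trust anchor is accepted as-is, so its validity period is
                // not checked during the handshake. Flag it here so an audit sees it.
                try { leaf.checkValidity(); } catch (CertificateException ex) {
                    System.out.println("WARNING: directly trusted leaf fails validity check: " + ex);
                }
                return "direct";
            }
        }
        // Mode b): PKIX path validation, which enforces validity dates, signatures
        // and basic constraints. Anchors are dropped from the path, since RFC 5280
        // validation excludes the trust anchor itself.
        List<X509Certificate> path = new ArrayList<>(chain);
        path.removeIf(c -> anchors.stream().anyMatch(a -> a.getTrustedCert().equals(c)));
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline example: no CRL/OCSP fetching
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return "chain";
        } catch (CertPathValidatorException ex) {
            System.out.println("Path validation failed (" + ex.getReason() + "): " + ex.getMessage());
            return "untrusted";
        }
    }

    // Usage (assumed file names): java TrustAudit truststore.jks <password> server-chain.pem
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) { ts.load(in, args[1].toCharArray()); }
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[2])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                chain.add((X509Certificate) c);
        }
        System.out.println(classify(ts, chain));
    }
}
```

Running this against a truststore that holds leaf certificates rather than CA certificates surfaces exactly the case from the thread: an expired or not-yet-valid server certificate that a) mode would still accept.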
