If you need to verify the CN, then you may want to look at the
BouncyCastle (http://www.bouncycastle.org) library to extract the CN
field from the X509Certificate (which you can pull from the SSLSession).
You would also limit the trusted root CAs that your application will
allow.
Shaun Senecal wrote:
It looks like MINA should be exposing a way to add a
HandshakeCompletedListener to the SSLSocket. Using an extended TrustManager
gives you no way of getting access to the underlying socket (that I can
see), so you cannot verify the host since you do not know where the client
was connecting to.
I checked on the Sun JSSE forums, and it looks like this is the expected way
to implement this behaviour
(http://forums.sun.com/thread.jspa?threadID=5396352). Does anyone know of a
way that this can be implemented in MINA 1.1.7?
On Wed, Jul 8, 2009 at 7:35 PM, Shaun Senecal <[email protected]> wrote:
Ya, I considered doing this as well, but I thought there had to be a
"default" way of doing this. It seems like this is something that every
X509TrustManager would want to do. Not sure why Sun's implementation
wouldn't do it.
On Wed, Jul 8, 2009 at 6:18 PM, Viktor Balazs <[email protected]> wrote:
Hi,
I'm using my own implementation of the X509TrustManager interface.
When I create a new SSLContext for Mina's SslFilter I can use my trust
manager:
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import org.apache.mina.filter.ssl.SslFilter; // MINA 2.x package for SslFilter

public SslFilter createClientFilter() throws Exception {
    SSLContext sslContext = SSLContext.getInstance("TLS");
    // no KeyManagers (the client does not authenticate itself), our own
    // trust manager, and the default SecureRandom
    sslContext.init(null, new TrustManager[] { new MyTrustManagerImpl() }, null);
    SslFilter result = new SslFilter(sslContext);
    result.setUseClientMode(true); // this side initiates the handshake
    return result;
}
2009/7/8 Shaun Senecal <[email protected]>:
I am using MINA 1.1.7 to implement a custom service using TLS and a custom
protocol. I have everything working in that communication is encrypted,
however, there doesn't seem to be any host name verification. I.e., the URL I
am using to connect to the server does NOT match the CN of the certificate
that the server returns and no exception is thrown. Is there a way to
enable this verification? Is this something I need to implement myself?
It looks like JSSE does not provide this functionality at the SSL level, but
provides it at the HttpsURLConnection level. I guess this means I need to
implement it myself, but I don't see where I can inject this verification
code since I need access to the server certificate as well as the URL. Any
ideas?
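As an added example (not from this thread, and not MINA's or JSSE's own code), one way to get the host name check into the client-side X509TrustManager that Viktor and Shaun discuss: the client already knows which host it is connecting to, so that name can be handed to the trust manager when the SslFilter is built, and the trust manager checks it against the server certificate after the normal chain validation. The class name and the expected-host constructor argument are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Validates the chain with the JRE's default trust manager, then checks that the
 *  server certificate names the host this client set out to reach (assumed class). */
public class HostnameCheckingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    private final String expectedHost; // the client knows this before it connects

    public HostnameCheckingTrustManager(String expectedHost) throws Exception {
        this.expectedHost = expectedHost.toLowerCase();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the JRE's default trusted root CAs
        this.delegate = (X509TrustManager) tmf.getTrustManagers()[0];
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType); // signature chain, validity period, trusted root
        if (!matchesHost(chain[0])) // chain[0] is the end-entity (server) certificate
            throw new CertificateException("certificate does not match expected host " + expectedHost);
    }
    /** Prefer dNSName subjectAltName entries; fall back to the subject CN only when there are none. */
    private boolean matchesHost(X509Certificate cert) throws CertificateException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // each entry = [type, value]
        if (sans != null) {
            for (List<?> san : sans)
                if (Integer.valueOf(2).equals(san.get(0)) && matches((String) san.get(1))) return true; // 2 = dNSName
            return false; // SANs present but none matched: the CN is not consulted (RFC 6125)
        }
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
                if ("CN".equalsIgnoreCase(rdn.getType()) && matches(rdn.getValue().toString())) return true;
        } catch (InvalidNameException e) {
            throw new CertificateException(e);
        }
        return false;
    }
    /** Exact match, or a single-label wildcard such as *.example.com. */
    private boolean matches(String name) {
        name = name.toLowerCase();
        if (!name.startsWith("*.")) return expectedHost.equals(name);
        int dot = expectedHost.indexOf('.');
        return dot > 0 && expectedHost.substring(dot + 1).equals(name.substring(2));
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { delegate.checkClientTrusted(chain, authType); }
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

It slots into the createClientFilter() shown above as new TrustManager[] { new HostnameCheckingTrustManager("server.example.com") }. On Java 7 and later JSSE can also perform this check itself when setEndpointIdentificationAlgorithm("HTTPS") is set on the SSLEngine's SSLParameters, provided the framework gives you access to the engine.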