Posted to httpclient-users@hc.apache.org by Bernd <ec...@zusammenkunft.net> on 2016/03/21 14:21:21 UTC

TrustStrategy - is chain[0] always the server certificate in the chain?

Hello,

I am writing a TrustStrategy which is processing http.spki-pinning. I have
one strategy instance per fingerprint (and use it only for one host).

The isTrusted(chain, authType) method will return a CertificateException
when the PIN is wrong, and it will "return false" when the pin is correct
(deferring all other checks to the system trust manager).

I wonder now, is it guaranteed that chain[0] contains the server certificate
which is actually used for the handshake? The Javadoc only says "peer
certificate chain" with no further description of what can be depended upon.

In my special case the TrustStrategy is also executed before the
TrustManager, does this mean I do need to do some more checks to make sure
I actually verify the server certificate and not intermediate or excessive
certificates?

Using httpclient:4.5

like this:

import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;

HttpClientBuilder builder = HttpClients.custom();
builder.disableCookieManagement();
builder.disableAuthCaching();
builder.disableRedirectHandling();
// PinnedCertTrust is my own TrustStrategy; "e93.." is the (truncated) fingerprint it pins
TrustStrategy pinnedCertTrust = new PinnedCertTrust("e93..");
SSLContext sslcontext = SSLContexts.custom()
        .useProtocol("TLSv1.2")
        .loadTrustMaterial(pinnedCertTrust)
        .build();
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
        sslcontext, new String[] { "TLSv1.2" }, null,
        SSLConnectionSocketFactory.getDefaultHostnameVerifier());
builder.setSSLSocketFactory(sslsf);
CloseableHttpClient client = builder.build();


Regards
Bernd
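An added example of such a pinning strategy (not code from this thread; the class name, the hex pin format and the use of httpcore 4.4's org.apache.http.ssl.TrustStrategy are assumptions). TLS 1.2 (RFC 5246, section 7.4.2) requires the server's own certificate to come first in the Certificate message, so chain[0] is the end-entity certificate in a conforming handshake; the extra issuer check below fails closed if that order is not respected, so the pin is never compared against an intermediate.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.apache.http.ssl.TrustStrategy;

/** SPKI pin check: throws on a wrong pin, returns false (defer to the default trust manager) on a match. */
public final class PinnedSpkiTrustStrategy implements TrustStrategy {
    private final byte[] expectedSpkiSha256; // 32 bytes decoded from the hex pin (assumed format)
    public PinnedSpkiTrustStrategy(String spkiSha256Hex) {
        this.expectedSpkiSha256 = hexToBytes(spkiSha256Hex);
        if (expectedSpkiSha256.length != 32) {
            throw new IllegalArgumentException("pin must be the 64-hex-digit SHA-256 of the SPKI");
        }
    }
    @Override
    public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
        X509Certificate leaf = chain[0];
        // Fail closed if chain[0] issued another chain element: it would then be an intermediate,
        // not the end-entity certificate, and the pin would be compared against the wrong key.
        for (int i = 1; i < chain.length; i++) {
            if (chain[i].getIssuerX500Principal().equals(leaf.getSubjectX500Principal())) {
                throw new CertificateException("chain[0] is not the end-entity certificate");
            }
        }
        if (!MessageDigest.isEqual(spkiSha256(leaf), expectedSpkiSha256)) {
            throw new CertificateException("SPKI pin mismatch for " + leaf.getSubjectX500Principal());
        }
        return false; // pin matched: the default trust manager still does path validation, expiry etc.
    }
    /** SHA-256 over the DER SubjectPublicKeyInfo (what PublicKey.getEncoded() returns for X.509 keys). */
    static byte[] spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("SHA-256 unavailable", e);
        }
    }

    private static byte[] hexToBytes(String hex) {
        String h = hex.replace(":", "").toLowerCase();
        byte[] out = new byte[h.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(h.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Because the strategy returns false rather than true on a match, the JSSE trust manager still performs chain building, expiry and name checks afterwards, and the hostname verifier configured on the socket factory runs independently of this class.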

Re: TrustStrategy - is chain[0] always the server certificate in the chain?

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Mon, 2016-03-21 at 14:21 +0100, Bernd wrote:
> Hello,
> 
> I am writing a TrustStrategy which is processing http.spki-pinning. I have
> one strategy instance per fingerprint (and use it only for one host).
> 
> The isTrusted(chain, authType) method will return a CertificateException
> when the PIN is wrong, and it will "return false" when the pin is correct
> (deferring all other checks to the system trust manager).
> 
> I wonder now, is it guaranteed that chain[0] contains the server certificate
> which is actually used for the handshake? The Javadoc only says "peer
> certificate chain" with no further description of what can be depended upon.
> 

Bernd

I am afraid this is the wrong place to seek an authoritative answer to
this question. I believe that the first cert in the chain is the one
that uniquely identifies the peer in SSL handshake, but it is merely an
assumption.

Oleg

> In my special case the TrustStrategy is also executed before the
> TrustManager, does this mean I do need to do some more checks to make sure
> I actually verify the server certificate and not intermediate or excessive
> certificates?
> 
> Using httpclient:4.5
> 
> like this:
> 
> HttpClientBuilder builder = HttpClients.custom();
> builder.disableCookieManagement();
> builder.disableAuthCaching();
> builder.disableRedirectHandling();
> TrustStrategy pinnedCertTrust = new PinnedCertTrust("e93..");
> SSLContext sslcontext =
> SSLContexts.custom().useProtocol("TLSv1.2").loadTrustMaterial(pinnedCertTrust).build();
> SSLConnectionSocketFactory sslsf = new
> SSLConnectionSocketFactory(sslcontext, new String[] { "TLSv1.2" }, null,
> SSLConnectionSocketFactory.getDefaultHostnameVerifier());
> builder.setSSLSocketFactory(sslsf);
> CloseableHttpClient client = builder.build();
> 
> 
> Regards
> Bernd



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org