Posted to users@cxf.apache.org by Jose María Zaragoza <de...@gmail.com> on 2015/02/26 12:32:45 UTC

Check SSL server certificate

Hello:

Maybe this question is a bit off topic, but I am trying to understand why my
client works.

I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL /TLS)
These are my settings:

<http-conf:conduit name="https://.*">
  <http-conf:tlsClientParameters>
  <sec:keyManagers keyPassword="xxxxxxxx">
        <sec:keyStore type="JKS" password="xxxxxxxx" resource="truststore.jks"/>
   </sec:keyManagers>

I've imported the SSL server certificate into truststore.jks
And it works fine.

But this certificate is signed by a CA chain (from .godaddy.com),
and (I think) I have not imported any certificate from godaddy
Why does my client trust the server certificate?
Is no Certification Path Validation process performed?

Thanks and regards

Re: Check SSL server certificate

Posted by Colm O hEigeartaigh <co...@apache.org>.
> I wonder if it's possible to disable time checking in b) mode

It's not possible, at least without doing a good bit of custom work.

Colm.

On Mon, Mar 2, 2015 at 3:32 PM, Jose María Zaragoza <de...@gmail.com> wrote:

> 2015-02-27 14:58 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>> Why not write a test-case for this scenario?
>
> Done.
>
> In b) mode (i.e., only the issuer of the server certificate is stored in the truststore), when the server certificate is expired, then the client request throws an exception like:
>
> Caused by: javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateNotYetValidException:
> NotBefore: Mon Mar 02 13:21:48 CET 2015
>
> In a) mode (i.e., the server certificate is stored in the truststore), when the server certificate is expired, then the client request doesn't throw any exception.
>
> I wonder if it's possible to disable time checking in b) mode
>
> Thanks
>
>> Colm.
>>
>> On Fri, Feb 27, 2015 at 1:35 PM, Jose María Zaragoza <demablogia@gmail.com> wrote:
>>
>>> 2015-02-27 12:22 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>>>>> But, what is a CA certificate chain for? I would like not to have to verify the trustability of a certificate manually before importing it.
>>>>
>>>> When you need to verify trust in a certificate, CXF essentially asks your truststore two questions:
>>>>
>>>> a) Is this certificate stored in the truststore (direct trust)
>>>> b) Is the issuer of this certificate stored in the truststore, and is the cert chain correct, etc.
>>>
>>> Sorry (again), but one more question:
>>>
>>> What if I store the trusted CA certificates (i.e., b mode) but the server certificate has expired?
>>>
>>> In a) mode, I know that it is deemed to be trusted, but I'm not sure in b) mode
>>>
>>> Thanks
>>>
>>>> Obviously directly storing certificates in the truststore does not scale. It might be useful for some scenarios though. The normal way of doing things is to just store your trusted CA certs in there.
>>>>
>>>> Colm.
>>>>
>>>> On Fri, Feb 27, 2015 at 10:47 AM, Jose María Zaragoza <demablogia@gmail.com> wrote:
>>>>
>>>>> 2015-02-27 11:28 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>>>>>> What is the concept of a "truststore" other than a collection of trusted certificates? If you don't trust the certificate then don't put it in there... :-)
>>>>>
>>>>> Yes, it's true. :-)
>>>>> But, what is a CA certificate chain for? I would like not to have to verify the trustability of a certificate manually before importing it.
>>>>>
>>>>> Regards
>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Fri, Feb 27, 2015 at 10:22 AM, Jose María Zaragoza <demablogia@gmail.com> wrote:
>>>>>>
>>>>>>> 2015-02-27 11:06 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org>:
>>>>>>>> No, if the certificate itself is in the truststore then it is deemed to be trusted - the CA certificate does not need to be in there as well.
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>
>>>>>>> Thanks.
>>>>>>> Is this the standard behaviour in JSSE?
>>>>>>> I think that all CAs in the chain should be validated, to be sure the certificate is signed by a trusted CA
>>>>>>>
>>>>>>>> On Fri, Feb 27, 2015 at 7:37 AM, Jose María Zaragoza <demablogia@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> 2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org>:
>>>>>>>>>> I did a quick test using CXF's WebClient doing a "GET" on https://www.google.com. It works fine when you don't specify any TLSClientParameters as expected, as it picks up the default cacerts. However, when I added the following it fails (also as expected):
>>>>>>>>>>
>>>>>>>>>> <http:conduit name="https://.*">
>>>>>>>>>>   <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>>     <sec:trustManagers>
>>>>>>>>>>       <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
>>>>>>>>>>     </sec:trustManagers>
>>>>>>>>>>   </http:tlsClientParameters>
>>>>>>>>>> </http:conduit>
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>
>>>>>>>>> OK. That's right.
>>>>>>>>> But, if you import the Google certificate into clientstore.jks but you don't import its CA certificate (GeoTrust CA, in this case), should it fail? This is my question
>>>>>>>>> I don't know what validation path JSSE follows
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>>> On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <demablogia@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <sberyozkin@gmail.com>:
>>>>>>>>>>>> What I meant is that you do use a self signed cert to sign a previously generated certificate but do not import this self signed cert into the truststore, which would emulate the same situation you have now without having to provide a test where well known providers sign a given server certificate.
>>>>>>>>>>>
>>>>>>>>>>> OK
>>>>>>>>>>> I'll try it
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>>
>>>>>>>>>>>> Sergey
>>>>>>>>>>>>
>>>>>>>>>>>> On 26/02/15 18:51, Jose María Zaragoza wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <sberyozkin@gmail.com>:
>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I guess this is what Colm is implying, that the actual problem is that it does work.
>>>>>>>>>>>>>> Can it be reproduced by a given server certificate with a self-signed certificate validating it?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Well, I don't have a testcase right now. I'll try to reproduce it.
>>>>>>>>>>>>>
>>>>>>>>>>>>> With a self signed certificate, the behaviour is also the same
>>>>>>>>>>>>> But that makes sense (for me), because your CA is yourself, so you could trust it (if the certificate is imported into your keystore)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Cheers, Sergey
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 26/02/15 16:55, Jose María Zaragoza wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org>:
>>>>>>>>>>>>>>>> It does, but only if no truststore has been configured in CXF. Do you have a test-case that reproduces this problem?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks, not really
>>>>>>>>>>>>>>> Indeed, it's not a problem because my client works fine, but I cannot understand why. I only imported the server certificate, not the others in the chain
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> As I don't know how the underlying certificate validation is performed, I don't know if this behaviour is caused by default settings in CXF or another reason.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza <de...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org>:
>>>>>>>>>>>>>>>>>> You are using "keyManagers" instead of "trustManagers" in the configuration. "keyManagers" is used when you need to specify a key for client authentication. "trustManagers" is used to verify trust in the server's cert. As you have no "trustManagers" configuration here, I guess it is falling back on the default JVM settings (javax.net.ssl.trustStore)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Sorry, it was a typo. I'm using trustManagers
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> <sec:trustManagers>
>>>>>>>>>>>>>>>>>     <sec:keyStore type="JKS" password="*******" resource="truststore.jks"/>
>>>>>>>>>>>>>>>>> </sec:trustManagers>
>>>>>>>>>>>>>>>>> <sec:cipherSuitesFilter>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Do you know if JSSE (I guess it's the underlying TLS implementation) uses the default JVM truststore for checking certificates?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza <de...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hello:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Maybe this question is a bit off topic, but I am trying to understand why my client works.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL/TLS)
>>>>>>>>>>>>>>>>>>> These are my settings:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> <http-conf:conduit name="https://.*">
>>>>>>>>>>>>>>>>>>>   <http-conf:tlsClientParameters>
>>>>>>>>>>>>>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
>>>>>>>>>>>>>>>>>>>       <sec:keyStore type="JKS" password="xxxxxxxx" resource="truststore.jks"/>
>>>>>>>>>>>>>>>>>>>     </sec:keyManagers>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I've imported the SSL server certificate into truststore.jks
>>>>>>>>>>>>>>>>>>> And it works fine.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> But this certificate is signed by a CA chain (from .godaddy.com), and (I think) I have not imported any certificate from godaddy
>>>>>>>>>>>>>>>>>>> Why does my client trust the server certificate?
>>>>>>>>>>>>>>>>>>> Is no Certification Path Validation process performed?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Thanks and regards
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Sergey Beryozkin
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Talend Community Coders
>>>>>>>>>>>>>> http://coders.talend.com/
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Blog: http://sberyozkin.blogspot.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
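
The two questions Colm describes in the quoted thread (a: is the leaf itself in the truststore; b: is its issuer there and is the chain valid), and the difference Jose measured for an out-of-date server certificate, can be reproduced without a network or a CXF deployment by asking the JDK's own PKIX X509TrustManager, which is what a CXF client ends up calling once sec:trustManagers points at a truststore. The program below is an added example; it is not code from this thread, from CXF or from the JDK. It assumes the BouncyCastle bcprov and bcpkix jars are on the classpath (used only to mint a throwaway CA and two server certificates, since the JDK has no public API for issuing X.509 certificates); the class name TrustModeCheck and the helpers issue, truststoreWith, mode and verdict are names I chose. It builds a one-entry truststore holding either the leaf (mode a) or the CA (mode b), reports which question the truststore answers, and then runs checkServerTrusted on the same chain an HTTPS handshake would present.

```java
// TrustModeCheck.java: added example (not from the thread, CXF or the JDK).
// Assumption: BouncyCastle bcprov + bcpkix on the classpath, used only to
// mint test certificates. All class and method names here are my own.
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class TrustModeCheck {

    private static final long DAY_MS = 24L * 60 * 60 * 1000;
    private static final SecureRandom RNG = new SecureRandom();

    /** Mints a SHA256withRSA certificate; ca=true marks it as a CA via BasicConstraints. */
    static X509Certificate issue(String subject, PublicKey subjectKey, String issuer,
                                 PrivateKey issuerKey, boolean ca,
                                 Date notBefore, Date notAfter) throws Exception {
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                new X500Name(issuer), new BigInteger(63, RNG), notBefore, notAfter,
                new X500Name(subject), subjectKey);
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(ca));
        return new JcaX509CertificateConverter().getCertificate(
                builder.build(new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey)));
    }

    /** An in-memory truststore holding exactly one trusted certificate. */
    static KeyStore truststoreWith(X509Certificate trusted) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        ts.setCertificateEntry("anchor", trusted);
        return ts;
    }

    /** Which of the two questions does this truststore answer for the chain? */
    static String mode(KeyStore ts, X509Certificate[] chain) throws Exception {
        if (ts.getCertificateAlias(chain[0]) != null) {
            return "a) leaf itself is trusted";
        }
        for (int i = 1; i < chain.length; i++) {
            if (ts.getCertificateAlias(chain[i]) != null) {
                return "b) issuer at depth " + i + " is trusted";
            }
        }
        return "neither (untrusted)";
    }

    /** Runs the PKIX trust manager the way an HTTPS client's handshake would. */
    static String verdict(KeyStore ts, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ts);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            // This overload validates the chain only; hostname checking is a separate step.
            tm.checkServerTrusted(chain, "RSA");
            return "ACCEPTED";
        } catch (CertificateException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair caKey = kpg.generateKeyPair();
        KeyPair serverKey = kpg.generateKeyPair();
        Date now = new Date();

        // Constructed test PKI: a self-signed CA plus two leaf certificates it
        // issued for one key, one currently valid and one that expired yesterday.
        X509Certificate ca = issue("CN=Test CA", caKey.getPublic(), "CN=Test CA",
                caKey.getPrivate(), true,
                new Date(now.getTime() - 365 * DAY_MS), new Date(now.getTime() + 365 * DAY_MS));
        X509Certificate valid = issue("CN=localhost", serverKey.getPublic(), "CN=Test CA",
                caKey.getPrivate(), false,
                new Date(now.getTime() - DAY_MS), new Date(now.getTime() + 30 * DAY_MS));
        X509Certificate expired = issue("CN=localhost", serverKey.getPublic(), "CN=Test CA",
                caKey.getPrivate(), false,
                new Date(now.getTime() - 30 * DAY_MS), new Date(now.getTime() - DAY_MS));

        for (X509Certificate[] chain : new X509Certificate[][] { { valid, ca }, { expired, ca } }) {
            String leaf = chain[0] == valid ? "valid leaf  " : "expired leaf";
            for (X509Certificate anchor : new X509Certificate[] { chain[0], ca }) {
                KeyStore ts = truststoreWith(anchor);
                System.out.println(leaf + " | " + mode(ts, chain) + " -> " + verdict(ts, chain));
            }
        }
    }
}
```

What the thread reports, and what you should expect to see on the four lines this prints, is that the expired leaf is ACCEPTED when it is itself the truststore entry (mode a) and REJECTED with a validity error when only the CA is (mode b); the direct-trust shortcut is an implementation detail of the JDK's PKIX validator, not something the TLS or PKIX specifications promise, so run it on the JDK you actually deploy on before relying on either outcome. The practical consequence for the original question is that importing a server's leaf certificate into truststore.jks does not merely skip the GoDaddy chain: it also skips expiry and any other path check, so it behaves like an indefinite public-key pin. If that is not what you want, put only the issuing CA (or the intermediate you actually intend to trust) in the truststore, and leave disableCNCheck at its default of false outside of tests like Colm's, since setting it to true switches off hostname verification on top of whatever the truststore decides.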

Re: Check SSL server certificate

Posted by Jose María Zaragoza <de...@gmail.com>.
2015-02-27 14:58 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
> Why not write a test-case for this scenario?

Done.

In b) mode (i.e., only the issuer of the server certificate is
stored in the truststore), when the server certificate is expired,
then the client request throws an exception like:

Caused by: javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateNotYetValidException:
NotBefore: Mon Mar 02 13:21:48 CET 2015

In a) mode (i.e., the server certificate is stored in the
truststore), when the server certificate is expired, then the client
request doesn't throw any exception.


I wonder if it's possible to disable time checking in b) mode



Thanks





Re: Check SSL server certificate

Posted by Colm O hEigeartaigh <co...@apache.org>.
Why not write a test-case for this scenario?

Colm.

On Fri, Feb 27, 2015 at 1:35 PM, Jose María Zaragoza <de...@gmail.com>
wrote:

> 2015-02-27 12:22 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>>> But, what is a CA certificate chain for? I would like not to have to
>>> verify the trustability of a certificate manually before importing it.
>>
>> When you need to verify trust in a certificate, CXF essentially asks your
>> truststore two questions:
>>
>> a) Is this certificate stored in the truststore (direct trust)
>> b) Is the issuer of this certificate stored in the truststore, and is the
>> cert chain correct, etc.
>
> Sorry (again), but one more question:
>
> What if I store the trusted CA certificates (i.e., b mode) but the
> server certificate has expired?
>
> In a) mode, I know that it is deemed to be trusted, but I'm not sure
> in b) mode
>
> Thanks
> >> >> >> >> >>>>
> >> >> >> >> >>>>
> >> >> >> >> >>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <
> >> >> >> coheigea@apache.org>:
> >> >> >> >> >>>>>
> >> >> >> >> >>>>>
> >> >> >> >> >>>>>
> >> >> >> >> >>>>> It does, but only if no truststore has been configured in
> >> CXF.
> >> >> Do
> >> >> >> you
> >> >> >> >> >>>>> have a
> >> >> >> >> >>>>> test-case that reproduces this problem?
> >> >> >> >> >>>>
> >> >> >> >> >>>>
> >> >> >> >> >>>>
> >> >> >> >> >>>>
> >> >> >> >> >>>> Thanks, not really
> >> >> >> >> >>>> Indeed, it's not a problem because my client works fine ,
> >> but I
> >> >> >> cannot
> >> >> >> >> >>>> understand why. I only imported the server certificate, no
> >> the
> >> >> >> others
> >> >> >> >> >>>> in chain
> >> >> >> >> >>>>
> >> >> >> >> >>>> As I don't know how the underlying certificate validation
> is
> >> >> >> performed
> >> >> >> >> >>>> , I don't know if this behaviour is caused by default
> >> settings
> >> >> in
> >> >> >> CXF
> >> >> >> >> >>>> or another reason.
> >> >> >> >> >>>>
> >> >> >> >> >>>> Regards
> >> >> >> >> >>>>
> >> >> >> >> >>>>
> >> >> >> >> >>>>>
> >> >> >> >> >>>>> Colm.
> >> >> >> >> >>>>>
> >> >> >> >> >>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza
> >> >> >> >> >>>>> <de...@gmail.com>
> >> >> >> >> >>>>> wrote:
> >> >> >> >> >>>>>>
> >> >> >> >> >>>>>>
> >> >> >> >> >>>>>>
> >> >> >> >> >>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <
> >> >> >> coheigea@apache.org
> >> >> >> >> >:
> >> >> >> >> >>>>>>>
> >> >> >> >> >>>>>>>
> >> >> >> >> >>>>>>> You are using "keyManagers" instead of "trustManagers"
> in
> >> the
> >> >> >> >> >>>>>>> configuration. "keyManagers" is used when you need to
> >> >> specify a
> >> >> >> key
> >> >> >> >> >>>>>>> for
> >> >> >> >> >>>>>>> client authentication. "trustManagers" is used to
> verify
> >> >> trust
> >> >> >> in
> >> >> >> >> the
> >> >> >> >> >>>>>>> server's cert. As you have no "trustManagers"
> >> configuration
> >> >> >> here, I
> >> >> >> >> >>>>>>> guess
> >> >> >> >> >>>>>>> it is falling back on the default JVM settings
> >> >> >> >> >>>>>>> (javax.net.ssl.trustStore)
> >> >> >> >> >>>>>>
> >> >> >> >> >>>>>>
> >> >> >> >> >>>>>>
> >> >> >> >> >>>>>> Sorry, it was a typo. I'm using trustManagers
> >> >> >> >> >>>>>>
> >> >> >> >> >>>>>> <sec:trustManagers>
> >> >> >> >> >>>>>>                 <sec:keyStore type="JKS"
> password="*******"
> >> >> >> >> >>>>>> resource="truststore.jks"/>
> >> >> >> >> >>>>>>             </sec:trustManagers>
> >> >> >> >> >>>>>> <sec:cipherSuitesFilter>
> >> >> >> >> >>>>>>
> >> >> >> >> >>>>>> Do you know if JSSE ( I guess it's the underlying TLS
> >> >> >> >> implementation )
> >> >> >> >> >>>>>> uses default JVM truststore for checking certificates ?
> >> >> >> >> >>>>>>
> >> >> >> >> >>>>>> Thanks
> >> >> >> >> >>>>>>
> >> >> >> >> >>>>>>>
> >> >> >> >> >>>>>>> Colm.
> >> >> >> >> >>>>>>>
> >> >> >> >> >>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
> >> >> >> >> >>>>>>> <de...@gmail.com>
> >> >> >> >> >>>>>>> wrote:
> >> >> >> >> >>>>>>>
> >> >> >> >> >>>>>>>> Hello:
> >> >> >> >> >>>>>>>>
> >> >> >> >> >>>>>>>> Maybe this question a bit off topic , but I try to
> >> >> understand
> >> >> >> why
> >> >> >> >> my
> >> >> >> >> >>>>>>>> client works.
> >> >> >> >> >>>>>>>>
> >> >> >> >> >>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS
> (SSL
> >> >> /TLS)
> >> >> >> >> >>>>>>>> This is my settings:
> >> >> >> >> >>>>>>>>
> >> >> >> >> >>>>>>>> <http-conf:conduit name="https://.*">
> >> >> >> >> >>>>>>>>     <http-conf:tlsClientParameters>
> >> >> >> >> >>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
> >> >> >> >> >>>>>>>>           <sec:keyStore type="JKS" password="xxxxxxxx"
> >> >> >> >> >>>>>>>> resource="truststore.jks"/>
> >> >> >> >> >>>>>>>>      </sec:keyManagers>
> >> >> >> >> >>>>>>>>
> >> >> >> >> >>>>>>>> I've imported SSL server certificate into
> truststore.jks
> >> >> >> >> >>>>>>>> And it works fine.
> >> >> >> >> >>>>>>>>
> >> >> >> >> >>>>>>>> But this certificate is signed by a CA chain ( from .
> >> >> >> godaddy.com)
> >> >> >> >> ,
> >> >> >> >> >>>>>>>> and ( I think ) I don't have imported any certificate
> >> from
> >> >> >> godaddy
> >> >> >> >> >>>>>>>> Why does my client trust in the server certificate ?
> >> >> >> >> >>>>>>>> Is not  performed some Certification Path Validation
> >> >> process ?
> >> >> >> >> >>>>>>>>
> >> >> >> >> >>>>>>>> Thanks and regards
> >> >> >> >> >>>>>>>>
> >> >> >> >> >>>>>>>
> >> >> >> >> >>>>>>>
> >> >> >> >> >>>>>>>
> >> >> >> >> >>>>>>> --
> >> >> >> >> >>>>>>> Colm O hEigeartaigh
> >> >> >> >> >>>>>>>
> >> >> >> >> >>>>>>> Talend Community Coder
> >> >> >> >> >>>>>>> http://coders.talend.com
> >> >> >> >> >>>>>
> >> >> >> >> >>>>>
> >> >> >> >> >>>>>
> >> >> >> >> >>>>>
> >> >> >> >> >>>>>
> >> >> >> >> >>>>>
> >> >> >> >> >>>>> --
> >> >> >> >> >>>>> Colm O hEigeartaigh
> >> >> >> >> >>>>>
> >> >> >> >> >>>>> Talend Community Coder
> >> >> >> >> >>>>> http://coders.talend.com
> >> >> >> >> >>>
> >> >> >> >> >>>
> >> >> >> >> >>>
> >> >> >> >> >>>
> >> >> >> >> >>> --
> >> >> >> >> >>> Sergey Beryozkin
> >> >> >> >> >>>
> >> >> >> >> >>> Talend Community Coders
> >> >> >> >> >>> http://coders.talend.com/
> >> >> >> >> >>>
> >> >> >> >> >>> Blog: http://sberyozkin.blogspot.com
> >> >> >> >> >
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >
> >> >> >> >
> >> >> >> >
> >> >> >> > --
> >> >> >> > Colm O hEigeartaigh
> >> >> >> >
> >> >> >> > Talend Community Coder
> >> >> >> > http://coders.talend.com
> >> >> >>
> >> >> >
> >> >> >
> >> >> >
> >> >> > --
> >> >> > Colm O hEigeartaigh
> >> >> >
> >> >> > Talend Community Coder
> >> >> > http://coders.talend.com
> >> >>
> >> >
> >> >
> >> >
> >> > --
> >> > Colm O hEigeartaigh
> >> >
> >> > Talend Community Coder
> >> > http://coders.talend.com
> >>
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>

Re: Check SSL server certificate

Posted by Jose María Zaragoza <de...@gmail.com>.
2015-02-27 12:22 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>> But , what is a CA certificate chain for ? I would like don't have to
>> verify the trustability of a certificate manually before importing it.
>
> When you need to verify trust in a certificate, CXF essentially asks your
> truststore two questions:
>
> a) Is this certificate stored in the truststore (direct trust)
> b) Is the issuer of this certificate stored in the truststore, and is the
> cert chain correct, etc.



Sorry (again), but one more question:

What if I store the trusted CA certificates (i.e., b) mode) but the
server certificate has expired?

In a) mode, I know that it is deemed to be trusted, but I'm not sure
about b) mode.

Thanks



>
> Obviously directly storing certificates in the truststore does not scale.
> It might be useful for some scenarios though. The normal way of doing
> things is to just store your trusted CA certs in there.
>
> Colm.
>
> On Fri, Feb 27, 2015 at 10:47 AM, Jose María Zaragoza <de...@gmail.com>
> wrote:
>
>> 2015-02-27 11:28 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>> > What is the concept of a "truststore" other than a collection of trusted
>> > certificates? If you don't trust the certificate then don't put it in
>> > there... :-)
>>
>> Yes, it's true. :-)
>> But , what is a CA certificate chain for ? I would like don't have to
>> verify the trustability of a certificate manually before importing it.
>>
>> Regards
>>
>>
>>
>> >
>> > Colm.
>> >
>> > On Fri, Feb 27, 2015 at 10:22 AM, Jose María Zaragoza <
>> demablogia@gmail.com>
>> > wrote:
>> >
>> >> 2015-02-27 11:06 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>> >> > No, if the certificate itself is in the truststore then it is deemed
>> to
>> >> be
>> >> > trusted - the CA certificate does not need to be in there as well.
>> >> >
>> >> > Colm.
>> >>
>> >>
>> >> Thanks.
>> >> Is this the standard behaviour in JSSE ?
>> >> I think that it should be validated all CA in the chain, to be sure
>> >> the certificate is signed by trusted CA
>> >>
>> >>
>> >> >
>> >> > On Fri, Feb 27, 2015 at 7:37 AM, Jose María Zaragoza <
>> >> demablogia@gmail.com>
>> >> > wrote:
>> >> >
>> >> >> 2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org
>> >:
>> >> >> > I did a quick test using CXF's WebClient doing a "GET" on
>> >> >> > https://www.google.com. It works fine when you don't specify any
>> >> >> > TLSClientParameters as expected, as it picks up the default
>> cacerts.
>> >> >> > However, when I added the following it fails (also as expected):
>> >> >> >
>> >> >> >  <http:conduit name="https://.*">
>> >> >> >       <http:tlsClientParameters disableCNCheck="true">
>> >> >> >         <sec:trustManagers>
>> >> >> >           <sec:keyStore type="jks" password="cspass"
>> >> >> > resource="clientstore.jks"/>
>> >> >> >         </sec:trustManagers>
>> >> >> >       </http:tlsClientParameters>
>> >> >> >    </http:conduit>
>> >> >> >
>> >> >> > Colm.
>> >> >>
>> >> >> OK. That's right.
>> >> >> But , if you import Google certificate into clientstore.jks but you
>> >> >> don't import its CA certificate ( GeoTrust CA , in this case ),
>> should
>> >> >> it fail ? This is my question
>> >> >> I don't know what is the validation path that JSSE follows
>> >> >>
>> >> >> Regards
>> >> >>
>> >> >>
>> >> >>
>> >> >> >
>> >> >> > On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <
>> >> >> demablogia@gmail.com>
>> >> >> > wrote:
>> >> >> >
>> >> >> >> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <sberyozkin@gmail.com
>> >:
>> >> >> >> > What I meant is that you do use a self signed cert to sign a
>> >> >> previously
>> >> >> >> > generated certificate but do not import this self signed cert
>> into
>> >> the
>> >> >> >> > truststore which would emulate the same situation you have now
>> >> without
>> >> >> >> > having to provide a test where well known providers sign a given
>> >> >> server
>> >> >> >> > certificate.
>> >> >> >>
>> >> >> >> OK
>> >> >> >> I'll try it
>> >> >> >>
>> >> >> >> Thanks
>> >> >> >>
>> >> >> >> >
>> >> >> >> > Sergey
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > On 26/02/15 18:51, Jose María Zaragoza wrote:
>> >> >> >> >>
>> >> >> >> >> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <
>> sberyozkin@gmail.com
>> >> >:
>> >> >> >> >>>
>> >> >> >> >>> Hi
>> >> >> >> >>>
>> >> >> >> >>> I guess this is what Colm is implying, that the actual problem
>> >> that
>> >> >> it
>> >> >> >> >>> does
>> >> >> >> >>> work.
>> >> >> >> >>> Can it be reproduced by a given server certificate with a
>> >> >> self-signed
>> >> >> >> >>> certificate validating it ?
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >> Well, I don't have a testcase right now. I'll try to reproduce
>> it
>> >> .
>> >> >> >> >>
>> >> >> >> >> With a self signed certificate , the behaviour also is the same
>> >> >> >> >> But that makes sense ( for me ) , because your CA is yourself,
>> so
>> >> you
>> >> >> >> >> could trust on it ( if the certificate is imported into your
>> >> keystore
>> >> >> >> >> )
>> >> >> >> >>
>> >> >> >> >> Regards
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >>>
>> >> >> >> >>> Cheers, Sergey
>> >> >> >> >>>
>> >> >> >> >>>
>> >> >> >> >>>
>> >> >> >> >>>
>> >> >> >> >>> On 26/02/15 16:55, Jose María Zaragoza wrote:
>> >> >> >> >>>>
>> >> >> >> >>>>
>> >> >> >> >>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <
>> >> >> coheigea@apache.org>:
>> >> >> >> >>>>>
>> >> >> >> >>>>>
>> >> >> >> >>>>>
>> >> >> >> >>>>> It does, but only if no truststore has been configured in
>> CXF.
>> >> Do
>> >> >> you
>> >> >> >> >>>>> have a
>> >> >> >> >>>>> test-case that reproduces this problem?
>> >> >> >> >>>>
>> >> >> >> >>>>
>> >> >> >> >>>>
>> >> >> >> >>>>
>> >> >> >> >>>> Thanks, not really
>> >> >> >> >>>> Indeed, it's not a problem because my client works fine ,
>> but I
>> >> >> cannot
>> >> >> >> >>>> understand why. I only imported the server certificate, no
>> the
>> >> >> others
>> >> >> >> >>>> in chain
>> >> >> >> >>>>
>> >> >> >> >>>> As I don't know how the underlying certificate validation is
>> >> >> performed
>> >> >> >> >>>> , I don't know if this behaviour is caused by default
>> settings
>> >> in
>> >> >> CXF
>> >> >> >> >>>> or another reason.
>> >> >> >> >>>>
>> >> >> >> >>>> Regards
>> >> >> >> >>>>
>> >> >> >> >>>>
>> >> >> >> >>>>>
>> >> >> >> >>>>> Colm.
>> >> >> >> >>>>>
>> >> >> >> >>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza
>> >> >> >> >>>>> <de...@gmail.com>
>> >> >> >> >>>>> wrote:
>> >> >> >> >>>>>>
>> >> >> >> >>>>>>
>> >> >> >> >>>>>>
>> >> >> >> >>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <
>> >> >> coheigea@apache.org
>> >> >> >> >:
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>> You are using "keyManagers" instead of "trustManagers" in
>> the
>> >> >> >> >>>>>>> configuration. "keyManagers" is used when you need to
>> >> specify a
>> >> >> key
>> >> >> >> >>>>>>> for
>> >> >> >> >>>>>>> client authentication. "trustManagers" is used to verify
>> >> trust
>> >> >> in
>> >> >> >> the
>> >> >> >> >>>>>>> server's cert. As you have no "trustManagers"
>> configuration
>> >> >> here, I
>> >> >> >> >>>>>>> guess
>> >> >> >> >>>>>>> it is falling back on the default JVM settings
>> >> >> >> >>>>>>> (javax.net.ssl.trustStore)
>> >> >> >> >>>>>>
>> >> >> >> >>>>>>
>> >> >> >> >>>>>>
>> >> >> >> >>>>>> Sorry, it was a typo. I'm using trustManagers
>> >> >> >> >>>>>>
>> >> >> >> >>>>>> <sec:trustManagers>
>> >> >> >> >>>>>>                 <sec:keyStore type="JKS" password="*******"
>> >> >> >> >>>>>> resource="truststore.jks"/>
>> >> >> >> >>>>>>             </sec:trustManagers>
>> >> >> >> >>>>>> <sec:cipherSuitesFilter>
>> >> >> >> >>>>>>
>> >> >> >> >>>>>> Do you know if JSSE ( I guess it's the underlying TLS
>> >> >> >> implementation )
>> >> >> >> >>>>>> uses default JVM truststore for checking certificates ?
>> >> >> >> >>>>>>
>> >> >> >> >>>>>> Thanks
>> >> >> >> >>>>>>
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>> Colm.
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
>> >> >> >> >>>>>>> <de...@gmail.com>
>> >> >> >> >>>>>>> wrote:
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>>> Hello:
>> >> >> >> >>>>>>>>
>> >> >> >> >>>>>>>> Maybe this question a bit off topic , but I try to
>> >> understand
>> >> >> why
>> >> >> >> my
>> >> >> >> >>>>>>>> client works.
>> >> >> >> >>>>>>>>
>> >> >> >> >>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL
>> >> /TLS)
>> >> >> >> >>>>>>>> This is my settings:
>> >> >> >> >>>>>>>>
>> >> >> >> >>>>>>>> <http-conf:conduit name="https://.*">
>> >> >> >> >>>>>>>>     <http-conf:tlsClientParameters>
>> >> >> >> >>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
>> >> >> >> >>>>>>>>           <sec:keyStore type="JKS" password="xxxxxxxx"
>> >> >> >> >>>>>>>> resource="truststore.jks"/>
>> >> >> >> >>>>>>>>      </sec:keyManagers>
>> >> >> >> >>>>>>>>
>> >> >> >> >>>>>>>> I've imported SSL server certificate into truststore.jks
>> >> >> >> >>>>>>>> And it works fine.
>> >> >> >> >>>>>>>>
>> >> >> >> >>>>>>>> But this certificate is signed by a CA chain ( from .
>> >> >> godaddy.com)
>> >> >> >> ,
>> >> >> >> >>>>>>>> and ( I think ) I don't have imported any certificate
>> from
>> >> >> godaddy
>> >> >> >> >>>>>>>> Why does my client trust in the server certificate ?
>> >> >> >> >>>>>>>> Is not  performed some Certification Path Validation
>> >> process ?
>> >> >> >> >>>>>>>>
>> >> >> >> >>>>>>>> Thanks and regards
>> >> >> >> >>>>>>>>
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>> --
>> >> >> >> >>>>>>> Colm O hEigeartaigh
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>> Talend Community Coder
>> >> >> >> >>>>>>> http://coders.talend.com
>> >> >> >> >>>>>
>> >> >> >> >>>>>
>> >> >> >> >>>>>
>> >> >> >> >>>>>
>> >> >> >> >>>>>
>> >> >> >> >>>>>
>> >> >> >> >>>>> --
>> >> >> >> >>>>> Colm O hEigeartaigh
>> >> >> >> >>>>>
>> >> >> >> >>>>> Talend Community Coder
>> >> >> >> >>>>> http://coders.talend.com
>> >> >> >> >>>
>> >> >> >> >>>
>> >> >> >> >>>
>> >> >> >> >>>
>> >> >> >> >>> --
>> >> >> >> >>> Sergey Beryozkin
>> >> >> >> >>>
>> >> >> >> >>> Talend Community Coders
>> >> >> >> >>> http://coders.talend.com/
>> >> >> >> >>>
>> >> >> >> >>> Blog: http://sberyozkin.blogspot.com
>> >> >> >> >
>> >> >> >> >
>> >> >> >>
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > --
>> >> >> > Colm O hEigeartaigh
>> >> >> >
>> >> >> > Talend Community Coder
>> >> >> > http://coders.talend.com
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Colm O hEigeartaigh
>> >> >
>> >> > Talend Community Coder
>> >> > http://coders.talend.com
>> >>
>> >
>> >
>> >
>> > --
>> > Colm O hEigeartaigh
>> >
>> > Talend Community Coder
>> > http://coders.talend.com
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

Re: Check SSL server certificate

Posted by Jose María Zaragoza <de...@gmail.com>.
2015-02-27 12:22 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>> But , what is a CA certificate chain for ? I would like don't have to
>> verify the trustability of a certificate manually before importing it.
>
> When you need to verify trust in a certificate, CXF essentially asks your
> truststore two questions:
>
> a) Is this certificate stored in the truststore (direct trust)
> b) Is the issuer of this certificate stored in the truststore, and is the
> cert chain correct, etc.

I didn't know about the b) step.
That's enough for me, then.


Thanks



>
> Obviously directly storing certificates in the truststore does not scale.
> It might be useful for some scenarios though. The normal way of doing
> things is to just store your trusted CA certs in there.
>
> Colm.
>
> On Fri, Feb 27, 2015 at 10:47 AM, Jose María Zaragoza <de...@gmail.com>
> wrote:
>
>> 2015-02-27 11:28 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>> > What is the concept of a "truststore" other than a collection of trusted
>> > certificates? If you don't trust the certificate then don't put it in
>> > there... :-)
>>
>> Yes, it's true. :-)
>> But , what is a CA certificate chain for ? I would like don't have to
>> verify the trustability of a certificate manually before importing it.
>>
>> Regards
>>
>>
>>
>> >
>> > Colm.
>> >
>> > On Fri, Feb 27, 2015 at 10:22 AM, Jose María Zaragoza <
>> demablogia@gmail.com>
>> > wrote:
>> >
>> >> 2015-02-27 11:06 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>> >> > No, if the certificate itself is in the truststore then it is deemed
>> to
>> >> be
>> >> > trusted - the CA certificate does not need to be in there as well.
>> >> >
>> >> > Colm.
>> >>
>> >>
>> >> Thanks.
>> >> Is this the standard behaviour in JSSE ?
>> >> I think that it should be validated all CA in the chain, to be sure
>> >> the certificate is signed by trusted CA
>> >>
>> >>
>> >> >
>> >> > On Fri, Feb 27, 2015 at 7:37 AM, Jose María Zaragoza <
>> >> demablogia@gmail.com>
>> >> > wrote:
>> >> >
>> >> >> 2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org
>> >:
>> >> >> > I did a quick test using CXF's WebClient doing a "GET" on
>> >> >> > https://www.google.com. It works fine when you don't specify any
>> >> >> > TLSClientParameters as expected, as it picks up the default
>> cacerts.
>> >> >> > However, when I added the following it fails (also as expected):
>> >> >> >
>> >> >> >  <http:conduit name="https://.*">
>> >> >> >       <http:tlsClientParameters disableCNCheck="true">
>> >> >> >         <sec:trustManagers>
>> >> >> >           <sec:keyStore type="jks" password="cspass"
>> >> >> > resource="clientstore.jks"/>
>> >> >> >         </sec:trustManagers>
>> >> >> >       </http:tlsClientParameters>
>> >> >> >    </http:conduit>
>> >> >> >
>> >> >> > Colm.
>> >> >>
>> >> >> OK. That's right.
>> >> >> But , if you import Google certificate into clientstore.jks but you
>> >> >> don't import its CA certificate ( GeoTrust CA , in this case ),
>> should
>> >> >> it fail ? This is my question
>> >> >> I don't know what is the validation path that JSSE follows
>> >> >>
>> >> >> Regards
>> >> >>
>> >> >>
>> >> >>
>> >> >> >
>> >> >> > On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <
>> >> >> demablogia@gmail.com>
>> >> >> > wrote:
>> >> >> >
>> >> >> >> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <sberyozkin@gmail.com
>> >:
>> >> >> >> > What I meant is that you do use a self signed cert to sign a
>> >> >> previously
>> >> >> >> > generated certificate but do not import this self signed cert
>> into
>> >> the
>> >> >> >> > truststore which would emulate the same situation you have now
>> >> without
>> >> >> >> > having to provide a test where well known providers sign a given
>> >> >> server
>> >> >> >> > certificate.
>> >> >> >>
>> >> >> >> OK
>> >> >> >> I'll try it
>> >> >> >>
>> >> >> >> Thanks
>> >> >> >>
>> >> >> >> >
>> >> >> >> > Sergey
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > On 26/02/15 18:51, Jose María Zaragoza wrote:
>> >> >> >> >>
>> >> >> >> >> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <
>> sberyozkin@gmail.com
>> >> >:
>> >> >> >> >>>
>> >> >> >> >>> Hi
>> >> >> >> >>>
>> >> >> >> >>> I guess this is what Colm is implying, that the actual problem
>> >> that
>> >> >> it
>> >> >> >> >>> does
>> >> >> >> >>> work.
>> >> >> >> >>> Can it be reproduced by a given server certificate with a
>> >> >> self-signed
>> >> >> >> >>> certificate validating it ?
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >> Well, I don't have a testcase right now. I'll try to reproduce
>> it
>> >> .
>> >> >> >> >>
>> >> >> >> >> With a self signed certificate , the behaviour also is the same
>> >> >> >> >> But that makes sense ( for me ) , because your CA is yourself,
>> so
>> >> you
>> >> >> >> >> could trust on it ( if the certificate is imported into your
>> >> keystore
>> >> >> >> >> )
>> >> >> >> >>
>> >> >> >> >> Regards
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >>>
>> >> >> >> >>> Cheers, Sergey
>> >> >> >> >>>
>> >> >> >> >>>
>> >> >> >> >>>
>> >> >> >> >>>
>> >> >> >> >>> On 26/02/15 16:55, Jose María Zaragoza wrote:
>> >> >> >> >>>>
>> >> >> >> >>>>
>> >> >> >> >>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <
>> >> >> coheigea@apache.org>:
>> >> >> >> >>>>>
>> >> >> >> >>>>>
>> >> >> >> >>>>>
>> >> >> >> >>>>> It does, but only if no truststore has been configured in
>> CXF.
>> >> Do
>> >> >> you
>> >> >> >> >>>>> have a
>> >> >> >> >>>>> test-case that reproduces this problem?
>> >> >> >> >>>>
>> >> >> >> >>>>
>> >> >> >> >>>>
>> >> >> >> >>>>
>> >> >> >> >>>> Thanks, not really
>> >> >> >> >>>> Indeed, it's not a problem because my client works fine ,
>> but I
>> >> >> cannot
>> >> >> >> >>>> understand why. I only imported the server certificate, no
>> the
>> >> >> others
>> >> >> >> >>>> in chain
>> >> >> >> >>>>
>> >> >> >> >>>> As I don't know how the underlying certificate validation is
>> >> >> performed
>> >> >> >> >>>> , I don't know if this behaviour is caused by default
>> settings
>> >> in
>> >> >> CXF
>> >> >> >> >>>> or another reason.
>> >> >> >> >>>>
>> >> >> >> >>>> Regards
>> >> >> >> >>>>
>> >> >> >> >>>>
>> >> >> >> >>>>>
>> >> >> >> >>>>> Colm.
>> >> >> >> >>>>>
>> >> >> >> >>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza
>> >> >> >> >>>>> <de...@gmail.com>
>> >> >> >> >>>>> wrote:
>> >> >> >> >>>>>>
>> >> >> >> >>>>>>
>> >> >> >> >>>>>>
>> >> >> >> >>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <
>> >> >> coheigea@apache.org
>> >> >> >> >:
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>> You are using "keyManagers" instead of "trustManagers" in
>> the
>> >> >> >> >>>>>>> configuration. "keyManagers" is used when you need to
>> >> specify a
>> >> >> key
>> >> >> >> >>>>>>> for
>> >> >> >> >>>>>>> client authentication. "trustManagers" is used to verify
>> >> trust
>> >> >> in
>> >> >> >> the
>> >> >> >> >>>>>>> server's cert. As you have no "trustManagers"
>> configuration
>> >> >> here, I
>> >> >> >> >>>>>>> guess
>> >> >> >> >>>>>>> it is falling back on the default JVM settings
>> >> >> >> >>>>>>> (javax.net.ssl.trustStore)
>> >> >> >> >>>>>>
>> >> >> >> >>>>>>
>> >> >> >> >>>>>>
>> >> >> >> >>>>>> Sorry, it was a typo. I'm using trustManagers
>> >> >> >> >>>>>>
>> >> >> >> >>>>>> <sec:trustManagers>
>> >> >> >> >>>>>>                 <sec:keyStore type="JKS" password="*******"
>> >> >> >> >>>>>> resource="truststore.jks"/>
>> >> >> >> >>>>>>             </sec:trustManagers>
>> >> >> >> >>>>>> <sec:cipherSuitesFilter>
>> >> >> >> >>>>>>
>> >> >> >> >>>>>> Do you know if JSSE ( I guess it's the underlying TLS
>> >> >> >> implementation )
>> >> >> >> >>>>>> uses default JVM truststore for checking certificates ?
>> >> >> >> >>>>>>
>> >> >> >> >>>>>> Thanks
>> >> >> >> >>>>>>
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>> Colm.
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
>> >> >> >> >>>>>>> <de...@gmail.com>
>> >> >> >> >>>>>>> wrote:
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>>> Hello:
>> >> >> >> >>>>>>>>
>> >> >> >> >>>>>>>> Maybe this question a bit off topic , but I try to
>> >> understand
>> >> >> why
>> >> >> >> my
>> >> >> >> >>>>>>>> client works.
>> >> >> >> >>>>>>>>
>> >> >> >> >>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL
>> >> /TLS)
>> >> >> >> >>>>>>>> This is my settings:
>> >> >> >> >>>>>>>>
>> >> >> >> >>>>>>>> <http-conf:conduit name="https://.*">
>> >> >> >> >>>>>>>>     <http-conf:tlsClientParameters>
>> >> >> >> >>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
>> >> >> >> >>>>>>>>           <sec:keyStore type="JKS" password="xxxxxxxx"
>> >> >> >> >>>>>>>> resource="truststore.jks"/>
>> >> >> >> >>>>>>>>      </sec:keyManagers>
>> >> >> >> >>>>>>>>
>> >> >> >> >>>>>>>> I've imported SSL server certificate into truststore.jks
>> >> >> >> >>>>>>>> And it works fine.
>> >> >> >> >>>>>>>>
>> >> >> >> >>>>>>>> But this certificate is signed by a CA chain ( from .
>> >> >> godaddy.com)
>> >> >> >> ,
>> >> >> >> >>>>>>>> and ( I think ) I don't have imported any certificate
>> from
>> >> >> godaddy
>> >> >> >> >>>>>>>> Why does my client trust in the server certificate ?
>> >> >> >> >>>>>>>> Is not  performed some Certification Path Validation
>> >> process ?
>> >> >> >> >>>>>>>>
>> >> >> >> >>>>>>>> Thanks and regards
>> >> >> >> >>>>>>>>
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>> --
>> >> >> >> >>>>>>> Colm O hEigeartaigh
>> >> >> >> >>>>>>>
>> >> >> >> >>>>>>> Talend Community Coder
>> >> >> >> >>>>>>> http://coders.talend.com
>> >> >> >> >>>>>
>> >> >> >> >>>>>
>> >> >> >> >>>>>
>> >> >> >> >>>>>
>> >> >> >> >>>>>
>> >> >> >> >>>>>
>> >> >> >> >>>>> --
>> >> >> >> >>>>> Colm O hEigeartaigh
>> >> >> >> >>>>>
>> >> >> >> >>>>> Talend Community Coder
>> >> >> >> >>>>> http://coders.talend.com
>> >> >> >> >>>
>> >> >> >> >>>
>> >> >> >> >>>
>> >> >> >> >>>
>> >> >> >> >>> --
>> >> >> >> >>> Sergey Beryozkin
>> >> >> >> >>>
>> >> >> >> >>> Talend Community Coders
>> >> >> >> >>> http://coders.talend.com/
>> >> >> >> >>>
>> >> >> >> >>> Blog: http://sberyozkin.blogspot.com
>> >> >> >> >
>> >> >> >> >
>> >> >> >>
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > --
>> >> >> > Colm O hEigeartaigh
>> >> >> >
>> >> >> > Talend Community Coder
>> >> >> > http://coders.talend.com
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Colm O hEigeartaigh
>> >> >
>> >> > Talend Community Coder
>> >> > http://coders.talend.com
>> >>
>> >
>> >
>> >
>> > --
>> > Colm O hEigeartaigh
>> >
>> > Talend Community Coder
>> > http://coders.talend.com
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
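
As an added illustration of the two questions Colm lists in the quoted reply above (direct trust of the server certificate versus path validation through a CA in the truststore) and of the expiry question raised in the earlier reply, here is a Go program that is not part of this thread or of CXF: it simulates that decision with a throwaway, constructed CA and two server certificates it issues. Step a) deliberately performs no validity-date check, modelling the shortcut a Java PKIX trust manager takes when the presented certificate is itself in the truststore; step b) goes through Go's x509 path validation, which does check dates. All names ("Constructed Test CA", "service.example") are made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Verdict string // which of the two truststore questions was answered "yes"

const DirectTrust Verdict = "direct" // a) the server cert itself is in the truststore
const ChainTrust Verdict = "chain"   // b) its issuer is, and the chain validates
const NotTrusted Verdict = "untrusted"

// TrustStore is a constructed stand-in for the JKS truststore in the thread:
// a flat list of certificates, CA or end-entity, with no other metadata.
type TrustStore []*x509.Certificate

// Verify applies the two-step decision from the thread. Step a) is a raw byte
// comparison that deliberately skips the validity-date check, modelling the
// JSSE shortcut for a cert found directly in the truststore. Step b) anchors
// only on the CA certs in the store and runs full path validation, which does
// enforce NotBefore/NotAfter at time now.
func (ts TrustStore) Verify(server *x509.Certificate, now time.Time) (Verdict, error) {
	roots := x509.NewCertPool()
	for _, c := range ts {
		if bytes.Equal(c.Raw, server.Raw) {
			return DirectTrust, nil // a): found directly, dates never examined
		}
		if c.IsCA {
			roots.AddCert(c) // b): end-entity certs in the store are not anchors
		}
	}
	if _, err := server.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return NotTrusted, err
	}
	return ChainTrust, nil
}

// Fixtures is a throwaway PKI: a self-signed CA and two server certs it issued.
type Fixtures struct {
	Now                        time.Time
	CA, ValidLeaf, ExpiredLeaf *x509.Certificate // ExpiredLeaf's NotAfter is an hour before Now
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // fixture construction has no sensible recovery path
	}
	return v
}

// issue signs tmpl with parentKey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// NewFixtures builds the constructed CA and leaves relative to the current time.
func NewFixtures() *Fixtures {
	now := time.Now().Truncate(time.Second)
	ca, caKey := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}, nil, nil)
	leaf := func(serial int64, notBefore, notAfter time.Time) *x509.Certificate {
		c, _ := issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: "service.example"},
			DNSNames:     []string{"service.example"},
			NotBefore:    notBefore,
			NotAfter:     notAfter,
		}, ca, caKey)
		return c
	}
	f := &Fixtures{Now: now, CA: ca}
	f.ValidLeaf = leaf(2, now.Add(-time.Hour), now.Add(time.Hour))
	f.ExpiredLeaf = leaf(3, now.Add(-2*time.Hour), now.Add(-time.Hour))
	return f
}

func main() {
	f := NewFixtures()
	fmt.Println(TrustStore{f.ExpiredLeaf}.Verify(f.ExpiredLeaf, f.Now)) // a) mode: direct <nil>
	fmt.Println(TrustStore{f.CA}.Verify(f.ExpiredLeaf, f.Now))          // b) mode: untrusted, expiry error
}
```

The two printed lines show the same expired server certificate accepted in a) mode and rejected in b) mode, which is the reason storing CA certificates rather than end-entity certificates is the normal way of doing things.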

Re: Check SSL server certificate

Posted by Colm O hEigeartaigh <co...@apache.org>.
> But , what is a CA certificate chain for ? I would like don't have to
> verify the trustability of a certificate manually before importing it.

When you need to verify trust in a certificate, CXF essentially asks your
truststore two questions:

a) Is this certificate stored in the truststore (direct trust)?
b) Is the issuer of this certificate stored in the truststore, and is the
cert chain correct, etc.?

Obviously directly storing certificates in the truststore does not scale.
It might be useful for some scenarios though. The normal way of doing
things is to just store your trusted CA certs in there.

Colm.

On Fri, Feb 27, 2015 at 10:47 AM, Jose María Zaragoza <de...@gmail.com>
wrote:

> 2015-02-27 11:28 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
> > What is the concept of a "truststore" other than a collection of trusted
> > certificates? If you don't trust the certificate then don't put it in
> > there... :-)
>
> Yes, it's true. :-)
> But , what is a CA certificate chain for ? I would like don't have to
> verify the trustability of a certificate manually before importing it.
>
> Regards



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
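
The two questions above can be put to a truststore offline, before the
conduit ever opens a connection. The program below is an added example for
this thread; it is not code from the thread, from CXF, or from the JDK. It
assumes three inputs that are not in the thread: a JKS truststore such as
truststore.jks, its store password, and a PEM file (server-chain.pem) holding
the server's leaf certificate first, followed by any intermediates the server
sends. It reports a) whether the exact leaf is in the store, b) whether a
store entry actually signed the leaf, the leaf's own validity dates, and then
the verdict of a PKIX X509TrustManager built from that store, which is the
decision made during the handshake. In the test reported later in the thread,
a not-yet-valid leaf was accepted under a) and rejected under b); running this
twice, once with only the leaf and once with only the CA in the truststore,
shows whether your JVM behaves the same way.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Offline trust decision for a server chain against a JKS truststore.
// Usage (file names are assumptions for this example):
//   java TrustDecision truststore.jks <storepass> server-chain.pem
public class TrustDecision {

    public static void main(String[] args) throws Exception {
        KeyStore truststore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            truststore.load(in, args[1].toCharArray());
        }
        X509Certificate[] chain = loadChain(args[2]);
        X509Certificate leaf = chain[0];

        // a) direct trust: is this exact certificate in the truststore?
        String leafAlias = truststore.getCertificateAlias(leaf);
        System.out.println("a) leaf in truststore:   "
                + (leafAlias != null ? "yes (alias " + leafAlias + ")" : "no"));

        // b) issuer trust: did a key held in the truststore sign the leaf?
        String issuerAlias = findIssuerAlias(truststore, leaf);
        System.out.println("b) issuer in truststore: "
                + (issuerAlias != null ? "yes (alias " + issuerAlias + ")" : "no"));

        // Validity dates of the leaf on their own, to compare with the verdict below.
        try {
            leaf.checkValidity();
            System.out.println("leaf validity dates:     ok");
        } catch (CertificateException e) {
            System.out.println("leaf validity dates:     FAIL (" + e + ")");
        }

        // The verdict a PKIX trust manager gives during the TLS handshake.
        X509TrustManager tm = pkixTrustManager(truststore);
        try {
            // authType only selects the end-entity key-usage check; "UNKNOWN"
            // selects the digitalSignature check that applies to server certs.
            tm.checkServerTrusted(chain, "UNKNOWN");
            System.out.println("PKIX trust manager:      ACCEPTED");
        } catch (CertificateException e) {
            System.out.println("PKIX trust manager:      REJECTED (" + e + ")");
        }
    }

    // Reads one or more PEM certificates; the first one must be the leaf.
    static X509Certificate[] loadChain(String pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemFile)) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        if (certs.isEmpty()) {
            throw new CertificateException("no certificates in " + pemFile);
        }
        return certs.toArray(new X509Certificate[0]);
    }

    // Alias of a truststore entry whose public key verifies the leaf's signature.
    static String findIssuerAlias(KeyStore ks, X509Certificate leaf) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate candidate = (X509Certificate) c;
            if (!candidate.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                continue;
            }
            try {
                leaf.verify(candidate.getPublicKey()); // a matching name is not enough
                return alias;
            } catch (Exception wrongKey) {
                // same subject name but a different key: keep looking
            }
        }
        return null;
    }

    static X509TrustManager pkixTrustManager(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("PKIX factory returned no X509TrustManager");
    }
}
```

Because the trust manager is built from the store you pass in, the default
cacerts file is not consulted, which is the same situation as a conduit with
an explicit <sec:trustManagers> element: only the entries in that store
decide. If "a)" prints yes while "leaf validity dates" prints FAIL and the
verdict is still ACCEPTED, your JVM is short-circuiting on the directly
trusted leaf exactly as observed in this thread, and only storing the CA
certificate instead will bring the date and chain checks back.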

Re: Check SSL server certificate

Posted by Jose María Zaragoza <de...@gmail.com>.
2015-02-27 11:28 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
> What is the concept of a "truststore" other than a collection of trusted
> certificates? If you don't trust the certificate then don't put it in
> there... :-)

Yes, it's true. :-)
But, what is a CA certificate chain for? I would like to not have to
verify the trustworthiness of a certificate manually before importing it.

Regards

Re: Check SSL server certificate

Posted by Colm O hEigeartaigh <co...@apache.org>.
What is the concept of a "truststore" other than a collection of trusted
certificates? If you don't trust the certificate then don't put it in
there... :-)

Colm.

On Fri, Feb 27, 2015 at 10:22 AM, Jose María Zaragoza <de...@gmail.com>
wrote:

> 2015-02-27 11:06 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
> > No, if the certificate itself is in the truststore then it is deemed to
> be
> > trusted - the CA certificate does not need to be in there as well.
> >
> > Colm.
>
>
> Thanks.
> Is this the standard behaviour in JSSE?
> I think that all the CAs in the chain should be validated, to be sure
> the certificate is signed by a trusted CA.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Check SSL server certificate

Posted by Jose María Zaragoza <de...@gmail.com>.
2015-02-27 11:06 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
> No, if the certificate itself is in the truststore then it is deemed to be
> trusted - the CA certificate does not need to be in there as well.
>
> Colm.


Thanks.
Is this the standard behaviour in JSSE?
I think that all the CAs in the chain should be validated, to be sure
the certificate is signed by a trusted CA.



Re: Check SSL server certificate

Posted by Colm O hEigeartaigh <co...@apache.org>.
No, if the certificate itself is in the truststore then it is deemed to be
trusted - the CA certificate does not need to be in there as well.

Colm.

On Fri, Feb 27, 2015 at 7:37 AM, Jose María Zaragoza <de...@gmail.com>
wrote:

> 2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
> > I did a quick test using CXF's WebClient doing a "GET" on
> > https://www.google.com. It works fine when you don't specify any
> > TLSClientParameters as expected, as it picks up the default cacerts.
> > However, when I added the following it fails (also as expected):
> >
> >  <http:conduit name="https://.*">
> >       <http:tlsClientParameters disableCNCheck="true">
> >         <sec:trustManagers>
> >           <sec:keyStore type="jks" password="cspass"
> > resource="clientstore.jks"/>
> >         </sec:trustManagers>
> >       </http:tlsClientParameters>
> >    </http:conduit>
> >
> > Colm.
>
> OK. That's right.
> But , if you import Google certificate into clientstore.jks but you
> don't import its CA certificate ( GeoTrust CA , in this case ), should
> it fail ? This is my question
> I don't know what is the validation path that JSSE follows
>
> Regards
>
>
>
> >
> > On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <
> demablogia@gmail.com>
> > wrote:
> >
> >> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <sb...@gmail.com>:
> >> > What I meant is that you do use a self signed cert to sign a
> previously
> >> > generated certificate but do not import this self signed cert into the
> >> > truststore which would emulate the same situation you have now without
> >> > having to provide a test where well known providers sign a given
> server
> >> > certificate.
> >>
> >> OK
> >> I'll try it
> >>
> >> Thanks
> >>
> >> >
> >> > Sergey
> >> >
> >> >
> >> >
> >> > On 26/02/15 18:51, Jose María Zaragoza wrote:
> >> >>
> >> >> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <sb...@gmail.com>:
> >> >>>
> >> >>> Hi
> >> >>>
> >> >>> I guess this is what Colm is implying, that the actual problem that
> it
> >> >>> does
> >> >>> work.
> >> >>> Can it be reproduced by a given server certificate with a
> self-signed
> >> >>> certificate validating it ?
> >> >>
> >> >>
> >> >>
> >> >> Well, I don't have a testcase right now. I'll try to reproduce it .
> >> >>
> >> >> With a self signed certificate , the behaviour also is the same
> >> >> But that makes sense ( for me ) , because your CA is yourself, so you
> >> >> could trust on it ( if the certificate is imported into your keystore
> >> >> )
> >> >>
> >> >> Regards
> >> >>
> >> >>
> >> >>>
> >> >>> Cheers, Sergey
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>> On 26/02/15 16:55, Jose María Zaragoza wrote:
> >> >>>>
> >> >>>>
> >> >>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <
> coheigea@apache.org>:
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>> It does, but only if no truststore has been configured in CXF. Do
> you
> >> >>>>> have a
> >> >>>>> test-case that reproduces this problem?
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>> Thanks, not really
> >> >>>> Indeed, it's not a problem because my client works fine , but I
> cannot
> >> >>>> understand why. I only imported the server certificate, no the
> others
> >> >>>> in chain
> >> >>>>
> >> >>>> As I don't know how the underlying certificate validation is
> performed
> >> >>>> , I don't know if this behaviour is caused by default settings in
> CXF
> >> >>>> or another reason.
> >> >>>>
> >> >>>> Regards
> >> >>>>
> >> >>>>
> >> >>>>>
> >> >>>>> Colm.
> >> >>>>>
> >> >>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza
> >> >>>>> <de...@gmail.com>
> >> >>>>> wrote:
> >> >>>>>>
> >> >>>>>>
> >> >>>>>>
> >> >>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <
> coheigea@apache.org
> >> >:
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>>>> You are using "keyManagers" instead of "trustManagers" in the
> >> >>>>>>> configuration. "keyManagers" is used when you need to specify a
> key
> >> >>>>>>> for
> >> >>>>>>> client authentication. "trustManagers" is used to verify trust
> in
> >> the
> >> >>>>>>> server's cert. As you have no "trustManagers" configuration
> here, I
> >> >>>>>>> guess
> >> >>>>>>> it is falling back on the default JVM settings
> >> >>>>>>> (javax.net.ssl.trustStore)
> >> >>>>>>
> >> >>>>>>
> >> >>>>>>
> >> >>>>>> Sorry, it was a typo. I'm using trustManagers
> >> >>>>>>
> >> >>>>>> <sec:trustManagers>
> >> >>>>>>                 <sec:keyStore type="JKS" password="*******"
> >> >>>>>> resource="truststore.jks"/>
> >> >>>>>>             </sec:trustManagers>
> >> >>>>>> <sec:cipherSuitesFilter>
> >> >>>>>>
> >> >>>>>> Do you know if JSSE ( I guess it's the underlying TLS
> >> implementation )
> >> >>>>>> uses default JVM truststore for checking certificates ?
> >> >>>>>>
> >> >>>>>> Thanks
> >> >>>>>>
> >> >>>>>>>
> >> >>>>>>> Colm.
> >> >>>>>>>
> >> >>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
> >> >>>>>>> <de...@gmail.com>
> >> >>>>>>> wrote:
> >> >>>>>>>
> >> >>>>>>>> Hello:
> >> >>>>>>>>
> >> >>>>>>>> Maybe this question a bit off topic , but I try to understand
> why
> >> my
> >> >>>>>>>> client works.
> >> >>>>>>>>
> >> >>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL /TLS)
> >> >>>>>>>> This is my settings:
> >> >>>>>>>>
> >> >>>>>>>> <http-conf:conduit name="https://.*">
> >> >>>>>>>>     <http-conf:tlsClientParameters>
> >> >>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
> >> >>>>>>>>           <sec:keyStore type="JKS" password="xxxxxxxx"
> >> >>>>>>>> resource="truststore.jks"/>
> >> >>>>>>>>      </sec:keyManagers>
> >> >>>>>>>>
> >> >>>>>>>> I've imported SSL server certificate into truststore.jks
> >> >>>>>>>> And it works fine.
> >> >>>>>>>>
> >> >>>>>>>> But this certificate is signed by a CA chain ( from .
> godaddy.com)
> >> ,
> >> >>>>>>>> and ( I think ) I don't have imported any certificate from
> godaddy
> >> >>>>>>>> Why does my client trust in the server certificate ?
> >> >>>>>>>> Is not  performed some Certification Path Validation process ?
> >> >>>>>>>>
> >> >>>>>>>> Thanks and regards
> >> >>>>>>>>
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>>>> --
> >> >>>>>>> Colm O hEigeartaigh
> >> >>>>>>>
> >> >>>>>>> Talend Community Coder
> >> >>>>>>> http://coders.talend.com
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>> --
> >> >>>>> Colm O hEigeartaigh
> >> >>>>>
> >> >>>>> Talend Community Coder
> >> >>>>> http://coders.talend.com
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>> --
> >> >>> Sergey Beryozkin
> >> >>>
> >> >>> Talend Community Coders
> >> >>> http://coders.talend.com/
> >> >>>
> >> >>> Blog: http://sberyozkin.blogspot.com
> >> >
> >> >
> >>
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
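
What Colm describes can be checked, and tightened, outside the handshake. The class below is an added example written for this page, not code from the thread or from CXF. It builds the JDK's PKIX X509TrustManager from a JKS truststore, runs the same checkServerTrusted call JSSE makes during the handshake, and then re-applies the validity-period check on the leaf. The reason this matters is a shortcut in OpenJDK's PKIX validator: if the first certificate of the chain the server presents is itself among the trusted certificates, the chain is accepted as soon as that match is found, with no certification path built or validated. That is why importing only the server certificate works without any GoDaddy certificate, and also why, in that mode, an expired or not-yet-valid server certificate is not rejected; with a CA certificate as the anchor a real path is built and the time check fires. The file names, the password, the leaf-first PEM layout and the "RSA" authType are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/** Added example, not CXF code: JSSE's verdict plus a validity check on the leaf, so a server
 *  certificate pinned directly in the truststore is still rejected once it expires. */
public final class StrictLeafTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;   // the JDK's PKIX trust manager for the truststore

    private StrictLeafTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

    /** Loads the JKS truststore (the file <sec:trustManagers> points at) and wraps the PKIX manager. */
    public static StrictLeafTrustManager fromTruststore(InputStream jks, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(jks, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return new StrictLeafTrustManager((X509TrustManager) tm);
            }
        }
        throw new IllegalStateException("PKIX factory returned no X509TrustManager");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // JSSE's own decision. When chain[0] is itself in the truststore, OpenJDK's PKIX validator
        // returns as soon as it finds that match: no path is built, so the leaf's dates are not examined.
        delegate.checkServerTrusted(chain, authType);
        // Re-impose the time check that shortcut skipped (CertificateExpiredException or
        // CertificateNotYetValidException). Redundant, and harmless, when a CA is the anchor.
        chain[0].checkValidity();
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
        chain[0].checkValidity();
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    /** Programmatic equivalent of <sec:trustManagers> for a CXF JAX-WS proxy. */
    public static void installOn(Object port, X509TrustManager tm) {
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        TLSClientParameters tls = conduit.getTlsClientParameters();   // reuse existing settings, e.g. disableCNCheck
        if (tls == null) {
            tls = new TLSClientParameters();
        }
        tls.setTrustManagers(new TrustManager[] { tm });
        conduit.setTlsClientParameters(tls);
    }

    /** Reads a PEM file holding the server chain, leaf first (assumed layout: the order a TLS server sends). */
    static X509Certificate[] readPemChain(String file) throws Exception {
        List<X509Certificate> certs = new ArrayList<X509Certificate>();
        try (InputStream in = new FileInputStream(file)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs.toArray(new X509Certificate[certs.size()]);
    }

    static String verdict(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "RSA");   // authType as JSSE passes it for an RSA server key
            return "accepted";
        } catch (CertificateException e) {
            return "rejected (" + e + ")";
        }
    }

    /** Usage (assumed file names): java StrictLeafTrustManager truststore.jks changeit server-chain.pem */
    public static void main(String[] args) throws Exception {
        X509Certificate[] chain = readPemChain(args[2]);
        StrictLeafTrustManager strict;
        try (InputStream in = new FileInputStream(args[0])) {
            strict = fromTruststore(in, args[1].toCharArray());
        }
        System.out.println("JSSE PKIX trust manager: " + verdict(strict.delegate, chain));
        System.out.println("strict wrapper         : " + verdict(strict, chain));
    }
}
```

Run it against the two fixtures Sergey suggests (one truststore holding only the server certificate, one holding only the CA that signed it, each built with keytool -importcert): while the leaf is within its validity period both truststores accept it, and once the leaf is expired or not yet valid the JSSE line still says "accepted" for the leaf-only truststore but "rejected" for the CA-only one, whereas the strict wrapper rejects in both cases. To use it from CXF, call installOn(port, StrictLeafTrustManager.fromTruststore(...)) instead of declaring <sec:trustManagers>; hostname verification (the disableCNCheck setting) is a separate step in CXF and is not affected by replacing the trust manager.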

Re: Check SSL server certificate

Posted by Jose María Zaragoza <de...@gmail.com>.
2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
> I did a quick test using CXF's WebClient doing a "GET" on
> https://www.google.com. It works fine when you don't specify any
> TLSClientParameters as expected, as it picks up the default cacerts.
> However, when I added the following it fails (also as expected):
>
>  <http:conduit name="https://.*">
>       <http:tlsClientParameters disableCNCheck="true">
>         <sec:trustManagers>
>           <sec:keyStore type="jks" password="cspass"
> resource="clientstore.jks"/>
>         </sec:trustManagers>
>       </http:tlsClientParameters>
>    </http:conduit>
>
> Colm.

OK. That's right.
But, if you import the Google certificate into clientstore.jks but you
don't import its CA certificate (GeoTrust CA, in this case), should
it fail? This is my question.
I don't know what validation path JSSE follows.

Regards



>
> On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <de...@gmail.com>
> wrote:
>
>> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <sb...@gmail.com>:
>> > What I meant is that you do use a self signed cert to sign a previously
>> > generated certificate but do not import this self signed cert into the
>> > truststore which would emulate the same situation you have now without
>> > having to provide a test where well known providers sign a given server
>> > certificate.
>>
>> OK
>> I'll try it
>>
>> Thanks
>>
>> >
>> > Sergey
>> >
>> >
>> >
>> > On 26/02/15 18:51, Jose María Zaragoza wrote:
>> >>
>> >> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <sb...@gmail.com>:
>> >>>
>> >>> Hi
>> >>>
>> >>> I guess this is what Colm is implying, that the actual problem that it
>> >>> does
>> >>> work.
>> >>> Can it be reproduced by a given server certificate with a self-signed
>> >>> certificate validating it ?
>> >>
>> >>
>> >>
>> >> Well, I don't have a testcase right now. I'll try to reproduce it .
>> >>
>> >> With a self signed certificate , the behaviour also is the same
>> >> But that makes sense ( for me ) , because your CA is yourself, so you
>> >> could trust on it ( if the certificate is imported into your keystore
>> >> )
>> >>
>> >> Regards
>> >>
>> >>
>> >>>
>> >>> Cheers, Sergey
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> On 26/02/15 16:55, Jose María Zaragoza wrote:
>> >>>>
>> >>>>
>> >>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> It does, but only if no truststore has been configured in CXF. Do you
>> >>>>> have a
>> >>>>> test-case that reproduces this problem?
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> Thanks, not really
>> >>>> Indeed, it's not a problem because my client works fine , but I cannot
>> >>>> understand why. I only imported the server certificate, no the others
>> >>>> in chain
>> >>>>
>> >>>> As I don't know how the underlying certificate validation is performed
>> >>>> , I don't know if this behaviour is caused by default settings in CXF
>> >>>> or another reason.
>> >>>>
>> >>>> Regards
>> >>>>
>> >>>>
>> >>>>>
>> >>>>> Colm.
>> >>>>>
>> >>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza
>> >>>>> <de...@gmail.com>
>> >>>>> wrote:
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org
>> >:
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> You are using "keyManagers" instead of "trustManagers" in the
>> >>>>>>> configuration. "keyManagers" is used when you need to specify a key
>> >>>>>>> for
>> >>>>>>> client authentication. "trustManagers" is used to verify trust in
>> the
>> >>>>>>> server's cert. As you have no "trustManagers" configuration here, I
>> >>>>>>> guess
>> >>>>>>> it is falling back on the default JVM settings
>> >>>>>>> (javax.net.ssl.trustStore)
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> Sorry, it was a typo. I'm using trustManagers
>> >>>>>>
>> >>>>>> <sec:trustManagers>
>> >>>>>>                 <sec:keyStore type="JKS" password="*******"
>> >>>>>> resource="truststore.jks"/>
>> >>>>>>             </sec:trustManagers>
>> >>>>>> <sec:cipherSuitesFilter>
>> >>>>>>
>> >>>>>> Do you know if JSSE ( I guess it's the underlying TLS
>> implementation )
>> >>>>>> uses default JVM truststore for checking certificates ?
>> >>>>>>
>> >>>>>> Thanks
>> >>>>>>
>> >>>>>>>
>> >>>>>>> Colm.
>> >>>>>>>
>> >>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
>> >>>>>>> <de...@gmail.com>
>> >>>>>>> wrote:
>> >>>>>>>
>> >>>>>>>> Hello:
>> >>>>>>>>
>> >>>>>>>> Maybe this question a bit off topic , but I try to understand why
>> my
>> >>>>>>>> client works.
>> >>>>>>>>
>> >>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL /TLS)
>> >>>>>>>> This is my settings:
>> >>>>>>>>
>> >>>>>>>> <http-conf:conduit name="https://.*">
>> >>>>>>>>     <http-conf:tlsClientParameters>
>> >>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
>> >>>>>>>>           <sec:keyStore type="JKS" password="xxxxxxxx"
>> >>>>>>>> resource="truststore.jks"/>
>> >>>>>>>>      </sec:keyManagers>
>> >>>>>>>>
>> >>>>>>>> I've imported SSL server certificate into truststore.jks
>> >>>>>>>> And it works fine.
>> >>>>>>>>
>> >>>>>>>> But this certificate is signed by a CA chain ( from .godaddy.com)
>> ,
>> >>>>>>>> and ( I think ) I don't have imported any certificate from godaddy
>> >>>>>>>> Why does my client trust in the server certificate ?
>> >>>>>>>> Is not  performed some Certification Path Validation process ?
>> >>>>>>>>
>> >>>>>>>> Thanks and regards
>> >>>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> --
>> >>>>>>> Colm O hEigeartaigh
>> >>>>>>>
>> >>>>>>> Talend Community Coder
>> >>>>>>> http://coders.talend.com
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> --
>> >>>>> Colm O hEigeartaigh
>> >>>>>
>> >>>>> Talend Community Coder
>> >>>>> http://coders.talend.com
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> Sergey Beryozkin
>> >>>
>> >>> Talend Community Coders
>> >>> http://coders.talend.com/
>> >>>
>> >>> Blog: http://sberyozkin.blogspot.com
>> >
>> >
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

Re: Check SSL server certificate

Posted by Colm O hEigeartaigh <co...@apache.org>.
I did a quick test using CXF's WebClient doing a "GET" on
https://www.google.com. It works fine when you don't specify any
TLSClientParameters as expected, as it picks up the default cacerts.
However, when I added the following it fails (also as expected):

<http:conduit name="https://.*">
  <http:tlsClientParameters disableCNCheck="true">
    <sec:trustManagers>
      <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
    </sec:trustManagers>
  </http:tlsClientParameters>
</http:conduit>

Colm.

On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <de...@gmail.com>
wrote:

> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <sb...@gmail.com>:
> > What I meant is that you do use a self signed cert to sign a previously
> > generated certificate but do not import this self signed cert into the
> > truststore which would emulate the same situation you have now without
> > having to provide a test where well known providers sign a given server
> > certificate.
>
> OK
> I'll try it
>
> Thanks
>
> >
> > Sergey
> >
> >
> >
> > On 26/02/15 18:51, Jose María Zaragoza wrote:
> >>
> >> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <sb...@gmail.com>:
> >>>
> >>> Hi
> >>>
> >>> I guess this is what Colm is implying, that the actual problem that it
> >>> does
> >>> work.
> >>> Can it be reproduced by a given server certificate with a self-signed
> >>> certificate validating it ?
> >>
> >>
> >>
> >> Well, I don't have a testcase right now. I'll try to reproduce it .
> >>
> >> With a self signed certificate , the behaviour also is the same
> >> But that makes sense ( for me ) , because your CA is yourself, so you
> >> could trust on it ( if the certificate is imported into your keystore
> >> )
> >>
> >> Regards
> >>
> >>
> >>>
> >>> Cheers, Sergey
> >>>
> >>>
> >>>
> >>>
> >>> On 26/02/15 16:55, Jose María Zaragoza wrote:
> >>>>
> >>>>
> >>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
> >>>>>
> >>>>>
> >>>>>
> >>>>> It does, but only if no truststore has been configured in CXF. Do you
> >>>>> have a
> >>>>> test-case that reproduces this problem?
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> Thanks, not really
> >>>> Indeed, it's not a problem because my client works fine , but I cannot
> >>>> understand why. I only imported the server certificate, no the others
> >>>> in chain
> >>>>
> >>>> As I don't know how the underlying certificate validation is performed
> >>>> , I don't know if this behaviour is caused by default settings in CXF
> >>>> or another reason.
> >>>>
> >>>> Regards
> >>>>
> >>>>
> >>>>>
> >>>>> Colm.
> >>>>>
> >>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza
> >>>>> <de...@gmail.com>
> >>>>> wrote:
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org
> >:
> >>>>>>>
> >>>>>>>
> >>>>>>> You are using "keyManagers" instead of "trustManagers" in the
> >>>>>>> configuration. "keyManagers" is used when you need to specify a key
> >>>>>>> for
> >>>>>>> client authentication. "trustManagers" is used to verify trust in
> the
> >>>>>>> server's cert. As you have no "trustManagers" configuration here, I
> >>>>>>> guess
> >>>>>>> it is falling back on the default JVM settings
> >>>>>>> (javax.net.ssl.trustStore)
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Sorry, it was a typo. I'm using trustManagers
> >>>>>>
> >>>>>> <sec:trustManagers>
> >>>>>>                 <sec:keyStore type="JKS" password="*******"
> >>>>>> resource="truststore.jks"/>
> >>>>>>             </sec:trustManagers>
> >>>>>> <sec:cipherSuitesFilter>
> >>>>>>
> >>>>>> Do you know if JSSE ( I guess it's the underlying TLS
> implementation )
> >>>>>> uses default JVM truststore for checking certificates ?
> >>>>>>
> >>>>>> Thanks
> >>>>>>
> >>>>>>>
> >>>>>>> Colm.
> >>>>>>>
> >>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
> >>>>>>> <de...@gmail.com>
> >>>>>>> wrote:
> >>>>>>>
> >>>>>>>> Hello:
> >>>>>>>>
> >>>>>>>> Maybe this question a bit off topic , but I try to understand why
> my
> >>>>>>>> client works.
> >>>>>>>>
> >>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL /TLS)
> >>>>>>>> This is my settings:
> >>>>>>>>
> >>>>>>>> <http-conf:conduit name="https://.*">
> >>>>>>>>     <http-conf:tlsClientParameters>
> >>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
> >>>>>>>>           <sec:keyStore type="JKS" password="xxxxxxxx"
> >>>>>>>> resource="truststore.jks"/>
> >>>>>>>>      </sec:keyManagers>
> >>>>>>>>
> >>>>>>>> I've imported SSL server certificate into truststore.jks
> >>>>>>>> And it works fine.
> >>>>>>>>
> >>>>>>>> But this certificate is signed by a CA chain ( from .godaddy.com)
> ,
> >>>>>>>> and ( I think ) I don't have imported any certificate from godaddy
> >>>>>>>> Why does my client trust in the server certificate ?
> >>>>>>>> Is not  performed some Certification Path Validation process ?
> >>>>>>>>
> >>>>>>>> Thanks and regards
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> Colm O hEigeartaigh
> >>>>>>>
> >>>>>>> Talend Community Coder
> >>>>>>> http://coders.talend.com
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Colm O hEigeartaigh
> >>>>>
> >>>>> Talend Community Coder
> >>>>> http://coders.talend.com
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> Sergey Beryozkin
> >>>
> >>> Talend Community Coders
> >>> http://coders.talend.com/
> >>>
> >>> Blog: http://sberyozkin.blogspot.com
> >
> >
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Check SSL server certificate

Posted by Jose María Zaragoza <de...@gmail.com>.
2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <sb...@gmail.com>:
> What I meant is that you do use a self signed cert to sign a previously
> generated certificate but do not import this self signed cert into the
> truststore which would emulate the same situation you have now without
> having to provide a test where well known providers sign a given server
> certificate.

OK
I'll try it

Thanks

>
> Sergey
>
>
>
> On 26/02/15 18:51, Jose María Zaragoza wrote:
>>
>> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <sb...@gmail.com>:
>>>
>>> Hi
>>>
>>> I guess this is what Colm is implying, that the actual problem that it
>>> does
>>> work.
>>> Can it be reproduced by a given server certificate with a self-signed
>>> certificate validating it ?
>>
>>
>>
>> Well, I don't have a testcase right now. I'll try to reproduce it .
>>
>> With a self signed certificate , the behaviour also is the same
>> But that makes sense ( for me ) , because your CA is yourself, so you
>> could trust on it ( if the certificate is imported into your keystore
>> )
>>
>> Regards
>>
>>
>>>
>>> Cheers, Sergey
>>>
>>>
>>>
>>>
>>> On 26/02/15 16:55, Jose María Zaragoza wrote:
>>>>
>>>>
>>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>>>>>
>>>>>
>>>>>
>>>>> It does, but only if no truststore has been configured in CXF. Do you
>>>>> have a
>>>>> test-case that reproduces this problem?
>>>>
>>>>
>>>>
>>>>
>>>> Thanks, not really
>>>> Indeed, it's not a problem because my client works fine , but I cannot
>>>> understand why. I only imported the server certificate, no the others
>>>> in chain
>>>>
>>>> As I don't know how the underlying certificate validation is performed
>>>> , I don't know if this behaviour is caused by default settings in CXF
>>>> or another reason.
>>>>
>>>> Regards
>>>>
>>>>
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza
>>>>> <de...@gmail.com>
>>>>> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>>>>>>>
>>>>>>>
>>>>>>> You are using "keyManagers" instead of "trustManagers" in the
>>>>>>> configuration. "keyManagers" is used when you need to specify a key
>>>>>>> for
>>>>>>> client authentication. "trustManagers" is used to verify trust in the
>>>>>>> server's cert. As you have no "trustManagers" configuration here, I
>>>>>>> guess
>>>>>>> it is falling back on the default JVM settings
>>>>>>> (javax.net.ssl.trustStore)
>>>>>>
>>>>>>
>>>>>>
>>>>>> Sorry, it was a typo. I'm using trustManagers
>>>>>>
>>>>>> <sec:trustManagers>
>>>>>>                 <sec:keyStore type="JKS" password="*******"
>>>>>> resource="truststore.jks"/>
>>>>>>             </sec:trustManagers>
>>>>>> <sec:cipherSuitesFilter>
>>>>>>
>>>>>> Do you know if JSSE ( I guess it's the underlying TLS implementation )
>>>>>> uses default JVM truststore for checking certificates ?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
>>>>>>> <de...@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hello:
>>>>>>>>
>>>>>>>> Maybe this question a bit off topic , but I try to understand why my
>>>>>>>> client works.
>>>>>>>>
>>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL /TLS)
>>>>>>>> This is my settings:
>>>>>>>>
>>>>>>>> <http-conf:conduit name="https://.*">
>>>>>>>>     <http-conf:tlsClientParameters>
>>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
>>>>>>>>           <sec:keyStore type="JKS" password="xxxxxxxx"
>>>>>>>> resource="truststore.jks"/>
>>>>>>>>      </sec:keyManagers>
>>>>>>>>
>>>>>>>> I've imported SSL server certificate into truststore.jks
>>>>>>>> And it works fine.
>>>>>>>>
>>>>>>>> But this certificate is signed by a CA chain ( from .godaddy.com)  ,
>>>>>>>> and ( I think ) I don't have imported any certificate from godaddy
>>>>>>>> Why does my client trust in the server certificate ?
>>>>>>>> Is not  performed some Certification Path Validation process ?
>>>>>>>>
>>>>>>>> Thanks and regards
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Colm O hEigeartaigh
>>>>>>>
>>>>>>> Talend Community Coder
>>>>>>> http://coders.talend.com
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Colm O hEigeartaigh
>>>>>
>>>>> Talend Community Coder
>>>>> http://coders.talend.com
>>>
>>>
>>>
>>>
>>> --
>>> Sergey Beryozkin
>>>
>>> Talend Community Coders
>>> http://coders.talend.com/
>>>
>>> Blog: http://sberyozkin.blogspot.com
>
>

Re: Check SSL server certificate

Posted by Sergey Beryozkin <sb...@gmail.com>.
What I meant is that you use a self-signed cert to sign a previously
generated certificate but do not import this self-signed cert into the
truststore. That would emulate the same situation you have now without
having to provide a test where well-known providers sign a given server
certificate.

Sergey


On 26/02/15 18:51, Jose María Zaragoza wrote:
> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <sb...@gmail.com>:
>> Hi
>>
>> I guess this is what Colm is implying, that the actual problem that it does
>> work.
>> Can it be reproduced by a given server certificate with a self-signed
>> certificate validating it ?
>
>
> Well, I don't have a testcase right now. I'll try to reproduce it .
>
> With a self signed certificate , the behaviour also is the same
> But that makes sense ( for me ) , because your CA is yourself, so you
> could trust on it ( if the certificate is imported into your keystore
> )
>
> Regards
>
>
>>
>> Cheers, Sergey
>>
>>
>>
>>
>> On 26/02/15 16:55, Jose María Zaragoza wrote:
>>>
>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>>>>
>>>>
>>>> It does, but only if no truststore has been configured in CXF. Do you
>>>> have a
>>>> test-case that reproduces this problem?
>>>
>>>
>>>
>>> Thanks, not really
>>> Indeed, it's not a problem because my client works fine , but I cannot
>>> understand why. I only imported the server certificate, no the others
>>> in chain
>>>
>>> As I don't know how the underlying certificate validation is performed
>>> , I don't know if this behaviour is caused by default settings in CXF
>>> or another reason.
>>>
>>> Regards
>>>
>>>
>>>>
>>>> Colm.
>>>>
>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza
>>>> <de...@gmail.com>
>>>> wrote:
>>>>>
>>>>>
>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>>>>>>
>>>>>> You are using "keyManagers" instead of "trustManagers" in the
>>>>>> configuration. "keyManagers" is used when you need to specify a key for
>>>>>> client authentication. "trustManagers" is used to verify trust in the
>>>>>> server's cert. As you have no "trustManagers" configuration here, I
>>>>>> guess
>>>>>> it is falling back on the default JVM settings
>>>>>> (javax.net.ssl.trustStore)
>>>>>
>>>>>
>>>>> Sorry, it was a typo. I'm using trustManagers
>>>>>
>>>>> <sec:trustManagers>
>>>>>                 <sec:keyStore type="JKS" password="*******"
>>>>> resource="truststore.jks"/>
>>>>>             </sec:trustManagers>
>>>>> <sec:cipherSuitesFilter>
>>>>>
>>>>> Do you know if JSSE ( I guess it's the underlying TLS implementation )
>>>>> uses default JVM truststore for checking certificates ?
>>>>>
>>>>> Thanks
>>>>>
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
>>>>>> <de...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello:
>>>>>>>
>>>>>>> Maybe this question a bit off topic , but I try to understand why my
>>>>>>> client works.
>>>>>>>
>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL /TLS)
>>>>>>> This is my settings:
>>>>>>>
>>>>>>> <http-conf:conduit name="https://.*">
>>>>>>>     <http-conf:tlsClientParameters>
>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
>>>>>>>           <sec:keyStore type="JKS" password="xxxxxxxx"
>>>>>>> resource="truststore.jks"/>
>>>>>>>      </sec:keyManagers>
>>>>>>>
>>>>>>> I've imported SSL server certificate into truststore.jks
>>>>>>> And it works fine.
>>>>>>>
>>>>>>> But this certificate is signed by a CA chain ( from .godaddy.com)  ,
>>>>>>> and ( I think ) I don't have imported any certificate from godaddy
>>>>>>> Why does my client trust in the server certificate ?
>>>>>>> Is not  performed some Certification Path Validation process ?
>>>>>>>
>>>>>>> Thanks and regards
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Colm O hEigeartaigh
>>>>>>
>>>>>> Talend Community Coder
>>>>>> http://coders.talend.com
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Colm O hEigeartaigh
>>>>
>>>> Talend Community Coder
>>>> http://coders.talend.com
>>
>>
>>
>> --
>> Sergey Beryozkin
>>
>> Talend Community Coders
>> http://coders.talend.com/
>>
>> Blog: http://sberyozkin.blogspot.com


Re: Check SSL server certificate

Posted by Jose María Zaragoza <de...@gmail.com>.
2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <sb...@gmail.com>:
> Hi
>
> I guess this is what Colm is implying, that the actual problem that it does
> work.
> Can it be reproduced by a given server certificate with a self-signed
> certificate validating it ?


Well, I don't have a test case right now. I'll try to reproduce it.

With a self-signed certificate, the behaviour is also the same.
But that makes sense (for me), because your CA is yourself, so you
could trust it (if the certificate is imported into your keystore).

Regards


>
> Cheers, Sergey
>
>
>
>
> On 26/02/15 16:55, Jose María Zaragoza wrote:
>>
>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>>>
>>>
>>> It does, but only if no truststore has been configured in CXF. Do you
>>> have a
>>> test-case that reproduces this problem?
>>
>>
>>
>> Thanks, not really
>> Indeed, it's not a problem because my client works fine , but I cannot
>> understand why. I only imported the server certificate, no the others
>> in chain
>>
>> As I don't know how the underlying certificate validation is performed
>> , I don't know if this behaviour is caused by default settings in CXF
>> or another reason.
>>
>> Regards
>>
>>
>>>
>>> Colm.
>>>
>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza
>>> <de...@gmail.com>
>>> wrote:
>>>>
>>>>
>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>>>>>
>>>>> You are using "keyManagers" instead of "trustManagers" in the
>>>>> configuration. "keyManagers" is used when you need to specify a key for
>>>>> client authentication. "trustManagers" is used to verify trust in the
>>>>> server's cert. As you have no "trustManagers" configuration here, I
>>>>> guess
>>>>> it is falling back on the default JVM settings
>>>>> (javax.net.ssl.trustStore)
>>>>
>>>>
>>>> Sorry, it was a typo. I'm using trustManagers
>>>>
>>>> <sec:trustManagers>
>>>>                <sec:keyStore type="JKS" password="*******"
>>>> resource="truststore.jks"/>
>>>>            </sec:trustManagers>
>>>> <sec:cipherSuitesFilter>
>>>>
>>>> Do you know if JSSE ( I guess it's the underlying TLS implementation )
>>>> uses default JVM truststore for checking certificates ?
>>>>
>>>> Thanks
>>>>
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
>>>>> <de...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hello:
>>>>>>
>>>>>> Maybe this question a bit off topic , but I try to understand why my
>>>>>> client works.
>>>>>>
>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL /TLS)
>>>>>> This is my settings:
>>>>>>
>>>>>> <http-conf:conduit name="https://.*">
>>>>>>    <http-conf:tlsClientParameters>
>>>>>>    <sec:keyManagers keyPassword="xxxxxxxx">
>>>>>>          <sec:keyStore type="JKS" password="xxxxxxxx"
>>>>>> resource="truststore.jks"/>
>>>>>>     </sec:keyManagers>
>>>>>>
>>>>>> I've imported SSL server certificate into truststore.jks
>>>>>> And it works fine.
>>>>>>
>>>>>> But this certificate is signed by a CA chain ( from .godaddy.com)  ,
>>>>>> and ( I think ) I don't have imported any certificate from godaddy
>>>>>> Why does my client trust in the server certificate ?
>>>>>> Is not  performed some Certification Path Validation process ?
>>>>>>
>>>>>> Thanks and regards
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Colm O hEigeartaigh
>>>>>
>>>>> Talend Community Coder
>>>>> http://coders.talend.com
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Colm O hEigeartaigh
>>>
>>> Talend Community Coder
>>> http://coders.talend.com
>
>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com

Re: Check SSL server certificate

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

I guess this is what Colm is implying: that the actual problem is that
it does work.
Can it be reproduced by a given server certificate with a self-signed
certificate validating it?

Cheers, Sergey



On 26/02/15 16:55, Jose María Zaragoza wrote:
> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>>
>> It does, but only if no truststore has been configured in CXF. Do you have a
>> test-case that reproduces this problem?
>
>
> Thanks, not really.
> Indeed, it's not a problem because my client works fine, but I cannot
> understand why. I only imported the server certificate, not the others
> in the chain.
>
> As I don't know how the underlying certificate validation is performed,
> I don't know if this behaviour is caused by default settings in CXF
> or another reason.
>
> Regards
>
>
>>
>> Colm.
>>
>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza <de...@gmail.com>
>> wrote:
>>>
>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>>>> You are using "keyManagers" instead of "trustManagers" in the
>>>> configuration. "keyManagers" is used when you need to specify a key for
>>>> client authentication. "trustManagers" is used to verify trust in the
>>>> server's cert. As you have no "trustManagers" configuration here, I
>>>> guess
>>>> it is falling back on the default JVM settings
>>>> (javax.net.ssl.trustStore).
>>>
>>> Sorry, it was a typo. I'm using trustManagers.
>>>
>>> <sec:trustManagers>
>>>                <sec:keyStore type="JKS" password="*******"
>>> resource="truststore.jks"/>
>>>            </sec:trustManagers>
>>> <sec:cipherSuitesFilter>
>>>
>>> Do you know if JSSE (I guess it's the underlying TLS implementation)
>>> uses the default JVM truststore for checking certificates?
>>>
>>> Thanks
>>>
>>>>
>>>> Colm.
>>>>
>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
>>>> <de...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hello:
>>>>>
>>>>> Maybe this question is a bit off topic, but I'm trying to understand
>>>>> why my client works.
>>>>>
>>>>> I use CXF 2.7.8 to call a remote web service over HTTPS (SSL/TLS).
>>>>> These are my settings:
>>>>>
>>>>> <http-conf:conduit name="https://.*">
>>>>>    <http-conf:tlsClientParameters>
>>>>>    <sec:keyManagers keyPassword="xxxxxxxx">
>>>>>          <sec:keyStore type="JKS" password="xxxxxxxx"
>>>>> resource="truststore.jks"/>
>>>>>     </sec:keyManagers>
>>>>>
>>>>> I've imported the SSL server certificate into truststore.jks,
>>>>> and it works fine.
>>>>>
>>>>> But this certificate is signed by a CA chain (from .godaddy.com),
>>>>> and (I think) I haven't imported any certificate from GoDaddy.
>>>>> Why does my client trust the server certificate?
>>>>> Isn't some Certification Path Validation process performed?
>>>>>
>>>>> Thanks and regards
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Colm O hEigeartaigh
>>>>
>>>> Talend Community Coder
>>>> http://coders.talend.com
>>
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: Check SSL server certificate

Posted by Jose María Zaragoza <de...@gmail.com>.
2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>
> It does, but only if no truststore has been configured in CXF. Do you have a
> test-case that reproduces this problem?


Thanks, not really.
Indeed, it's not a problem because my client works fine, but I cannot
understand why. I only imported the server certificate, not the others
in the chain.

As I don't know how the underlying certificate validation is performed,
I don't know if this behaviour is caused by default settings in CXF
or another reason.

Regards


>
> Colm.
>
> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza <de...@gmail.com>
> wrote:
>>
>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>> > You are using "keyManagers" instead of "trustManagers" in the
>> > configuration. "keyManagers" is used when you need to specify a key for
>> > client authentication. "trustManagers" is used to verify trust in the
>> > server's cert. As you have no "trustManagers" configuration here, I
>> > guess
>> > it is falling back on the default JVM settings
>> > (javax.net.ssl.trustStore).
>>
>> Sorry, it was a typo. I'm using trustManagers.
>>
>> <sec:trustManagers>
>>               <sec:keyStore type="JKS" password="*******"
>> resource="truststore.jks"/>
>>           </sec:trustManagers>
>> <sec:cipherSuitesFilter>
>>
>> Do you know if JSSE (I guess it's the underlying TLS implementation)
>> uses the default JVM truststore for checking certificates?
>>
>> Thanks
>>
>> >
>> > Colm.
>> >
>> > On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
>> > <de...@gmail.com>
>> > wrote:
>> >
>> >> Hello:
>> >>
>> >> Maybe this question is a bit off topic, but I'm trying to understand
>> >> why my client works.
>> >>
>> >> I use CXF 2.7.8 to call a remote web service over HTTPS (SSL/TLS).
>> >> These are my settings:
>> >>
>> >> <http-conf:conduit name="https://.*">
>> >>   <http-conf:tlsClientParameters>
>> >>   <sec:keyManagers keyPassword="xxxxxxxx">
>> >>         <sec:keyStore type="JKS" password="xxxxxxxx"
>> >> resource="truststore.jks"/>
>> >>    </sec:keyManagers>
>> >>
>> >> I've imported the SSL server certificate into truststore.jks,
>> >> and it works fine.
>> >>
>> >> But this certificate is signed by a CA chain (from .godaddy.com),
>> >> and (I think) I haven't imported any certificate from GoDaddy.
>> >> Why does my client trust the server certificate?
>> >> Isn't some Certification Path Validation process performed?
>> >>
>> >> Thanks and regards
>> >>
>> >
>> >
>> >
>> > --
>> > Colm O hEigeartaigh
>> >
>> > Talend Community Coder
>> > http://coders.talend.com
>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

Re: Check SSL server certificate

Posted by Colm O hEigeartaigh <co...@apache.org>.
It does, but only if no truststore has been configured in CXF. Do you have
a test-case that reproduces this problem?

Colm.

On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza <de...@gmail.com>
wrote:

> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
> > You are using "keyManagers" instead of "trustManagers" in the
> > configuration. "keyManagers" is used when you need to specify a key for
> > client authentication. "trustManagers" is used to verify trust in the
> > server's cert. As you have no "trustManagers" configuration here, I guess
> > it is falling back on the default JVM settings (javax.net.ssl.trustStore).
>
> Sorry, it was a typo. I'm using trustManagers.
>
> <sec:trustManagers>
>               <sec:keyStore type="JKS" password="*******"
> resource="truststore.jks"/>
>           </sec:trustManagers>
> <sec:cipherSuitesFilter>
>
> Do you know if JSSE (I guess it's the underlying TLS implementation)
> uses the default JVM truststore for checking certificates?
>
> Thanks
>
> >
> > Colm.
> >
> > On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza <
> demablogia@gmail.com>
> > wrote:
> >
> >> Hello:
> >>
> >> Maybe this question is a bit off topic, but I'm trying to understand
> >> why my client works.
> >>
> >> I use CXF 2.7.8 to call a remote web service over HTTPS (SSL/TLS).
> >> These are my settings:
> >>
> >> <http-conf:conduit name="https://.*">
> >>   <http-conf:tlsClientParameters>
> >>   <sec:keyManagers keyPassword="xxxxxxxx">
> >>         <sec:keyStore type="JKS" password="xxxxxxxx"
> >> resource="truststore.jks"/>
> >>    </sec:keyManagers>
> >>
> >> I've imported the SSL server certificate into truststore.jks,
> >> and it works fine.
> >>
> >> But this certificate is signed by a CA chain (from .godaddy.com),
> >> and (I think) I haven't imported any certificate from GoDaddy.
> >> Why does my client trust the server certificate?
> >> Isn't some Certification Path Validation process performed?
> >>
> >> Thanks and regards
> >>
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Check SSL server certificate

Posted by Jose María Zaragoza <de...@gmail.com>.
2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
> You are using "keyManagers" instead of "trustManagers" in the
> configuration. "keyManagers" is used when you need to specify a key for
> client authentication. "trustManagers" is used to verify trust in the
> server's cert. As you have no "trustManagers" configuration here, I guess
> it is falling back on the default JVM settings (javax.net.ssl.trustStore).

Sorry, it was a typo. I'm using trustManagers.

<sec:trustManagers>
              <sec:keyStore type="JKS" password="*******"
resource="truststore.jks"/>
          </sec:trustManagers>
<sec:cipherSuitesFilter>

Do you know if JSSE (I guess it's the underlying TLS implementation)
uses the default JVM truststore for checking certificates?

Thanks

>
> Colm.
>
> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza <de...@gmail.com>
> wrote:
>
>> Hello:
>>
>> Maybe this question is a bit off topic, but I'm trying to understand
>> why my client works.
>>
>> I use CXF 2.7.8 to call a remote web service over HTTPS (SSL/TLS).
>> These are my settings:
>>
>> <http-conf:conduit name="https://.*">
>>   <http-conf:tlsClientParameters>
>>   <sec:keyManagers keyPassword="xxxxxxxx">
>>         <sec:keyStore type="JKS" password="xxxxxxxx"
>> resource="truststore.jks"/>
>>    </sec:keyManagers>
>>
>> I've imported the SSL server certificate into truststore.jks,
>> and it works fine.
>>
>> But this certificate is signed by a CA chain (from .godaddy.com),
>> and (I think) I haven't imported any certificate from GoDaddy.
>> Why does my client trust the server certificate?
>> Isn't some Certification Path Validation process performed?
>>
>> Thanks and regards
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

Re: Check SSL server certificate

Posted by Colm O hEigeartaigh <co...@apache.org>.
You are using "keyManagers" instead of "trustManagers" in the
configuration. "keyManagers" is used when you need to specify a key for
client authentication. "trustManagers" is used to verify trust in the
server's cert. As you have no "trustManagers" configuration here, I guess
it is falling back on the default JVM settings (javax.net.ssl.trustStore).

Colm.

On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza <de...@gmail.com>
wrote:

> Hello:
>
> Maybe this question is a bit off topic, but I'm trying to understand
> why my client works.
>
> I use CXF 2.7.8 to call a remote web service over HTTPS (SSL/TLS).
> These are my settings:
>
> <http-conf:conduit name="https://.*">
>   <http-conf:tlsClientParameters>
>   <sec:keyManagers keyPassword="xxxxxxxx">
>         <sec:keyStore type="JKS" password="xxxxxxxx"
> resource="truststore.jks"/>
>    </sec:keyManagers>
>
> I've imported the SSL server certificate into truststore.jks,
> and it works fine.
>
> But this certificate is signed by a CA chain (from .godaddy.com),
> and (I think) I haven't imported any certificate from GoDaddy.
> Why does my client trust the server certificate?
> Isn't some Certification Path Validation process performed?
>
> Thanks and regards
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
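The trust question running through this thread (why a client whose truststore holds only the server's leaf certificate accepts the chain without any GoDaddy CA present) comes down to how the JDK's PKIX trust manager treats truststore entries: every certificate in the truststore is a trust anchor, and when the first certificate of the presented chain is itself an anchor the validator accepts the chain at once, with no path building to the issuer and, as the later test in this thread shows, no validity-date check either. The following diagnostic is an added example, not code from the thread, from CXF or from Colm; it loads a JKS truststore of the kind `<sec:trustManagers>` points at, reports which certificates of the server's chain are already trust anchors, asks the same PKIX `X509TrustManager` that CXF hands to JSSE whether it accepts the chain, and then checks validity dates explicitly so the pinned-leaf gap is visible. The class name `TrustCheck`, the command-line arguments and the assumption that the server chain is supplied as a PEM file with the leaf first are all the example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic (not CXF code): show what a JKS truststore makes the JDK's
 * PKIX trust manager decide about a server certificate chain.
 *
 * Usage (file names and password are assumptions, supply your own):
 *   java TrustCheck truststore.jks changeit server-chain.pem
 * server-chain.pem holds the chain as presented by the server, leaf first.
 */
public class TrustCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustCheck <truststore.jks> <password> <chain.pem>");
            System.exit(2);
        }
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[1].toCharArray());
        }
        X509Certificate[] chain = loadChain(args[2]);
        if (chain.length == 0) {
            throw new IllegalArgumentException("no certificates found in " + args[2]);
        }

        // 1. Which certificates of the presented chain are trust anchors themselves?
        //    An alias for chain[0] means the leaf is pinned (mode "a" in the thread).
        for (X509Certificate cert : chain) {
            String alias = trustStore.getCertificateAlias(cert);
            System.out.printf("%-60s anchor=%s%n",
                    cert.getSubjectX500Principal(), alias != null ? alias : "no");
        }

        // 2. The decision of the PKIX trust manager built from this truststore.
        //    This is the same manager CXF installs into JSSE for <sec:trustManagers>
        //    (programmatically: TLSClientParameters.setTrustManagers(tmf.getTrustManagers())).
        //    If chain[0] is a trust anchor the validator returns success without
        //    building a path to the CA.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        X509TrustManager tm = firstX509(tmf.getTrustManagers());
        try {
            tm.checkServerTrusted(chain, "RSA");
            System.out.println("PKIX trust manager: chain accepted");
        } catch (CertificateException e) {
            System.out.println("PKIX trust manager: chain rejected: " + e);
        }

        // 3. Explicit validity-period check for every certificate in the chain.
        //    A pinned leaf is accepted in step 2 even when expired, so this is
        //    the check that surfaces that condition.
        for (X509Certificate cert : chain) {
            try {
                cert.checkValidity();
            } catch (CertificateException e) {
                System.out.println("validity: " + cert.getSubjectX500Principal() + " -> " + e);
            }
        }
    }

    /** Parse one or more PEM-encoded X.509 certificates from a file, in file order. */
    static X509Certificate[] loadChain(String pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemFile)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : certs) {
                out.add((X509Certificate) c);
            }
            return out.toArray(new X509Certificate[0]);
        }
    }

    /** Pick the X509TrustManager out of the factory's managers. */
    static X509TrustManager firstX509(TrustManager[] managers) {
        for (TrustManager tm : managers) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }
}
```

Run it twice: once against a truststore that holds only the server certificate and once against one that holds only its issuing CA. In the first case step 1 shows the leaf as an anchor and step 2 accepts the chain regardless of dates, which is the behaviour reported in this thread; in the second case step 2 performs a full path validation, so an expired or not-yet-valid leaf is rejected there as well as in step 3. Pinning the issuing CA rather than the leaf is therefore the configuration that keeps the validity check in the TLS handshake itself.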