The overall product is CrushFTP (www.crushftp.com). It can act as a
client connecting via FTPS to another FTP server, which might be
using a self signed cert. This is when it acts as a client.
Additionally, when a client is connected via FTP in active mode, when
I connect back to them, I am acting as a client SSLSocket at that
time too.
The issue I am needing help with here is only involving the client
certificate authentication. Don't worry about when I'm acting as a
client...its unrelated to this, and is working as I intended it too.
I want to force a web browser to present its certificate, and if I
trust it via my keystore, then the connection can proceed to a user/
pass authentication.
My issue is that this is failing at the cert the browser is
presenting...either none, or not a valid one. It seems from your
comments I am doing this correctly using the null TrustManagers. I
don't want any connection to be accepted unless its a trusted cert,
once that I gave them.
So why is the browser not giving the cert? Have I made the cert
wrong? Is there something else I have to do with the SSLServerSocket
to make it really ask the browser for the right cert?
My *guess* on this issue is that the browser is either not sending
the cert since the server cert presented is untrusted, or because
some other key field in the server cert is making the browser not
bother sending the cert.
Thanks,
Ben
On Sep 2, 2008, at 9:20 AM, Bruno Harbulot wrote:
Hi Ben,
I'm really confused here, I'm not sure if your application is a
client, a server, or both.
Assuming it's a server (which seems to make more sense according to
what you've said before), for the browser to send its client
certificate to this server, you'll need to have the server trust
that certificate (or at least try to) and have its socket need
client authentication. Indeed, initialising the SSLContext with a
null array of TrustManagers will use the default CA certificates or
those in the keystore passed via -Djavax.net.ssl.trustStore=... (In
fact, if it's all you want to do, you probably don't need to build
an SSLContext; using the default SSLSocketFactory should be enough
in this case.)
For your client, if you really want to trust any server
certificate, having a TrustManager with an empty checkServerTrusted
() method should work. I've never tried this particular case.
Best wishes,
Bruno.
Ben Spink wrote:
Sorry this is confusing here. I don't ever want to trust all
client certs. I only want to trust all server certs, and I
understand the issues with this. Its something that will change
in the future.
I was assuming with the null trustmanager being set, the default
would be used, so that only certs trusted int eh chain in the
keystore would be OK. That was my intent at least.
I'm going to make a java client today to test what I have. Then I
will know better if this is some browser specific issue. Has
anyone done this before? Has anyone setup Tomcat succesfully
doing this? If it works, I can't see why this doesn't.
Thanks,
Ben
On Tue, Sep 2, 2008 at 3:41 AM, Bruno Harbulot
<email@hidden
<mailto:email@hidden>> wrote:
Hi Ben,
What you've also done in your code, is that, when
"needClientAuth"
is true, you're using a null array of TrustManagers, that is,
you're
using the default trust material, so it will ask for client
certificates issues by CAs in the default bundle. Whether-or-
not you
need or want client authentication should not be in your
SSLContext
builder. (I also suspect there might be a problem with
"getAcceptedIssuers()" returning null in your example, but I
haven't
tried, so I'm not sure to be honest.)
If you want to use jSSLutils, I've implemented some wrappers that
will let your server trust any client certificate:
X509SSLContextFactory sslContextFactory = new
X509SSLContextFactory(
... keyStore ...,
... key password (char[] or String) ...,
... trustStore ...);
sslContextFactory.setTrustManagerWrapper(new
TrustAllClientsWrappingTrustManager.Wrapper());
SSLContext sslContext = sslContextFactory.buildSSLContext());
...
serverSocket.setNeedClientAuthentication(true);
...
(There's a slightly more complex example in
org.jsslutils.sslcontext.test.TrustAllClientsServerTest)
This should make your server accept any client certificate.
Try it
with Firefox first, since Safari is a bit capricious as to
when it
decides to present client certificates (although it might not
be a
problem if you use "need" rather than "want").
Trusting any client certificate (including self-signed) can
have its
applications, although quite limited. However, you mention that
you're also using this to trust any server certificate when your
application is the client that makes outgoing connections. This
sounds actually like a rather bad idea, as this will make the
connection prone to man-in-the-middle attacks (like anonymous
cipher
suites), which defeats the purpose of using SSL, unless
perhaps you
check the certificate "manually" before doing anything with the
connection, but this seems a bit awkward and risky.
Best wishes,
Bruno.
Ben Spink wrote:
That getSSLContext function is used by another call where
I do
an outgoing SSLSocket and may want to trust all certs, certs
that are self signed, etc. That was the reason for it. (At
least I think...)
I tried adding the client.key to my keystore (after
deleting it
first) and did the -trustcacerts...same effect. Its as if
firefox never sends the cert...?
I suspect if I made my own SSL client and tested, this would
work fine......
As for the cert generation, I didn't want to use a
different CA
for testing, but I am aware of the benefit of doing so...only
add one cert to the keystore and you are done.
I will try and play with the jUnit tests tomorrow and see
what I
find there. I suspect things will work as I don't think
its an
issue with the code...but something that is keeping the
browser
from deciding to send a cert.
I am doing the "serverSocket.setNeedClientAuth(true);" I
am not
doing "want" as I really do need it. Doing want results in
success...but no cert was sent as it wasn't required.
Thanks,
Ben
On Sep 1, 2008, at 12:13 PM, Bruno Harbulot wrote:
There are some small examples in the jUnit tests for
jSSLutils [1] if you're interested. It also comes with
test
certificates for "localhost", "testclient" as well as
"testclient-r" to test the CRL configuration. (All the
passwords for these test keystores, PKCS#12 or JKS, are
"testtest".)
Best wishes,
Bruno.
[1] http://www.jsslutils.org/
Ben Spink wrote:
I'm attempting what should be easy client certificate
authentication. Once authenticated, via the cert, I
will then present a login page for the rest of the
authentication process.
Here is a code snippet:
ServerSocketFactory ssf =
getSSLContext
("mykey.jks",keystorepass,keypass,"SSLv3",
needClientAuth).getServerSocketFactory();
SSLServerSocket serverSocket = (SSLServerSocket)
ssf.createServerSocket(serverPort,serverPort);
.
.
.
public SSLContext getSSLContext(String KEYSTORE,
String keystorepass, String keypass, String
secureType,
boolean needClientAuth) throws Exception
{
String className =
"com.sun.net.ssl.internal.ssl.Provider";
java.security.Provider provider =
(java.security.Provider)
Thread.currentThread().getContextClassLoader
().loadClass(className).newInstance();
Security.addProvider(provider);
KeyStore keystore = KeyStore.getInstance
("JKS");
keystore.load(new FileInputStream(KEYSTORE),
keystorepass.toCharArray());
KeyManagerFactory kmf =
KeyManagerFactory.getInstance
(javax.net.ssl.KeyManagerFactory.getDefaultAlgorithm());
kmf.init(keystore, keypass.toCharArray());
TrustManager[] trustAllCerts = new
TrustManager[]{ new X509TrustManager() {
public
java.security.cert.X509Certificate[]
getAcceptedIssuers() {return null;}
public void
checkClientTrusted
(java.security.cert.X509Certificate[]
certs, String authType) {}
public void
checkServerTrusted
(java.security.cert.X509Certificate[]
certs, String authType) {}
}};
SSLContext sslc = SSLContext.getInstance
(secureType);
if (needClientAuth)
sslc.init(kmf.getKeyManagers(), null, new
java.security.SecureRandom());
else sslc.init(kmf.getKeyManagers(),
trustAllCerts, new java.security.SecureRandom());
return sslc;
}
My keys were built using these commands.
keytool -genkey -keystore mykey.jks
openssl genrsa -out client.key
openssl req -new -x509 -days 365 -key client.key -out
client.crt
openssl pkcs12 -export -clcerts -in client.crt -inkey
client.key -out client.p12
openssl x509 -inform PEM -outform DER -in client.crt
-out client.x509
keytool -import -keystore mykey.jks -file client.x509
-alias client
The client.p12 was imported into firefox, and also
into
my certificates in keychain.app.
However, neither safari, nor firefox can authenticate
correctly with the cert. I always get an exception
trying to trust the cert which should be trusted as I
imported it in my keystore.
FireFox:
javax.net.ssl.SSLHandshakeException: null cert chain
com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a:-1
.
.
.
java.io.BufferedInputStream.read:277
java.io.FilterInputStream.read:90
or Safari:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted
certificate found
com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a:-1
.
.
.
java.io.BufferedInputStream.read:277
java.io.FilterInputStream.read:90
Any ideas on what I am missing? I trust the
server cert
in the browser, then the client cert presented
appears
to either be null, or invalid.
Thanks,
Ben
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/java-dev/email@hidden
