SSL: make Java check the whole trust chain


Say I'm communicating with a client via HTTPS with this certificate chain:

    acme root
      |
      +--- acme intermediate
             |
             +--- server cert

I've created a trust store and imported the acme intermediate certificate using

    keytool -import -alias intermediate-ca -file acme_intermediate.der -keystore /path/to/intermediate-cacerts

and started the VM with

    java -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=/path/to/intermediate-cacerts ...

When connecting to the server, the connection is made. I'd expected a javax.net.ssl.SSLHandshakeException: unable to find valid certification path to requested target, or similar, because the acme root certificate is not stored in intermediate-ca.

To be sure, I've checked whether the JVM examined the default system truststore by strace-ing the JVM. It did not:

    $ strace -tt -f -e trace=open java -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=/path/to/intermediate-cacerts program 2>&1 | grep -vE 'open\((.*\.(so|jar)|"/(proc|dev|etc/host|tmp|sys))'
    22:31:21.103201 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/amd64/jvm.cfg", O_RDONLY) = 3
    [pid 27619] 22:31:21.119299 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/endorsed", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
    [pid 27619] 22:31:21.125422 open("/etc/nsswitch.conf", O_RDONLY) = 3
    [pid 27619] 22:31:21.127423 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    [pid 27619] 22:31:21.141141 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/meta-index", O_RDONLY) = 3
    [pid 27619] 22:31:21.540826 open("/usr/lib/locale/locale-archive", O_RDONLY) = 4
    [pid 27619] 22:31:21.541576 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
    [pid 27619] 22:31:21.542221 open("/etc/localtime", O_RDONLY) = 4
    [pid 27619] 22:31:22.267438 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/ext/meta-index", O_RDONLY) = 4
    [pid 27619] 22:31:22.318007 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/ext", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 4
    [pid 27619] 22:31:22.462944 open("/usr/java/packages/lib/ext", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    [pid 27619] 22:31:22.604155 open("/home/me/program.class", O_RDONLY) = 4
    [pid 27619] 22:31:22.728273 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/security/java.security", O_RDONLY) = 4
    [pid 27619] 22:31:24.048924 open("/usr/share/jbossas/standalone/data/intermediate-cacerts", O_RDONLY) = 9
    [pid 27619] 22:31:24.462164 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/meta-index", O_RDONLY) = 10
    [pid 27619] 22:31:24.626192 open("/etc/resolv.conf", O_RDONLY) = 11
    [pid 27619] 22:31:25.523615 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/net.properties", O_RDONLY) = 12
    [pid 27619] 22:31:26.168961 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
    connected

When omitting the -Djavax.net.ssl options, I observe an open() of the system truststore:

    [pid 27212] 10:54:53.699479 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/security/cacerts", O_RDONLY) = 9

The connection is created using this code fragment:

    SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(hostname, port);

This, and several resources on the internet, say there's no way to make Java look up certificates in multiple truststores. One needs to clone the system truststore and import the needed certificates. Sounds plausible to me.

  • Are there configuration options to make Java check the whole trust chain?
  • If not, should I implement a manual check of the trust chain?
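The behaviour observed above follows from how PKIX validation works: any certificate in the truststore is a trust anchor, so a chain ending at "acme intermediate" is complete as far as the validator is concerned. The following is an added example, not code from the original post: it runs the standard PKIX validator against a truststore and then additionally requires that the anchor it stopped at is a self-signed root, so a store holding only the intermediate is rejected. The class name `RootAnchoredValidator`, the command-line layout and the decision to disable revocation checking are assumptions of the example.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the original post): PKIX-validate a served chain against a
// trust store, then refuse it unless the anchor the validator stopped at is a
// self-signed root. With only "acme intermediate" in the store, the default validator
// is satisfied at the intermediate; this extra check rejects that outcome.
public class RootAnchoredValidator {
    public static X509Certificate validateToRoot(List<X509Certificate> served, KeyStore trustStore)
            throws GeneralSecurityException {
        // As JSSE does, drop certs that are themselves trust anchors before building the
        // path: PKIX expects the path to end just below an anchor, not to contain it.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : served) if (trustStore.getCertificateAlias(c) == null) path.add(c);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // assumption: revocation is checked elsewhere
        CertPathValidator v = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult r =
                (PKIXCertPathValidatorResult) v.validate(cf.generateCertPath(path), params);
        X509Certificate anchor = r.getTrustAnchor().getTrustedCert();
        if (anchor == null || !isSelfSigned(anchor)) throw new CertPathValidatorException(
                "chain does not end at a self-signed root, anchor: " + anchor);
        return anchor;
    }

    // Self-signed: subject equals issuer and the signature verifies with its own key.
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) return false;
        try { cert.verify(cert.getPublicKey()); return true; }
        catch (GeneralSecurityException e) { return false; }
    }

    // Usage: java RootAnchoredValidator <truststore> <password> <server.crt> [intermediate.crt ...]
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            try (FileInputStream in = new FileInputStream(args[i])) {
                chain.add((X509Certificate) cf.generateCertificate(in));
            }
        }
        System.out.println("anchored at root: " + validateToRoot(chain, ks).getSubjectX500Principal());
    }
}
```

Run it once with the intermediate-only store from the question and once with a store that also holds the acme root: the first run throws at the self-signed check, the second prints the root's subject.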

