commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Niklas Gustavsson <nik...@protocol7.com>
Subject Re: [net] FTPS client auth required
Date Sat, 25 Nov 2006 11:46:37 GMT
Thanks, making that settable makes a lot of sense. Would you mind doing 
the same thing for the KeyManager as that would make client auth 
possible? At least I'm not able to get it working without one :-)

I'm attaching the patch I use for the client auth tests in FtpServer.

/niklas

Rory Winston wrote:
> Niklas
> 
> The current FTPSTrustManager implementation is a little bit sketchy - 
> maybe we could default to a more comprehensive validity check. I have 
> added the facility to plug in a custom trust manager to the FTPSClient, 
> as follows:
> 
> FTPSClient client = new FTPSClient();
> 
> client.setTrustManager(new X509TrustManager() {
> 
>                public void checkClientTrusted(X509Certificate[] chain, 
> String authType) throws CertificateException {
>                ...
>               }
> 
>                public void checkServerTrusted(X509Certificate[] chain, 
> String authType) throws CertificateException {
>                   ...
>              }
> 
>                public X509Certificate[] getAcceptedIssuers() {
>                  ...
>                }
>                          });
> 
> Thanks for the patch, by the way.
> 
> Cheers
> Rory
> 
> 
> Niklas Gustavsson wrote:
>> Hi
>>
>> I'm trying to create tests for client authentication for Apache 
>> FtpServer. For this I'm using commons-net as the client but is running 
>> into problems with the client auth support in FTPSClient. I'm setting 
>> setNeedClientAuth(true) but still get problems due to FTPSClient 
>> sending a null certificate chain. How should I set up my keystore so 
>> that FTPSClient finds it and can use it to send the correct 
>> certificate to the server for authentication? I've tried with the 
>> javax.net.ssl.keyStore system property but to no avail.
>>
>> Also, if I understand the current implementation of FTPSClient and 
>> FTPSTrustManager. From what I can understand, the implementation only 
>> checks if the service certificate is valid, not if it's trusted. Is 
>> this correct? If so, this would probably be a security issue in that a 
>> fake server serving up any valid certificate would be trusted by the 
>> client. Is this the intended behavior?
>>
>> /niklas
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
>> For additional commands, e-mail: commons-dev-help@jakarta.apache.org
>>
>>
>>
>>


Mime
View raw message