From "Bernt M. Johnsen (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DERBY-2803) SSL certificate authentication succeeds unexpectedly
Date Wed, 27 Jun 2007 07:01:26 GMT

     [ https://issues.apache.org/jira/browse/DERBY-2803?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bernt M. Johnsen updated DERBY-2803:
------------------------------------

    Attachment: DERBY-2803-v2.zip
                DERBY-2803-v3.stat
                DERBY-2803-v3.diff

Thanks Rick. 1) The toc is not part of the attached zip-file, but it builds ok in my sandbox. 2-4)
Done. New patch uploaded. Will commit & merge to 10.3 today.

> SSL certificate authentication succeeds unexpectedly
> ----------------------------------------------------
>
>                 Key: DERBY-2803
>                 URL: https://issues.apache.org/jira/browse/DERBY-2803
>             Project: Derby
>          Issue Type: Bug
>          Components: Documentation, Security
>    Affects Versions: 10.3.0.0
>            Reporter: Rick Hillegas
>            Assignee: Bernt M. Johnsen
>             Fix For: 10.3.1.1, 10.4.0.0
>
>         Attachments: DERBY-2803-v2.diff, DERBY-2803-v2.stat, DERBY-2803-v2.zip, DERBY-2803-v2.zip,
> DERBY-2803-v3.diff, DERBY-2803-v3.stat, DERBY-2803.diff, DERBY-2803.stat, DERBY-2803.zip
>
>
> The following bug report may simply be pilot error. I confess that I am having a hard
> time understanding the user documentation for this feature. The user documentation is found
> in the Derby Admin guide in the section titled "SSL/TLS". My confusion arises from the fact
> that sometimes the documentation talks about 3 SSL states (none, basic, peer) and sometimes
> the documentation talks about 4 SSL states (none, basic, client certificate, server certificate).
> I tried running an experiment in which the server was set up for "Basic SSL encryption":
> 1) I successfully connected to the server when the client was set up for "Basic SSL encryption".
> This I expected, so good.
> 2) I also successfully connected to the server when the client was set up for "peer (server)
> authentication". This confused me because the client url was requesting peer authentication
> but the server was booted with just basic ssl authentication. That is, the client url requested
> "ssl=peerAuthentication" but the server startup line requested "ssl=basic". I was surprised
> that the two sides of the connection didn't have to agree on how much authentication was going
> to be done.
> 3) I also successfully connected to the server when the client was set up for "peer authentication
> on both sides". This really confused me: It seemed to me that there were 2 certificates involved,
> but the server, via its startup properties, should only have been aware of one of these certificates,
> viz., the certificate identified by the javax.net.ssl.keyStore properties.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

