Return-Path: X-Original-To: apmail-db-derby-user-archive@www.apache.org Delivered-To: apmail-db-derby-user-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 54189E575 for ; Mon, 4 Feb 2013 03:36:55 +0000 (UTC) Received: (qmail 90223 invoked by uid 500); 4 Feb 2013 03:36:54 -0000 Delivered-To: apmail-db-derby-user-archive@db.apache.org Received: (qmail 89894 invoked by uid 500); 4 Feb 2013 03:36:50 -0000 Mailing-List: contact derby-user-help@db.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: List-Id: Reply-To: "Derby Discussion" Delivered-To: mailing list derby-user@db.apache.org Received: (qmail 89834 invoked by uid 99); 4 Feb 2013 03:36:48 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 04 Feb 2013 03:36:48 +0000 X-ASF-Spam-Status: No, hits=2.0 required=5.0 tests=FSL_NEW_HELO_USER,HTML_MESSAGE,RCVD_IN_DNSWL_MED,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of dag.wanvik@oracle.com designates 156.151.31.81 as permitted sender) Received: from [156.151.31.81] (HELO userp1040.oracle.com) (156.151.31.81) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 04 Feb 2013 03:36:36 +0000 Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r143aEcU030465 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Mon, 4 Feb 2013 03:36:15 GMT Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r143aEf2011294 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 4 Feb 2013 03:36:14 GMT Received: from abhmt115.oracle.com (abhmt115.oracle.com [141.146.116.67]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id r143aDde012053 for ; Sun, 3 Feb 2013 21:36:13 -0600 Received: from [10.159.161.130] (/10.159.161.130) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 03 Feb 2013 19:36:13 -0800 Message-ID: <510F2CAC.3080207@oracle.com> Date: Mon, 04 Feb 2013 13:36:12 +1000 From: Dag Wanvik Organization: Oracle Corporation User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130107 Thunderbird/17.0.2 MIME-Version: 1.0 To: Derby Discussion Subject: Re: SSL peerAuthentication References: In-Reply-To: Content-Type: multipart/alternative; boundary="------------040707020307090409050208" X-Source-IP: ucsinet21.oracle.com [156.151.31.93] X-Virus-Checked: Checked by ClamAV on apache.org This is a multi-part message in MIME format. --------------040707020307090409050208 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Reading up on this, this is my understanding for your case (peerAuthentication in both directions). When using CA signed certs for both sides, you should keep the CA certs in the trust stores, i.e. Client keystore: Server keystore: client-key server-key client-cert server-cert Client truststore: Server truststore: server-ca-cert client-ca-cert Of course, server-ca and client-ca may be identical as in your example. where: * server-cert: the cert that the server presents to clients * server-key: the private key that corresponds to server-cert * server-ca-cert: the cert of the CA that signed server-cert * client-cert: the cert that the client presents to the server * client-key: the private key that corresponds to client-cert * client-ca-cert: the cert of the CA that signed client-cert It is true that this will allow secure connection of any client that has a cert signed by "client-ca-cert", but this is as it should be: the client is authenticated, the communication can proceed encrypted. Further authorization should be handled by the server. Hope this helps, Dag --------------040707020307090409050208 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Reading up on this, this is my understanding for your case (peerAuthentication in both directions).
When using CA signed certs for both sides, you should keep the CA certs in the trust stores, i.e.

Client keystore:                                            Server keystore:
client-key                                                      server-key
client-cert                                                     server-cert

Client truststore:                                         Server truststore:
server-ca-cert                                               client-ca-cert

Of course, server-ca and client-ca may be identical as in your example.

where:
  • server-cert: the cert that the server presents to clients
  • server-key: the private key that corresponds to server-cert
  • server-ca-cert: the cert of the CA that signed server-cert
  • client-cert: the cert that the client presents to the server
  • client-key: the private key that corresponds to client-cert
  • client-ca-cert: the cert of the CA that signed client-cert
It is true that this will allow secure connection of any client that has a cert signed by "client-ca-cert", but this is as it should be: the client is authenticated, the communication can proceed encrypted. Further authorization should be handled by the server.

Hope this helps,
Dag

--------------040707020307090409050208--