hc-dev mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: How are TrustStores and KeyStores used in SSL in HTTP-core-nio
Date Wed, 27 Feb 2013 14:01:30 GMT
On Wed, 2013-02-27 at 19:12 +0530, Prasad Jeewantha wrote:
> Hi Oleg,
> Thanks for the response. I have one more question. When creating an
> SSLClientIOEventDispatch(.. , .. , .. ,..) it gets an SSLIOSessionHandler
> which has a *verify(SocketAddress remoteAddress, SSLSession session)* method.
> I am planning to add my OCSP/CRL feature here. This method is called by the
> *doHandshake()* method in *SSLIOSession*. My question is, at the point where
> the *verify()* method is called, will the JSSE trust manager already have
> checked whether at least one certificate in the chain is trusted?

Yes, that is the case. At that point the session will be fully
established. 

> If so I can assume at this point, the entire chain is trusted, so
> that I can do the OCSP/CRL verification here.

In an ideal situation the OCSP/CRL check should be performed at the same
time the trust verification is performed, but this has to be done
asynchronously without blocking the i/o dispatch thread. I also believe
JSSE should provide an injection point for OCSP/CRL, but I cannot say
that for sure. For a start, doing the OCSP/CRL check after the session
has been established should be good enough. Please note the check will
have to be asynchronous as well, otherwise you would be blocking the
i/o thread and all the active sessions managed by it. So, you have got
to know what you are doing.

Oleg

> Thanks again,
> Jeewantha
> 
> 
> On Wed, Feb 27, 2013 at 6:06 PM, Oleg Kalnichevski <olegk@apache.org> wrote:
> 
> > On Wed, 2013-02-27 at 17:10 +0530, Prasad Jeewantha wrote:
> > > Hi all,
> > > There is an SSL Certificate Verification feature (OCSP/CRL) I want to
> > > implement in Apache Synapse which uses http-core-nio project as a
> > > dependency. In Synapse when creating an *SSLContext* it takes
> > > *truststore.jks* and the *keystore.jks* as arguments. In the class
> > > *org.apache.http.impl.nio.reactor.SSLIOSession* it creates an
> > > *SSLEngine* from the *sslContext.createSSLEngine(hostname, port)*
> > > method. When debugging Synapse I can see the TrustManagers and
> > > KeyManagers in SSLEngine. *Please tell me how the TrustManagers and
> > > KeyManagers are used in http-core-nio project*.
> >
> > Jeewantha
> >
> > HttpCore does not do anything special with regards to trust verification
> > and authentication with a private key. It relies on the standard
> > mechanisms provided by JSSE.
> >
> >
> > > I want to verify whether the root certificate in the peer certificate
> > > chain is in the TrustStore. I am not sure whether this is already
> > > implemented.
> > > Thanks in advance.
> > > Jeewantha.
> > >
> >
> > Standard JSSE trust manager considers a certificate chain trusted if at
> > least one cert in the chain is trusted. It does not have to be the root
> > cert. If you are absolutely sure that you have to verify validity of the
> > root cert, you should implement a custom TrustManager and use it instead
> > of the default implementation.
> >
> > Hope this helps
> >
> > Oleg
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
> > For additional commands, e-mail: dev-help@hc.apache.org
> >
> >


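An added example, not HttpCore's or Synapse's code, of the custom TrustManager Oleg suggests above, written against the Java 8+ JSSE API (PKIXRevocationChecker) that later supplied the OCSP/CRL injection point he was unsure about: it delegates to the PKIX trust manager with a revocation checker attached, then enforces that the presented chain ends at a self-signed root the truststore vouches for. The class name and the truststore handed to the constructor are assumptions; the revocation fetches happen inside the handshake, i.e. on whichever thread calls into the SSLEngine, which on an NIO reactor is exactly the blocking of the i/o thread Oleg warns about.

```java
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

/** Wraps the JSSE PKIX trust manager, configured (Java 8+) to run OCSP/CRL revocation checks as part
 *  of trust verification, and additionally requires the presented chain to end at a self-signed root
 *  present in the truststore. Assumed class name; runs inside the handshake, so network fetches block. */
public final class RootPinningTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    private final KeyStore trustStore;

    public RootPinningTrustManager(KeyStore trustStore) throws GeneralSecurityException {
        this.trustStore = trustStore;
        // The PKIX CertPathBuilder exposes a revocation checker; attaching it to the builder parameters
        // makes OCSP/CRL part of the standard PKIX decision rather than a later, separate step.
        PKIXRevocationChecker rc = (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        rc.setOptions(java.util.EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS)); // CRL first, OCSP as fallback
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.addCertPathChecker(rc);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        this.delegate = (X509TrustManager) tmf.getTrustManagers()[0]; // PKIX factory yields an X509TrustManager
    }
    /** Truststore certificate whose key verifies {@code last}, or null if none does. */
    private X509Certificate findAnchor(X509Certificate last) throws CertificateException {
        try {
            for (String alias : java.util.Collections.list(trustStore.aliases())) {
                Object c = trustStore.getCertificate(alias);
                if (!(c instanceof X509Certificate)) continue;
                X509Certificate cand = (X509Certificate) c;
                if (!cand.getSubjectX500Principal().equals(last.getIssuerX500Principal())) continue;
                try { last.verify(cand.getPublicKey()); return cand; } catch (GeneralSecurityException ignored) { }
            }
            return null;
        } catch (KeyStoreException e) { throw new CertificateException("truststore unreadable", e); }
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType); // standard path building + revocation checks first
        // PKIX accepts a chain once any cert in it is trusted, which may be an intermediate; insist that
        // the presented chain terminates at a self-signed certificate the truststore vouches for.
        X509Certificate anchor = findAnchor(chain[chain.length - 1]);
        if (anchor == null || !anchor.getSubjectX500Principal().equals(anchor.getIssuerX500Principal())) {
            throw new CertificateException("chain does not end at a self-signed root from the truststore");
        }
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Install it with `sslContext.init(keyManagers, new TrustManager[]{ new RootPinningTrustManager(trustStore) }, null)` before the SSLContext is handed to the SSLIOSession; if the revocation source is unreachable the PKIX checker fails the handshake unless SOFT_FAIL is added to its options.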
