hc-dev mailing list archives
From Prasad Jeewantha <jeewamp....@gmail.com>
Subject Re: How are TrustStores and KeyStores used in SSL in HTTP-core-nio
Date Wed, 27 Feb 2013 13:42:26 GMT
Hi Oleg,
Thanks for the response. I have one more question. When creating an
SSLClientIOEventDispatch(.. , .. , .. , ..) it gets an SSLIOSessionHandler
which has a *verify(SocketAddress remoteAddress, SSLSession session)* method.
I am planning to add my OCSP/CRL feature here. This method is called by the
*doHandshake()* method in *SSLIOSession*. My question is: at the point where
the *verify()* method is called, will the JSSE trust manager already have
checked whether at least one certificate in the chain is trusted? If so, I
can assume at this point that the entire chain is trusted, so that I can do
the OCSP/CRL verification here.
Thanks again,

On Wed, Feb 27, 2013 at 6:06 PM, Oleg Kalnichevski <olegk@apache.org> wrote:

> On Wed, 2013-02-27 at 17:10 +0530, Prasad Jeewantha wrote:
> > Hi all,
> > There is an SSL Certificate Verification feature (OCSP/CRL) I want to
> > implement in Apache Synapse, which uses the http-core-nio project as a
> > dependency. In Synapse, when creating an *SSLContext*, it takes
> > *truststore.jks* and *keystore.jks* as arguments. In the class
> > *org.apache.http.impl.nio.reactor.SSLIOSession* it creates an *SSLEngine*
> > from the *sslContext.createSSLEngine(hostname, port)* method. When debugging
> > Synapse I can see the TrustManagers and KeyManagers in the SSLEngine.
> > *Please tell me how the TrustManagers and KeyManagers are used in the
> > http-core-nio project*.
>
> Jeewantha,
>
> HttpCore does not do anything special with regards to trust verification
> and authentication with a private key. It relies on the standard
> mechanisms provided by JSSE.
>
> > I want to verify whether the root certificate in the peer certificate
> > chain is in the TrustStore. I am not sure whether this is already
> > implemented.
> > Thanks in advance.
> > Jeewantha.
>
> The standard JSSE trust manager considers a certificate chain trusted if at
> least one cert in the chain is trusted. It does not have to be the root
> cert. If you are absolutely sure that you have to verify the validity of the
> root cert, you should implement a custom TrustManager and use it instead
> of the default implementation.
>
> Hope this helps,
> Oleg
