java - Accepting any Client Certificate in SSL-Handshake


I'm using Netty on Android, on the server side, to establish an SSL-secured connection with client authentication. I'm having difficulties connecting with these certificates since the SSLEngine declines them due to a "null cert chain".

This is what I've done on the server side: I set up the SSLContext with a signed server certificate (the client knows the CA and can validate it).

To make the server accept the clients' certificates (since they are self-signed) I implemented a DummyTrustManager that accepts any:

    import java.security.cert.Certificate;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.X509TrustManager;

    // Accepts any client certificate; only getAcceptedIssuers() is meaningful here.
    private static class DummyTrustManager implements X509TrustManager
    {
        private X509Certificate[] mCerts;

        public DummyTrustManager(Certificate[] pCerts)
        {
            // convert to an X509 array
            mCerts = new X509Certificate[pCerts.length];
            for (int i = 0; i < pCerts.length; i++)
            {
                mCerts[i] = (X509Certificate) pCerts[i];
            }
        }

        @Override
        public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}

        @Override
        public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}

        @Override
        public X509Certificate[] getAcceptedIssuers()
        {
            // these DNs are sent to the client in the CertificateRequest
            return mCerts;
            //return new X509Certificate[0];
        }
    }

The point I'm not quite sure about is the getAcceptedIssuers() method:

  • If I return an empty array, the openssl binary (which I use to verify the correct setup) fails due to the empty accepted issuers list.

  • If I add the current server certificate chain, it works at least for client certificates signed by the same CA, but not for the self-signed ones (which I need).

But maybe I'm doing something wrong on the client side:

    import java.security.KeyStore;
    import java.security.cert.Certificate;

    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    keyStore.load(null);   // start with an empty in-memory keystore

    // client key + self-signed client certificate; 'this' must implement KeyStore.ProtectionParameter
    keyStore.setEntry("user_certificate", new KeyStore.PrivateKeyEntry(mPrivate, new Certificate[]{mClientCert}), this);
    keyStore.setCertificateEntry("server_certificate", mServerCert);

I also did some research and understood so far: the client has a valid certificate chain but does not send it, because the server tells it that it only accepts the issuers listed by the server.

If that is right, how can I overcome this issue?

I am thinking of a separate self-signed CA that is delivered to the clients and listed in the server's accepted issuers list. The client uses that CA to sign its own certificate. I see no security problem with this. Or is there a better solution?

Since there has been no answer for a longer period, I'm going to give a brief overview of how I solved it now.

I've created a CA that is not signed by a trusted CA. It is self-signed. This CA is given to the clients to sign their own certificates. Why? Because this way I can tell the server to send out that CA as the accepted one in getAcceptedIssuers(). It is not intended to give any level of authority. This way I can check the client's public key, so there is no security risk there.

You have to be careful not to mix the TrustManagers and SSLContext instances up.
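The approach described in the answer above, as an added example that is not code from the original post: a server-side X509TrustManager that returns the distributed self-signed CA from getAcceptedIssuers() (so the client actually presents its certificate) and then checks the client's public key against a pinned set instead of accepting every chain the way the DummyTrustManager in the question does. The class name PinningTrustManager, the SPKI hash pinning scheme and the serverContext() wiring helper are my own assumptions for illustration.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Assumed example class (not from the original post). Server side only:
// advertises one CA in getAcceptedIssuers() and pins client public keys.
public final class PinningTrustManager implements X509TrustManager {
    private final X509Certificate[] acceptedIssuers;
    private final Set<String> pinnedKeyHashes; // hex SHA-256 of SubjectPublicKeyInfo

    public PinningTrustManager(X509Certificate distributedCa, Set<String> pinnedKeyHashes) {
        this.acceptedIssuers = new X509Certificate[] { distributedCa };
        this.pinnedKeyHashes = new HashSet<>(pinnedKeyHashes);
    }

    // SHA-256 over the DER-encoded SubjectPublicKeyInfo, as lowercase hex.
    public static String spkiSha256Hex(X509Certificate cert) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(cert.getPublicKey().getEncoded());
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Defensive: the "null cert chain" case from the question.
        if (chain == null || chain.length == 0) {
            throw new CertificateException("null cert chain");
        }
        X509Certificate leaf = chain[0];
        leaf.checkValidity(); // notBefore / notAfter
        // The distributed CA carries no authority; only the pinned key matters.
        String hash = spkiSha256Hex(leaf);
        if (!pinnedKeyHashes.contains(hash)) {
            throw new CertificateException("client public key not pinned: " + hash);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // This manager is only installed on the server; never trust a peer as a server.
        throw new CertificateException("PinningTrustManager is not for server authentication");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Sent to the client in the CertificateRequest; a client whose
        // certificate is signed by this CA will then present it.
        return acceptedIssuers.clone();
    }

    // Assumed helper: build the server SSLContext with this trust manager.
    // serverKeyStore holds the CA-signed server key pair; distributedCa is the
    // self-signed CA handed to clients; pins are spkiSha256Hex() values.
    public static SSLContext serverContext(KeyStore serverKeyStore, char[] keyPassword,
                                           X509Certificate distributedCa,
                                           Set<String> pins) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(serverKeyStore, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(),
                 new TrustManager[] { new PinningTrustManager(distributedCa, pins) },
                 null);
        return ctx;
    }

    // Assumed helper: the engine handed to Netty's SslHandler must be in
    // server mode and must require (not merely want) the client certificate.
    public static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true);
        return engine;
    }
}
```

The pin set is computed once from the clients' certificates with spkiSha256Hex() and loaded into the server; with setNeedClientAuth(true) a client that sends no certificate fails the handshake, and a client presenting a certificate signed by the distributed CA but with an unknown key is rejected by checkClientTrusted(), so possession of the CA alone grants nothing.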
