Un-authenticated client required.

I've currently been working on producing a client / server prototype for something I'm working on. I have been able to encrypt the socket connection between the clients and the server using SSLSockets, but only by using a keystore file at both ends.

What I'm doing requires clients to be able to access an applet over a secure TCP socket connection from any location, is this possible? Obviously using the keystore method which I have been using doesn't allow for this as any client would first need a copy of the keystore.

Any help would be greatly appreciated, I've been searching the Internet all day and haven't found anything of use.

Cheers

jrp

[683 byte] By [jrp_a] at [2007-11-27 2:30:10]
# 1

Well, there are known ways to create secure connections, as is done with web sites, but to truly prevent any type of MITM attack, you'd also need a verification key from a trusted key provider, or have the client come with a trusted key.

The latter is unavailable since you're trying to provide the client as an applet, meaning it is dynamically downloaded on use, not provided prior. Unless the transfer is already secure when downloading the applet, a MITM attack is possible by replacing the client with their own as it is being downloaded.

As for doing all of that in Java, I'm sure there are better people to answer that.

SlugFillera at 2007-7-12 2:43:39
# 2
If you turn wantClientAuth and needClientAuth off at the server you don't need a keystore at the client, and the client is unauthenticated. Both these settings are off by default.
ejpa at 2007-7-12 2:43:39
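
An added example, not part of the thread, of the one-way TLS setup reply #2 describes: the server holds the only keystore and leaves client authentication off, while the client uses the JRE's default truststore and therefore needs no keystore of its own. The class name, port 8443 and the echo exchange are assumptions, and the server certificate is assumed to be issued by a CA the client's JRE already trusts.

```java
import javax.net.ssl.*;
import java.io.*;
import java.nio.charset.StandardCharsets;

// Added example: server-authenticated TLS with an unauthenticated client.
public class OneWayTls {
    static final int PORT = 8443; // assumed port

    // Server side. Start with -Djavax.net.ssl.keyStore=<file> and
    // -Djavax.net.ssl.keyStorePassword=<password> so only the server holds a key.
    static void server() throws IOException {
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(PORT)) {
            ss.setNeedClientAuth(false); // both are already the defaults;
            ss.setWantClientAuth(false); // set here to make the intent explicit
            while (true) {
                try (SSLSocket s = (SSLSocket) ss.accept();
                     BufferedReader in = new BufferedReader(
                         new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8));
                     PrintWriter out = new PrintWriter(new OutputStreamWriter(
                         s.getOutputStream(), StandardCharsets.UTF_8), true)) {
                    out.println("echo: " + in.readLine());
                } catch (IOException e) { // a failed handshake must not stop the server
                    System.err.println("connection failed: " + e.getMessage());
                }
            }
        }
    }

    // Client side. No keystore: the server certificate is checked against the
    // JRE's default truststore (cacerts).
    static void client(String host) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) f.createSocket(host, PORT)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // certificate must match host
            s.setSSLParameters(p);
            s.startHandshake(); // throws if the certificate chain or host name is rejected
            PrintWriter out = new PrintWriter(new OutputStreamWriter(
                s.getOutputStream(), StandardCharsets.UTF_8), true);
            BufferedReader in = new BufferedReader(
                new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8));
            out.println("hello");
            System.out.println(in.readLine());
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length == 2 && args[0].equals("client")) client(args[1]);
        else server();
    }
}
```

A plain SSLSocket validates the certificate chain but does not check the host name unless an endpoint identification algorithm is set, which is why the client sets it before the handshake.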