JSSE server to work with two clients, each on a different p12 certificate

Is it possible for Sun's JSSE server (which has two certificates imported using Firefox -> Tools -> Options -> View Certificates -> Import -> Backup to save the concatenated p12 certs, and two CA certs imported using keytool) to work with two clients, each using a different p12 certificate?

If possible, how to do this?

Thanks very much in advance,

Yi

By yixdsa at 2007-11-27 7:51:47
# 1
Can chooseServerAlias(String keyType, Principal[] issuers, Socket socket) be updated to chooseServerAlias(String[] keyType, Principal[] issuers, Socket socket) in order to decide which certificate(s) to use when connecting to the remote host?

Thanks,
Yi

yixdsa at 2007-7-12 19:32:56
# 2
Of course not. The interface is already defined and called by JSSE.
ejpa at 2007-7-12 19:32:56
# 3

But I loaded the PKCS 12 certificate file containing two certificates and invoked the Key Manager. Then I did the SSLContext init with the parameters from getKeyManager and getTrustManager.

The JSSE server successfully connected with a client using one certificate, but failed to connect with another client using another certificate. The error message I got is "No trusted certificate found." So it seems to me that chooseServerAlias of JSSE doesn't know how to decide which certificate to use when making a connection to the remote host.

I was wondering if there is a bug in chooseServerAlias or something else.

Thanks very much,

Yi

yixdsa at 2007-7-12 19:32:56
# 4

This question doesn't make any sense either. As you are providing the implementation of chooseServerAlias(), only you would know whether there are bugs in it.

The exception means that the certificate provided isn't trusted, i.e. neither it nor that of any of its signers is in the truststore of the JVM which threw the exception. This is just a matter of exporting the client certificates from wherever they are and importing them into the server's truststore, or better still importing the root certificate of the CA that signed them into the server truststore.

ejpa at 2007-7-12 19:32:56
# 5

From my experimentation, I see chooseClientAlias is working as expected.

For the client using the concatenated PKCS 12 certificates imported and backed up using Firefox, chooseClientAlias knows from its parameters which certificate to use when connecting to the remote host (in my case, the server using either certificate A issued by one CA or certificate B issued by another CA). The whole process worked perfectly fine.

My question now is why chooseServerAlias does not work as expected like chooseClientAlias. The reason I need this to work is that I also need the server, using the concatenated p12 certificates, to connect with clients using either certificate A or certificate B issued by another CA.

Thanks.

yixdsa at 2007-7-12 19:32:56
# 6
chooseServerAlias() must be working, otherwise you wouldn't get to invoke chooseClientAlias() at all. I think you need to take a step backwards and report the actual problem you are having, not what you think the reason for it is.
ejpa at 2007-7-12 19:32:56
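The two points the thread circles around, the "No trusted certificate found" error from post #4 (the server's truststore must hold the certificates, or better the CA roots, of the clients it is meant to accept) and the question from posts #1 to #6 of how a server holding two certificates decides which one to present, are both shown in the following added example. It is not code from the thread or from Sun's JSSE. It assumes a modern JDK (Java 8 or later, for SNI support in JSSE), a PKCS#12 keystore `server-keys.p12` with two private-key entries under the assumed aliases `server-a` and `server-b`, a PKCS#12 truststore `client-cas.p12` holding the root certificates of both client CAs, the password `changeit` for both, and the assumed host names `a.example.test` and `b.example.test`. The key manager cannot be given a different `chooseServerAlias` signature, as post #2 says; instead a wrapper implements the existing one and picks the alias from the SNI host name the client sent, falling back to whatever SunJSSE's own key manager would pick.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/**
 * Added example, not from the thread: a JSSE server holding two certificates in one PKCS#12
 * keystore and accepting client certificates issued by either of two CAs.
 * File names, passwords, aliases and host names are assumptions.
 */
public class TwoCertServer {

    /** Wraps SunJSSE's key manager and picks the server alias from the SNI host name. */
    static final class SniKeyManager extends X509ExtendedKeyManager {
        private final X509ExtendedKeyManager delegate;

        SniKeyManager(X509ExtendedKeyManager delegate) { this.delegate = delegate; }

        /** Assumed mapping from requested host name to keystore alias; null means "no opinion". */
        static String aliasForHost(String host) {
            if ("a.example.test".equalsIgnoreCase(host)) return "server-a";
            if ("b.example.test".equalsIgnoreCase(host)) return "server-b";
            return null;
        }

        private static String aliasFromSni(SSLSession handshakeSession) {
            if (!(handshakeSession instanceof ExtendedSSLSession)) return null;
            for (SNIServerName name : ((ExtendedSSLSession) handshakeSession).getRequestedServerNames()) {
                if (name instanceof SNIHostName) {
                    String alias = aliasForHost(((SNIHostName) name).getAsciiName());
                    if (alias != null) return alias;
                }
            }
            return null;
        }

        @Override
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            String alias = (socket instanceof SSLSocket)
                    ? aliasFromSni(((SSLSocket) socket).getHandshakeSession()) : null;
            return alias != null ? alias : delegate.chooseServerAlias(keyType, issuers, socket);
        }

        @Override
        public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
            String alias = aliasFromSni(engine.getHandshakeSession());
            return alias != null ? alias : delegate.chooseEngineServerAlias(keyType, issuers, engine);
        }

        // Everything else is passed straight through to the wrapped key manager.
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyType, issuers, socket); }
        @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return delegate.chooseEngineClientAlias(keyType, issuers, engine); }
        @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
        @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    }

    static KeyStore load(String type, String path, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    static SSLContext buildServerContext(String keyStorePath, char[] keyPassword,
                                         String trustStorePath, char[] trustPassword)
            throws GeneralSecurityException, IOException {
        // Keystore with both server private keys. Java's PKCS12 keystore uses the store password for the keys too.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("PKCS12", keyStorePath, keyPassword), keyPassword);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509ExtendedKeyManager) kms[i] = new SniKeyManager((X509ExtendedKeyManager) kms[i]);
        }
        // Truststore with the ROOT certificates of both client CAs. A client whose chain does not end in
        // one of these is rejected with "No trusted certificate found"; the key manager plays no part in that.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(load("PKCS12", trustStorePath, trustPassword));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildServerContext("server-keys.p12", "changeit".toCharArray(),
                                            "client-cas.p12", "changeit".toCharArray());
        try (SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            server.setNeedClientAuth(true); // demand a client certificate chaining to one of the trusted CAs
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    client.startHandshake();
                    System.out.println("client authenticated as " + client.getSession().getPeerPrincipal());
                }
            }
        }
    }
}
```

The truststore can be built with keytool, once per CA root: `keytool -importcert -alias ca-a -file ca-a.pem -keystore client-cas.p12 -storetype PKCS12`. Importing the roots rather than the individual client certificates means any client issued by either CA is accepted without touching the server again; to check which certificate the server actually presented to a given client, inspect `getHandshakeSession()` or `getSession().getLocalCertificates()` on the server side rather than guessing from the failure on the client.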