Dynamically Accept Client Certificates
Hello all,
I am writing a simple client/server app using TLS and I have a problem with the following:
Each client machine will be uniquely identified with a certificate generated at compilation of the program with keytool. Each client will also have a copy of the server's public key certificate. But the server will have to be informed of the client's public key each time a new client connects.
In a nutshell: is it possible for the client to send its public key certificate to the server via an insecure connection (i.e. not using SSL) and have the server "add" that certificate to its TrustManager dynamically? As of now, the only way I can get the server to trust more clients is importing the public keys into a keystore with "keytool -import" and restarting the server. This, of course, is not acceptable.
I know that if a server dynamically accepts each certificate that's thrown at it, it's the same as not having the client authenticate itself, but it's a (stupid) requirement so I have no say in this.
It's an extremely stupid requirement and you should certainly have your say in this. Any time you spend on this is wasted time and wasted money on the part of the people who determined that it should be done. They should simply turn off needClientAuth at the server and be done with it, or bite the bullet and import the certificates properly.
Nothing in the way of client-authentication security would be provided by this nonsense, and you can tell them I said so. For a reference see http://www.telekinesis.com.au/wipv3_6/FundamentalNetworkingInJava.A21 - I wrote it.
As a professional, you should certainly stick your hand up and say so loudly and clearly.
ejpa at 2007-7-15 5:07:26

And if you want the equally insecure alternatives:
(a) initialize an SSLContext with your own TrustManager that trusts anything and get your SSLServerSockets via that SSLContext's server socket factory,
or
(b) turn off needClientAuth and wantClientAuth at the server
If you just do (b) you can forget about the client-side requirement altogether.
If they actually do need client authentication, they need to generate client cert requests and get them signed by a trusted signer whose cert is in the server truststore. This is the correct solution for that level of security.
ejpa at 2007-7-15 5:07:26
