stackoom
  简体   繁体   中英

Java SSL socket — client certificate proof

 原文  2018-04-21 13:09:25       java/ sockets/ ssl/ certificate/ jsse

Question

I'm trying to create a java SSL socket server application that a few java SSL socket client applications will connect to. To guarantee the trustworthiness of both communication partners,

(1) the server should only accept a client connection if the client's certificate was signed with the server's private key

(2) the client should only communicate to the server if the server's certificate is contained in the client's trusted store.

Because I'm totally new to JSSE, I only managed the client application to connect to the server solely if its certificate is contained in the client's trusted store (condition 2). However, I have no clue how to achieve my 1st condition...

I would be grateful for every kind of help.

Best regards, Galveston01

2 answers

solution1
 1 ACCPTED  2018-04-21 15:31:43

If I understand your question correctly, what you're asking is how to enable two way SSL/TLS. This requires the client to validate the server cert (point 2 in your question) AND the server to validate the client cert - known as client authentication (point 1).

It sounds like you have got "regular" one way TLS working. I'm assuming that you've created and signed the server cert yourself (aka self signed cert) and this is why you have to import the server cert itself into the client truststore - there are no CA root/intermediate certs that have been used to sign it with.

To enable client authentication (point 1) you need to do two things:

  1. Ensure that the client certificate is in the server's truststore (as before, if this was not a self signed cert, then you would need to import the root/intermediate certs into the server truststore, no need to import the cert itself). Since you've already been through this process on the client side it should pose no problems.

  2. Configure JSSE on the server to enable client side auth. To do this you'll need to set the following property:

    SSLServerSocket.setNeedClientAuth(true)

Assuming that the truststore on the server contains your self signed client cert and the truststore on the client contains your self signed server cert then this should work.

If you are not using self signed certs but infact have access to test CA or are using genuinely signed cert ( no reason not to with letsencrypt ) then you might want to look at the answers and comments to these SO questions:

client not sending certificate for client authentication in TLS

client auth failing for two way TLS

solution2
 0  2020-02-06 14:47:48

JSSE has support for two classes KeyManagerFactory and TrustManagerFacory to support server-side and client-side authentication.

The client fills up the information of TrustManagerFactory while the server fills up the information of keyManagerFactory . Server fills up the parameter like below while connecting the client request:

final KeyManagerFactory kmf = KeyManagerFactory.getInstance(ksAlgorithm);
  kmf.init(ks, password.toCharArray());

client code for connection:

final TrustManagerFactory tmf = TrustManagerFactory.getInstance(ksAlgorithm);
tmf.init((KeyStore) null);

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Choosing SSL client certificate in Java Forcing SSL Client Socket to Send Certificate Java SSL Socket Web Server Bad Certificate Java SSL handshake failure - no client certificate Java SOAP Client with SSL authentication : bad certificate Java Jersey not sending ssl client certificate JAVA SSL: how to get client certificate information How to load local client certificate in java SSL? SSL certificate validation using Java client Java SSL Client No Self Signed Certificate
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM