
How SSL certificates are loaded into (or removed from) the memory of a Java process

First of all, I must say I'm not a Java developer but a sys admin.

I thought that when a Java process is launched with no javax.net.ssl.trustStore and javax.net.ssl.keyStore properties, the certificates in its $JAVA_HOME/jre/lib/security/cacerts are always loaded and used.

But I have found that one JBoss war loads another keystore and ignores the certificates in the default cacerts.

The problem was a typical PKIX error message

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

but I was sure the certificate needed was in the default cacerts.

I had to set the property javax.net.debug=all to shed some light on this issue, and found that another keystore was loaded, one containing an old expired certificate, which I didn't know about.

After adding the valid certificate to the second keystore, the PKIX error message disappeared.

So, how are SSL certificates handled in a Java process?

When a new keystore is loaded, are previously loaded certificates deleted from memory?

Best regards

No, when a new keystore is loaded, previously loaded certificates are not replaced/discarded by default.

Internally, Java handles keystores the way you open a document in Word: you can open/load a keystore, retrieve certificates, delete certificates, add new certificates and, of course, save the whole keystore after modifying it.

When performing an HTTPS call you can specify a TrustManager, and this TrustManager holds references to loaded keystores. Since it is simple to just replace the default keystore with a custom keystore, Java will then consider only the custom keystore.

You could also use both keystores, the default Java one and the custom one, as shown in this answer (which uses two chained TrustManager instances).

Alternatively, the developer could modify the loaded keystore in memory and add the certificates from the Java default store.

As you can see it is up to the developer how a Java program handles this situation.
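The two approaches the answer mentions, a TrustManager that consults both the default cacerts and the application's own keystore, and merging the default trusted certificates into the application keystore in memory, as an added example written for this page (not code from the question, the answer, or JBoss). It assumes the default cacerts password "changeit", that the application keystore path and password are passed on the command line, and that `java.home` resolves to a directory containing lib/security/cacerts (true for the jre of Java 8 and for Java 9+).

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class CompositeTrust {

    /** Load a JKS or PKCS12 keystore from disk (the default type reads both on modern JDKs). */
    static KeyStore load(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Build the platform X509TrustManager (PKIX) for one keystore. */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Approach 1: a trust manager that accepts a chain if ANY delegate accepts it. */
    static final class CompositeX509TrustManager implements X509TrustManager {
        private final List<X509TrustManager> delegates;

        CompositeX509TrustManager(List<X509TrustManager> delegates) {
            this.delegates = delegates;
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            CertificateException last = null;
            for (X509TrustManager tm : delegates) {
                try {
                    tm.checkServerTrusted(chain, authType); // first delegate that validates the path wins
                    return;
                } catch (CertificateException e) {
                    last = e; // keep the last PKIX failure so the caller sees a real reason
                }
            }
            throw last != null ? last : new CertificateException("no trust managers configured");
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            CertificateException last = null;
            for (X509TrustManager tm : delegates) {
                try {
                    tm.checkClientTrusted(chain, authType);
                    return;
                } catch (CertificateException e) {
                    last = e;
                }
            }
            throw last != null ? last : new CertificateException("no trust managers configured");
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            List<X509Certificate> all = new ArrayList<>(); // union of every delegate's trust anchors
            for (X509TrustManager tm : delegates) {
                all.addAll(Arrays.asList(tm.getAcceptedIssuers()));
            }
            return all.toArray(new X509Certificate[0]);
        }
    }

    /** Approach 2: copy the trusted-certificate entries of source into target, in memory only. */
    static int mergeTrustedCerts(KeyStore target, KeyStore source) throws Exception {
        int copied = 0;
        Enumeration<String> aliases = source.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (source.isCertificateEntry(alias)) {
                String newAlias = "default-" + alias; // avoid clobbering the application's own aliases
                if (!target.containsAlias(newAlias)) {
                    target.setCertificateEntry(newAlias, source.getCertificate(alias));
                    copied++;
                }
            }
        }
        return copied; // nothing is written back to disk unless target.store(...) is called
    }

    public static void main(String[] args) throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore defaultKs = load(cacerts, "changeit".toCharArray());          // assumed default password
        KeyStore appKs = load(Paths.get(args[0]), args[1].toCharArray());       // assumed CLI arguments

        // Approach 1: chain the two trust managers and install the result process-wide.
        X509TrustManager both = new CompositeX509TrustManager(
                Arrays.asList(trustManagerFor(defaultKs), trustManagerFor(appKs)));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { both }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        // Approach 2 (alternative): enlarge the application keystore in memory instead.
        int added = mergeTrustedCerts(appKs, defaultKs);
        System.out.println("merged " + added + " default trust anchors into the application keystore");
    }
}
```

Run it with `java CompositeTrust /path/to/app.jks <password>`; with `-Djavax.net.debug=ssl:trustmanager` you can confirm which anchors the composite manager reports via getAcceptedIssuers. Note that the composite manager only widens trust (a chain is accepted if either keystore validates it), so an expired certificate left in the application keystore does not break validation as long as the current one is present in either store; it also makes every anchor in cacerts trusted for that connection, which is exactly the behaviour the question's war file avoided by loading only its own keystore.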
