From: | Guillaume Cottenceau <gc(at)mnc(dot)ch> |
---|---|
To: | Kris Jurka <books(at)ejurka(dot)com> |
Cc: | Saleem EDAH-TALLY <nmset(at)netcourrier(dot)com>, pgsql-jdbc(at)postgresql(dot)org |
Subject: | Re: SSL - Providing client certificates |
Date: | 2009-02-23 11:25:40 |
Message-ID: | 87iqn1v1hn.fsf@meuh.mnc.lan |
Lists: | pgsql-jdbc |
Kris Jurka <books 'at' ejurka.com> writes:
> On Fri, 20 Feb 2009, Saleem EDAH-TALLY wrote:
>
>> However, if we set javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword,
>> the SSL connection is established and the client certificate is verified.
>>
>
> When the code was first written, this wasn't tested and it was just
> assumed that it wouldn't work. Recently we got a report that it did
> work, but the documentation was not updated.
>
> What I don't understand is how it selects the certificate to send. If
> you have multiple keys in your keystore, how do you indicate which one
> to use?
My quite limited understanding of the behaviour of SSL client
authentication may potentially help a little:
You initially send a certificate signing request to the
admin/owner of the server (signed with your private key); when
you receive the certificate reply (signed with their private
key), you can build a chain of trust between you and the server,
and your keystore will look like:
    Entry type: PrivateKeyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: <you>
    Issuer: <server>
    Certificate[2]:
    Owner: <server>
    Issuer: <server>
Then at the SSL handshake time, first the server presents his
certificate, second it asks for a client certificate, at that
time you are able to present the certificate belonging to the
chain of trust containing the server certificate on top.
--
Guillaume Cottenceau
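The selection step described in the message above can be reproduced outside a handshake with the standard JSSE API: the server's CertificateRequest carries the distinguished names of the issuers it accepts, and the default X509KeyManager returns the alias of a PrivateKeyEntry whose chain contains a certificate issued by one of them. The following program is an added example, not code from the pgsql-jdbc driver or from the thread's authors; the keystore path, password, issuer DN and alias on the command line are placeholders you supply. It also shows the general answer to the "which key?" question when a keystore holds several entries: a wrapper that pins one alias, which applies wherever you build the SSLContext yourself (with the driver of that era, that means supplying your own SSLSocketFactory through the sslfactory connection parameter rather than relying on the javax.net.ssl.* system properties).

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not pgsql-jdbc code): shows which alias the default JSSE
 * key manager would present as the client certificate for a given set of
 * issuer names, and how to pin one alias when the keystore holds several.
 *
 * Usage (keystore path, password and issuer DN are placeholders):
 *   java ClientCertSelection client.jks changeit "CN=server"
 */
public class ClientCertSelection {

    /** Loads a keytool-style JKS keystore into the platform's default X509KeyManager. */
    static X509KeyManager loadKeyManager(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // Same password for store and keys, as javax.net.ssl.keyStorePassword assumes.
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return (X509KeyManager) km;
            }
        }
        throw new IllegalStateException("no X509KeyManager available");
    }

    /**
     * Mirrors the handshake: the issuer DNs stand in for the names the server
     * sends in its CertificateRequest; the key manager answers with the alias
     * of a key entry whose chain contains a certificate issued by one of them,
     * or null if none matches (then no client certificate would be sent).
     */
    static String chooseAlias(X509KeyManager km, String[] issuerDns) {
        Principal[] issuers = new Principal[issuerDns.length];
        for (int i = 0; i < issuerDns.length; i++) {
            issuers[i] = new X500Principal(issuerDns[i]);
        }
        // The default (SunX509) manager does not need a socket to make its choice.
        return km.chooseClientAlias(new String[] {"RSA", "EC"}, issuers, null);
    }

    /** Wrapper that overrides the automatic choice with one fixed alias. */
    static final class FixedAliasKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        private final String alias;

        FixedAliasKeyManager(X509KeyManager delegate, String alias) {
            if (delegate.getCertificateChain(alias) == null) {
                throw new IllegalArgumentException("keystore has no key entry for alias " + alias);
            }
            this.delegate = delegate;
            this.alias = alias;
        }

        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            return alias; // ignore what the server asked for; always present this entry
        }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return delegate.chooseServerAlias(keyType, issuers, socket);
        }
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
            return delegate.getClientAliases(keyType, issuers);
        }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
            return delegate.getServerAliases(keyType, issuers);
        }
        @Override public X509Certificate[] getCertificateChain(String alias) {
            return delegate.getCertificateChain(alias);
        }
        @Override public PrivateKey getPrivateKey(String alias) {
            return delegate.getPrivateKey(alias);
        }
    }

    public static void main(String[] args) throws Exception {
        X509KeyManager km = loadKeyManager(args[0], args[1].toCharArray());
        String chosen = chooseAlias(km, new String[] {args[2]});
        if (chosen == null) {
            System.out.println("no key entry has a chain issued by " + args[2]
                    + "; the client would send no certificate");
            return;
        }
        System.out.println("alias chosen automatically: " + chosen);
        for (X509Certificate c : km.getCertificateChain(chosen)) {
            System.out.println("  Owner: " + c.getSubjectX500Principal()
                    + "  Issuer: " + c.getIssuerX500Principal());
        }
        // To force a particular entry regardless of the server's request,
        // install the wrapper in the SSLContext used to open the connection.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new FixedAliasKeyManager(km, chosen) }, null, null);
        System.out.println("SSLContext built with pinned alias " + chosen);
    }
}
```

Running it against a keystore with the two-certificate chain shown in the message, with the server's DN as the issuer argument, prints that entry's alias and its Owner/Issuer pairs; with an issuer DN that no chain contains it reports a null choice, which is the case where a server that requires a client certificate will reject the connection. The pinned-alias wrapper is the piece to keep when a keystore accumulates keys for several servers and automatic matching is no longer the behaviour you want.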