
[iaik-ssl] [Fwd: Problem with client authentication/verification]


On the SSLServerSocket I request Client Certificates. The javadoc of this
method is incomplete, as it doesn't say that the SSLServerSocket never
checks this; it's just a hint to the client about what types of
certificates are accepted by the server.

Now I suppose that the SSLServerSocket checks that the client does indeed
possess the private key corresponding with the client certificate. In the
case of Diffie-Hellman fixed certificates however, this is not done;
neither is it checked whether the public key in the certificate is the
same as the one in the key exchange.

(I tested it with a client that doesn't have the private DH key
corresponding with the certificate, so I assume that the private DH key
for the key exchange is generated on the fly and is not the same as the one
belonging to the certificate.)

The method getPrivateKey in the client trust decider is never called. I've
seen some posts mentioning this here already.

But the isTrustedPeer method of the ServerTrustDecider is called
nonetheless, with no indication that there was no check to see if the
certificate was owned by the client, or if the client just copied it
from somewhere. So if the client copied a trusted certificate from a
certificate database it would verify correctly in isTrustedPeer, unless
isTrustedPeer explicitly denies DH certificates.

Actually, there is as I see it no use at all for DH client certificates
if they aren't checked in one way or another.

Erwin Bolwidt
Mailinglist-archive at http://jcewww.iaik.tu-graz.ac.at/mailarchive/iaik-ssl/maillist.html

To unsubscribe send an email to listserv@iaik.tu-graz.ac.at with the following content: UNSUBSCRIBE iaik-ssl
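The failure mode described in the mail above, as an added example that is not part of the original post and not code from the IAIK-SSL library: a toy simulation of a fixed-DH client authentication in which the server either uses whatever DH public value the client sends in the key exchange (the behaviour the poster reports) or insists on the DH public value bound into the client certificate. With the first policy, a client that has merely copied a trusted certificate but generates its own DH key on the fly completes the handshake; with the second, it cannot, because the Finished MAC has to be computed from a premaster secret that only the holder of the certified private key can derive. The group parameters, names (alice, mallory), private-key values and the HMAC-based stand-in for the TLS Finished message are all constructed assumptions for illustration, not TLS wire formats.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Toy Diffie-Hellman group, constructed for this example only (far too small for real use).
P = (1 << 127) - 1   # Mersenne prime M127
G = 5


@dataclass(frozen=True)
class DHCertificate:
    """Models a fixed-DH client certificate: a CA-bound static DH public value for a subject."""
    subject: str
    dh_public: int


def dh_public(private: int) -> int:
    return pow(G, private, P)


def derive_shared(peer_public: int, private: int) -> int:
    """DH premaster secret: peer_public ^ private mod P."""
    return pow(peer_public, private, P)


def finished_mac(shared: int, transcript: bytes) -> bytes:
    """Stand-in for the TLS Finished message: a MAC over the handshake transcript
    keyed with the premaster secret (assumption; real TLS derives keys via the PRF)."""
    return hmac.new(shared.to_bytes(16, "big"), transcript, hashlib.sha256).digest()


def client_handshake(cert, client_private, server_public, transcript, spoof_kx=False):
    """What the client presents: its certificate, a DH public value for the key
    exchange, and a Finished MAC computed from its own private key.
    spoof_kx=True models an impostor that copies the certified public value into
    the key exchange while still only holding its own private key."""
    kx_public = cert.dh_public if spoof_kx else dh_public(client_private)
    shared = derive_shared(server_public, client_private)
    return cert, kx_public, finished_mac(shared, transcript)


def server_verify(cert, kx_public, client_finished, server_private, transcript,
                  trusted_subjects, check_fixed_dh):
    # The isTrustedPeer-style check: is the certificate itself acceptable?
    if cert.subject not in trusted_subjects:
        return False
    if check_fixed_dh:
        # Fixed-DH policy: the key exchange must use the certified key, and the
        # premaster secret is derived from the certificate's public value, so a
        # valid Finished proves possession of the private key behind the certificate.
        if kx_public != cert.dh_public:
            return False
        peer_public = cert.dh_public
    else:
        # Reported behaviour: whatever public value arrived in the key exchange is used,
        # so the certificate is never tied to the key exchange at all.
        peer_public = kx_public
    shared = derive_shared(peer_public, server_private)
    return hmac.compare_digest(finished_mac(shared, transcript), client_finished)


# Constructed key material: alice holds the private key behind the trusted
# certificate; mallory has only a copy of alice's certificate.
ALICE_PRIVATE = 0x2F3A1B9C7D5E6F0011223344556677
MALLORY_PRIVATE = 0x0BADF00DCAFEBABE1234567890ABCD
SERVER_PRIVATE = 0x5EC0DE5EC0DE5EC0DE5EC0DE5EC0DE
ALICE_CERT = DHCertificate("CN=alice", dh_public(ALICE_PRIVATE))
TRUSTED = {"CN=alice"}
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ServerKeyExchange|CertificateRequest"


def run_handshake(client_private, cert, check_fixed_dh, spoof_kx=False):
    """Returns True if the server accepts the client; False if the handshake is rejected."""
    server_public = dh_public(SERVER_PRIVATE)
    msg = client_handshake(cert, client_private, server_public, TRANSCRIPT, spoof_kx)
    return server_verify(*msg, SERVER_PRIVATE, TRANSCRIPT, TRUSTED, check_fixed_dh)


if __name__ == "__main__":
    print("alice, lenient server  :", run_handshake(ALICE_PRIVATE, ALICE_CERT, False))
    print("alice, fixed-DH server :", run_handshake(ALICE_PRIVATE, ALICE_CERT, True))
    print("mallory, lenient server:", run_handshake(MALLORY_PRIVATE, ALICE_CERT, False))
    print("mallory, fixed-DH server:", run_handshake(MALLORY_PRIVATE, ALICE_CERT, True))
    print("mallory spoofing kx, fixed-DH server:",
          run_handshake(MALLORY_PRIVATE, ALICE_CERT, True, spoof_kx=True))
```

The point the simulation makes is the one in the mail: checking the certificate chain (isTrustedPeer) is not proof of possession. Comparing the key-exchange public value against the certificate closes the obvious gap, but the real guarantee comes from deriving the premaster secret from the certified key, so that the Finished message can only be produced by whoever holds the matching private DH key.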