user1514879

Java adding multiple trust stores, one per port

I have a client/server process with one server and one client.

The connect setup looks like:

import java.net.InetAddress;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

System.setProperty("javax.net.ssl.trustStore", "path/to/store");
System.setProperty("javax.net.ssl.trustStorePassword", "passwd");
SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(InetAddress.getLocalHost(), port);

1:1, this works fine. Now I am expanding it such that the server is listening on multiple ports for multiple clients. Each client that connects to the server should do so on a specific port with a specific truststore.

If I register two trust stores on the server side, when I try to make the client connection I get the error:

javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown Received fatal alert: certificate_unknown

I've been looking through stack overflow for an example, but everything seems overly complicated. Is there a simple way to manage this? Or a compelling reason that one process shouldn't use multiple key stores?

Upvotes: 1

Views: 812

Answers (1)

Virtually Real

Reputation: 1685

I don't think this is possible using your method. Since you are setting a system property (which is a hashtable), the last one you write will overwrite the earlier ones.

But also, I do not understand the use case. In general a truststore is a client-side concept. It is about determining what server to trust. Most of the time (unless you are using certificate-based authentication) a client's trustworthiness is not relevant.

Having said this, it is possible to set different keystores for different ports. In Tomcat, for instance:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
       maxThreads="150" scheme="https" secure="true"
       keystoreFile="${user.home}/.keystore1"
       keystorePass="changeit"
       clientAuth="false" sslProtocol="TLS" />

The above snippet states that on port 443 ~/.keystore1 should be used. On another port, keystore2 could be used.

Should you want to use client authentication, you can force the client to send a certificate, in the above example by setting clientAuth to true, and adding truststoreFile and truststorePass.

Digging in Tomcat's source code may help you in setting up your environment. In particular the file java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java will perhaps have exactly what you want.

Upvotes: 1
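The point the answer makes (the `javax.net.ssl.trustStore` system property is process-wide, so the last value written wins for every `SSLSocketFactory.getDefault()` in the JVM) is most easily worked around by not using the default factory at all. The example below is added here and is neither the asker's nor the answerer's code: it builds one `SSLContext` per port from an explicitly loaded store, on the server side with its own keystore plus the truststore of the clients allowed on that port, and on the client side with only the truststore for that port. The store file names, passwords and port numbers are hypothetical placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public final class PerPortTls {

    /** Load a PKCS12 store from disk (hypothetical file names are used in main). */
    static KeyStore loadStore(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Client side: a context that trusts only the certificates in the given truststore.
     *  Nothing here touches System properties, so several of these can coexist in one JVM. */
    static SSLContext clientContext(String trustStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(trustStorePath, password));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, explicit trust anchors
        return ctx;
    }

    /** Server side: identity from keyStorePath; peers are verified against trustStorePath
     *  (the programmatic equivalent of Tomcat's keystoreFile/truststoreFile per Connector). */
    static SSLContext serverContext(String keyStorePath, char[] keyPassword,
                                    String trustStorePath, char[] trustPassword)
            throws IOException, GeneralSecurityException {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore(keyStorePath, keyPassword), keyPassword);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(trustStorePath, trustPassword));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Open a client connection to localhost:port using that port's own truststore. */
    static SSLSocket connect(int port, String trustStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        SSLContext ctx = clientContext(trustStorePath, password);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(InetAddress.getLocalHost(), port);
        s.startHandshake(); // fails here with a handshake exception if the cert is not trusted
        return s;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // placeholder password
        // Hypothetical mapping: each port gets its own server identity and its own set of
        // trusted client certificates, independent of any System property.
        Map<Integer, SSLContext> serverContexts = new LinkedHashMap<>();
        serverContexts.put(8443, serverContext("server-8443.p12", pw, "clients-8443.p12", pw));
        serverContexts.put(9443, serverContext("server-9443.p12", pw, "clients-9443.p12", pw));

        for (Map.Entry<Integer, SSLContext> e : serverContexts.entrySet()) {
            SSLServerSocket ss = (SSLServerSocket) e.getValue()
                    .getServerSocketFactory().createServerSocket(e.getKey());
            // Mutual TLS: a client on this port must present a certificate that chains to
            // this port's truststore, otherwise the handshake is rejected.
            ss.setNeedClientAuth(true);
            System.out.println("listening on " + e.getKey() + " with its own key/trust stores");
            // A real server would hand ss to an accept loop on its own thread here.
        }
    }
}
```

Because each `SSLContext` is initialised from an explicitly loaded `KeyStore`, two contexts in the same process never overwrite each other, which is exactly what the system-property approach cannot provide. With `setNeedClientAuth(true)` the server also needs a `KeyManager` on the client side (a client keystore passed as the first argument to `ctx.init`) for the handshake to complete; the client code above only covers server verification.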
