
SSL and client certificates

 
Lasse Koskela
author
Sheriff
Posts: 11962
If I was to use a client certificate when connecting to a server over HTTPS, how would the SSL implementation (JSSE) figure out which certificate to send (assuming there are many in the client's keystore)?
 
Alex Black
Greenhorn
Posts: 16
Each certificate in a keystore is identified by an "alias" string.
Once you have your keystore object you can retrieve the pertinent certificate by calling a getCertificate(String alias) method.
You could read up on this through this link: http://java.sun.com/j2se/1.4.2/docs/api/java/security/KeyStore.html.
Cheers,
Alex
 
Lasse Koskela
author
Sheriff
Posts: 11962
Thanks Alex,
However, I already knew that much. What I'm wondering is what happens under the covers if I don't locate the Certificate myself but instead let the JSSE "https" handler take care of everything -- will it blindly pick the first certificate from the keystore or use some kind of "preference" logic to determine the "best match" to what the server is requesting during the handshake?
Please, just say so if I'm way off here. I'm really new to client certificates...
 
Alex Black
Greenhorn
Posts: 16
Hi Lasse,
I am not sure what you mean by letting the "https" handler take care of everything... Could you provide some code instead?
Alex
 
Lasse Koskela
author
Sheriff
Posts: 11962
What I'm after is that instead of doing

we can (with JDK 1.4) do this instead:

And the actual question is whether we can do the latter if a client certificate is required by the server?
 
Alex Black
Greenhorn
Posts: 16
Hi Lasse,
Yes, a client certificate is still required in spite of this not really being evident in the second snippet of code.
All the implementation hidden underneath the HttpsURLConnection is literally (almost) identical to the first code snippet.
It makes sense because it makes the whole ordeal of setting up SSL convenient for developers. Yet again, the trade-off is leaving us blind to what is actually going on.
Hope that helps.
Cheers,
Alex
 
Lasse Koskela
author
Sheriff
Posts: 11962
Originally posted by Alex Black:
It makes sense because it makes the whole ordeal of setting up SSL convenient for developers. Yet again, the trade-off is leaving us blind to what is actually going on.
So would it be a fair guess that "under the hood", the code is actually just picking the first certificate from the keystore? The other option, I think, would be that the server indicates some sort of preferences for the client certificate (a bit like the client advertises all the algorithms it knows upon starting the handshake) based on which the "https" protocol handler selects one of the client's certificates to be sent.
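An added example, not code from any post in this thread, showing how to take the choice away from JSSE's default key manager. During the handshake JSSE calls the installed X509KeyManager's chooseClientAlias, passing the key types and issuer names the server listed in its CertificateRequest; wrapping the default manager lets you pin one known alias and fail early if it is not in the keystore. The keystore path, password and alias are assumed values, and the syntax is current Java rather than JDK 1.4.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Wraps the default X509KeyManager and always presents one chosen alias. */
public final class PinnedAliasKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final String alias;  // keystore alias we want JSSE to send

    PinnedAliasKeyManager(X509KeyManager delegate, String alias) {
        if (delegate.getCertificateChain(alias) == null) {
            throw new IllegalArgumentException("no key entry for alias " + alias);
        }
        this.delegate = delegate;
        this.alias = alias;
    }

    // JSSE calls this with the key types and CA names from the server's
    // CertificateRequest; we ignore them and return the pinned alias.
    // (Returning null here would mean "send no client certificate".)
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket s) {
        return alias;
    }
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return new String[] { alias };
    }
    // Server-side methods are not needed by a client; pass them through.
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) {
        return delegate.chooseServerAlias(keyType, issuers, s);
    }
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    /** Builds an SSLContext whose client identity is fixed to the given alias. */
    public static SSLContext contextFor(String ksPath, char[] pw, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");  // assumed keystore type
        try (FileInputStream in = new FileInputStream(ksPath)) { ks.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        X509KeyManager dflt = (X509KeyManager) kmf.getKeyManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new PinnedAliasKeyManager(dflt, alias) }, null, null);
        return ctx;  // e.g. HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory())
    }
}
```

Passing null as the TrustManager array keeps the default trust store for server verification; only the client-side identity selection is replaced.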
 