When I tried to run the program there was an exception saying that there was no certificate found (I cannot remember exactly the exception).
I solved this by installing the certificate into cacerts file and everything worked fine.
Note: This certificate is a self-signed and is not validated by any CA.
However, the clients to whom this software will be distributed should not have to do this.
How can I create an SSL/TLS Java client without installing an untrusted certificate?
If some more clarification is needed, do not hesitate to ask.
If you have a self-signed certificate, any properly secure client is going to inform you before you attempt to connect to that server via SSL. It would be a major security vulnerability not to.
Many clients do have the ability to add a confirmation to accept the cert and proceed, which is done via a pop-up dialog and/or a command-line switch. The point is that the end user should be aware of, and consciously agree to, talking to a server whose authenticity and trustworthiness cannot be independently proven.
If that is not suitable, get a signed cert. You can get them free from letsencrypt, although those have to be renewed every 90 days - an expired cert also causes the client to question the user. There are additionally some fairly inexpensive cert authorities for longer-term certs and if you want extra bells and whistles, the big name certifiers add additional trustworthiness features that clients will often display as medallions next to the navigation control to assure users of the server's bona fides.
posted 2 months ago
I just wanted to share my findings with you. Maybe someone will find this useful.
At the moment of writing this, I can say with 99% certainty that what I wanted in the first place IS possible. I implemented it and in localhost (both server and the client) everything works. The 1% left is because I still need to test my solution with Wireshark to see that the communication is actually SSL/TLS encrypted.
I will update once these tests are done.
First of all, big thanks to this article. It helped me achieve what I wanted, even though it is HTTPS related. My client is a TCP client implementing custom protocol.
The chosen solution is the "most wrong" (I'm not a native English speaker, but I'm aware that this isn't correct grammar) one could choose from.
The whole point of using TLS in the first place is to have authenticated assurance that the remote is really the one you want to speak to, no matter if strong encryption is used.
By overwriting this very basic, essential check you can get away with not using TLS at all but use RSA and AES in stream mode and javax.crypto.CipherIn/OutputStream.
The right way to do TLS with your own private CA:
create a root key and root cert
create an instance of SSLContext using it, and create end-point certs signed by the root or, if you like, by an intermediate cert
there is no need to pre-install the root cert ahead of use; just create a TrustManager at runtime. Done.
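The runtime-trust approach described in the reply above (and what the original question asks for), as an added example that is not code from either poster. It assumes a private root CA whose certificate is shipped with the client as PEM text (the ROOT_CA_PEM placeholder below), that the server's certificate is issued under that root and names the host it runs on, and a hypothetical server address server.example:8443. The root's private key is never part of the client; only the public certificate is, so nothing is imported into cacerts and no trust-all TrustManager is involved. Java 11 or later is assumed for the TLS 1.3 protocol name.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * TLS client for a custom TCP protocol that trusts exactly one private root CA,
 * supplied at runtime, so the JRE's cacerts file is never touched.
 */
public final class PrivateCaTlsClient {

    // PEM text of the private root CA certificate. In a real client this is
    // bundled as a resource inside the jar; it contains no secret material.
    // Placeholder (assumption): replace with the real "-----BEGIN CERTIFICATE-----" block.
    private static final String ROOT_CA_PEM = "<root CA certificate in PEM form>";

    /** Parses one X.509 certificate (PEM or DER) from the stream. */
    static X509Certificate parseCertificate(InputStream in) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(in);
    }

    /** Builds an SSLContext whose only trust anchor is the given root CA. */
    static SSLContext contextTrustingOnly(X509Certificate rootCa)
            throws GeneralSecurityException, IOException {
        // Fresh in-memory KeyStore: the JRE default trust store is deliberately not
        // used, so certificates from public CAs are NOT accepted by this client.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("private-root-ca", rootCa);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // standard X509 chain validation, not overridden
        return ctx;
    }

    /** Opens the TLS connection and completes the handshake before any protocol data flows. */
    static SSLSocket connect(SSLContext ctx, String host, int port) throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        // Endpoint identification: the server certificate must name this host
        // (SAN or CN); without it, any certificate the private CA ever issued would pass.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        socket.setSSLParameters(params);

        // Throws SSLHandshakeException if the chain does not lead to ROOT_CA_PEM
        // or the name check fails; the caller never sees a half-trusted socket.
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate rootCa = parseCertificate(
                new ByteArrayInputStream(ROOT_CA_PEM.getBytes(StandardCharsets.US_ASCII)));
        SSLContext ctx = contextTrustingOnly(rootCa);
        // Hypothetical server; the custom protocol then runs over the socket's streams.
        try (SSLSocket socket = connect(ctx, "server.example", 8443)) {
            System.out.println("Negotiated " + socket.getSession().getProtocol()
                    + " with " + socket.getSession().getPeerPrincipal());
        }
    }
}
```

The Wireshark check the original poster mentions still applies: with this setup the capture should show a TLS handshake whose server Certificate message chains to the bundled root, and any server presenting a certificate from another issuer, or with the wrong name, fails in startHandshake() rather than being silently accepted.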