Subject: SSL/TLS Error Database -- To Trust/Validate An Incoming Connection
Author: authen
Posted on: 02/28/2008 06:32:10 PM
What's truststore?
A truststore is a keystore which is used when making decisions about what to trust. If you receive some data from an entity that you already trust, and if you can verify that the entity is the one it claims to be, then you can assume that the data really came from that entity.
An entry should only be added to a truststore if the user makes a decision to trust that entity. By either generating a keypair or by importing a certificate, the user has given trust to that entry, and thus any entry in the keystore is considered a trusted entry.
The default truststore is "$JAVA_HOME/lib/security/java.security/cacerts", with the keystore password "changeit". You can point the JVM at a different truststore by setting the system property:
System.setProperty("javax.net.ssl.trustStore", "path_to_your_truststore");
What's CRL?
CRL stands for Certificate Revocation List, a list in which revoked certificates are itemized. A CRL can be a static local file pre-downloaded from the CA, or a dynamic repository pointed to by the CRLDP (CRL Distribution Point) in the CA's certificate.
Steps to trust/validate an incoming connection?
Whenever an incoming connection requests SSL/TLS communication and presents its certificate, your application has to decide whether to trust it before building a secure channel for SSL/TLS-encrypted communication. The process of making that decision is commonly referred to as "handshaking". In order to validate a certificate, the following steps are usually involved:
Step 1) Certificate cipher checking
Step 2) Certificate constraints (e.g. maxPathLength, naming) checking
Step 3) Certificate policies checking
Step 4) Certificate basics (e.g. before/after dates, subject/issuer name chaining, signature) checking
Step 5) [Optional] Certificate revocation (e.g. static CRL files and dynamic CRLDPs) checking
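The truststore setup described above and the validation steps just listed, carried out with the JDK's PKIX API, as an added example (this is not code from the original post). It assumes Java 8 or later for PKIXRevocationChecker, and the truststore path, password and CRL file list are caller-supplied placeholders:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

public class ChainValidator {
    // Validates a peer's certificate chain (leaf first) against the trust
    // anchors in a truststore, running the PKIX checks listed in the post:
    // name chaining, validity dates, signatures, constraints, policies, and
    // revocation via CRLs (pre-downloaded files plus CRLDP lookups).
    public static PKIXCertPathValidatorResult validate(
            List<X509Certificate> chain,
            String truststorePath, char[] truststorePassword,
            List<String> staticCrlFiles) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststorePath)) {
            ts.load(in, truststorePassword);
        }
        // Every trusted certificate entry in the truststore becomes a trust anchor.
        PKIXParameters params = new PKIXParameters(ts);

        // Static CRL files are offered to the validator via a Collection CertStore.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<CRL> crls = new ArrayList<>();
        for (String f : staticCrlFiles) {
            try (InputStream in = new FileInputStream(f)) {
                crls.addAll(cf.generateCRLs(in));
            }
        }
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));

        // Java 8+ revocation checker, preferring CRLs over OCSP. Assumption:
        // with this checker installed the JDK PKIX provider also follows the
        // CRL Distribution Points in the certificates being validated.
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
        params.addCertPathChecker(rc);

        // Throws CertPathValidatorException (reason EXPIRED, REVOKED,
        // NAME_CHAINING, ...) if any step fails; otherwise the chain is trusted.
        CertPath path = cf.generateCertPath(chain);
        return (PKIXCertPathValidatorResult) cpv.validate(path, params);
    }
}
```

The returned result carries the trust anchor the chain was resolved to and the subject public key of the leaf, which is what the SSL/TLS layer then uses for the session.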