eu.emi.security.authn.x509.helpers.ssl
Class SSLTrustManager
java.lang.Object
eu.emi.security.authn.x509.helpers.ssl.SSLTrustManager
- All Implemented Interfaces:
- TrustManager, X509TrustManager
public class SSLTrustManager
- extends Object
- implements X509TrustManager
Implementation of TrustManager
which uses a configured X509CertChainValidator
to validate certificates.
Note that if the client's certificate is not trusted the server will send an alert and close the connection.
Unfortunately, TLS is build in such a way, that in the same time, the client might still be busy
with sending the rest of handshake data (the client's certificate is sent first, then other records).
This alone would be no problem but Java SSL implementation, when trustmanager throws an exception,
first closes the input half of the socket and only then sends the alert.
All this is done without waiting for the client to finish sending its portion of handshake data.
This can cause a race condition: client will try to send data on a closed channel
of the socket, before it receives an alert about its certificate. The only known solution is to introduce
a sleep before throwing an exception by checkClientTrusted(). But it is hard to provide a good value, and what is
more this timeout is obviously slowing the invalid connection dropping, what might be used to perform DoS attacs.
Therefore there is no solution implemented.
- Author:
- K. Benedyczak
Methods inherited from class java.lang.Object |
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
validator
protected X509CertChainValidator validator
SSLTrustManager
public SSLTrustManager(X509CertChainValidator validator)
checkClientTrusted
public void checkClientTrusted(X509Certificate[] chain,
String authType)
throws CertificateException
-
- Specified by:
checkClientTrusted
in interface X509TrustManager
- Throws:
CertificateException
checkServerTrusted
public void checkServerTrusted(X509Certificate[] chain,
String authType)
throws CertificateException
-
- Specified by:
checkServerTrusted
in interface X509TrustManager
- Throws:
CertificateException
checkIfTrusted
protected void checkIfTrusted(X509Certificate[] certChain)
throws CertificateException
- Throws:
CertificateException
getAcceptedIssuers
public X509Certificate[] getAcceptedIssuers()
-
- Specified by:
getAcceptedIssuers
in interface X509TrustManager
Copyright © 2012-2013 European Middleware Initiative. All Rights Reserved.