Public client, Protocol TLS, keystore and SSLContext

Hello

Hope this isn't a duplicate post; I haven't found one that answers my questions... (I'm not a native English speaker, so I lack certain keywords when searching.)

I'm developing a Java client/server application that uses JSSE to manage the TLS connection.

The client will be available to the public, and the connection with the server must be guaranteed by an X.509v3 certificate.
It is currently using a self-generated X.509v1 certificate, but what I have read leads me to conclude that when we buy an X.509v3 certificate, it works exactly the same way.

For a first SSL test (I'm using the SSLEngine class), I generated keystores and truststores for the client and the server, with the same certificate.

Here's how I generated what I need:

keytool -genkeypair -alias mytest -keyalg RSA -validity 360 -keystore /home/pitt/keystore
keytool -export -alias mytest -keystore /home/pitt/keystore -rfc -file selfsigned.cer
keytool -import -alias mytest -file selfsigned.cer -keystore /home/pitt/truststore

Now that we are preparing a first public version, I am wondering about the distribution of the certificate.

So here are my questions:

Is it possible to distribute the client without any certificate and still have it connect to the server?

To try this, I modified my code:

First, on my server's SSLEngine, which uses the truststore and the keystore generated above:

engine.setNeedClientAuth(false);

On the client, I tried to use the default keystore:

TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX");
KeyStore ks = null;
factory.init(ks);                    // null KeyStore: falls back to the JDK's default cacerts
SSLContext ctx = SSLContext.getInstance("TLS");
// SSLContext.init takes (KeyManager[], TrustManager[], SecureRandom);
// the client has no certificate, so no KeyManagers are passed.
ctx.init(null, factory.getTrustManagers(), null);

Result: my server raises "Received fatal alert: certificate_unknown". I assumed that the client must provide a certificate that is trusted by the server.
Am I wrong?
If I'm wrong, how can I implement this without embedding any certificate/store in the client? Or do I just have to provide the server's certificate to the client, and if so, how?...

If the client must provide a certificate to establish a connection, isn't it dangerous to have the same certificate in every client?

If that's what I have to do, how can I achieve it?
Even after a lot of research, I'm a little confused by keystores/certificates/truststores. So should I provide a key file to the client? What should it contain? What should I add to the server keystore/truststore...?

Sorry, it's not very clear to me, both the implementation and the cryptographic logic; I hope someone will be kind enough to enlighten my poor brain :)

Thanks in advance!

Is it possible to distribute the client without any certificate and still have it connect to the server?

Yes, as long as the server certificate is signed by a certification authority, or you distribute a truststore containing it with the client.

Result: my server raises "Received fatal alert: certificate_unknown". I assumed that the client must provide a certificate that is trusted by the server.

No, the server must provide a certificate trusted by the client. The reverse is an option, which you disabled.

How can I implement this without embedding any certificate/store in the client?

Obtain a certificate signed by a certification authority.

If the client must provide a certificate to establish a connection, isn't it dangerous to have the same certificate in every client?

Not only dangerous but pointless. The client certificate is meant to uniquely identify a specific client. If it doesn't do that, there is no point to it whatsoever.

So should I provide a key file to the client?

Never. If client authentication is needed, the clients must provide their own keystores. You can't do it for them. But you don't need it at all in this case.

What should I add to the server keystore/truststore...?

If you use client authentication, the server must trust the client's certificate, either because it is signed by a certification authority or because it has been imported into the server's truststore. It is not necessary in this case.

Sorry, it's not very clear to me

It's actually very simple.

1. For A to trust B, B must have a unique certificate in its keystore that is trusted by A's truststore, either because it was signed by a CA or because it has been imported into that truststore.
2. In SSL, the client must trust the server, i.e. the client requires authentication of the server.
3. In SSL, it is possible for the server to want or require authentication of the client.
4. It is also possible to reverse the roles of client and server in the handshake.
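The following is an added example, not code from the question or the answer: it puts the answer's first option into practice, a server that authenticates itself from its keystore with client authentication switched off, and a client that trusts that server only through a truststore shipped with it (no client certificate, no key material on the client side). It assumes the keystore and truststore paths from the question (/home/pitt/keystore and /home/pitt/truststore), a placeholder password "changeit", and that the server certificate was issued for the host name the client connects to (here localhost, e.g. generated with -dname "CN=localhost" or -ext SAN=dns:localhost), since the client enables hostname verification, which JSSE does not do on raw sockets unless asked.

```java
import javax.net.ssl.*;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;

public class TrustStoreDemo {

    // Server side: a KeyManager over the keystore that holds the server's private key and
    // certificate. With client authentication off, the server needs no truststore at all;
    // passing null TrustManagers just selects the JDK defaults, which are never consulted.
    static SSLContext serverContext(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    // Client side: a TrustManager over the truststore distributed with the client. The
    // truststore contains only the server's certificate (imported with keytool -import),
    // no private key, so there is nothing secret to protect in the client package.
    // No KeyManagers are supplied: the client has no certificate of its own.
    static SSLContext clientContext(String truststorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // placeholder password, not from the page
        SSLContext server = serverContext("/home/pitt/keystore", pw);
        SSLContext client = clientContext("/home/pitt/truststore", pw);

        SSLServerSocket listener =
                (SSLServerSocket) server.getServerSocketFactory().createServerSocket(0);
        // Socket-level equivalent of engine.setNeedClientAuth(false) from the question.
        listener.setNeedClientAuth(false);
        int port = listener.getLocalPort();

        Thread serverThread = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) listener.accept()) {
                BufferedReader r = new BufferedReader(
                        new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8));
                String line = r.readLine();
                Writer w = new OutputStreamWriter(s.getOutputStream(), StandardCharsets.UTF_8);
                w.write("echo: " + line + "\n");
                w.flush();
            } catch (IOException e) {
                e.printStackTrace();
            }
        });
        serverThread.start();

        try (SSLSocket s = (SSLSocket) client.getSocketFactory().createSocket("localhost", port)) {
            // Trusting the certificate is only half of server authentication: the client must
            // also check that the certificate was issued for the host it meant to reach.
            SSLParameters params = s.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(params);
            s.startHandshake(); // throws SSLHandshakeException if the truststore/name check fails

            Writer w = new OutputStreamWriter(s.getOutputStream(), StandardCharsets.UTF_8);
            w.write("hello over TLS\n");
            w.flush();
            BufferedReader r = new BufferedReader(
                    new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8));
            System.out.println(r.readLine());
            System.out.println("authenticated server: " + s.getSession().getPeerPrincipal());
        } finally {
            serverThread.join();
            listener.close();
        }
    }
}
```

If the client is instead built the way the question did, with factory.init((KeyStore) null), it trusts only the JDK's cacerts bundle; a self-signed server certificate is then rejected on the client side and the server sees the resulting certificate_unknown alert. Replacing the self-signed certificate with one issued by a CA that is already in cacerts is what lets the client ship without any truststore of its own, as the answer says.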

Tags: Java
