Bug
Resolution: Fixed
P3
1.0.1
helms
generic, x86
generic, windows_nt
Sample Code: SSLSocketClientWithClientAuth.java
Justification: The ###@###.### has had repeated questions
regarding this example.
Problem: -Djavax.net.ssl.trustStore is not consulted when
establishing a source of trust.
Workaround: Install the $JSSE_HOME/samples/samplecacerts into
$JAVA_HOME/lib/security/jssecacerts or
$JAVA_HOME/lib/security/cacerts
Background:
The Java 2 JKS keystore file format allows two different types of
entries to be stored.
"keyEntry"
    holds a private key together with the certificate chain for the
    matching public key. In JSSE, keyEntries are primarily used to
    identify the local party (the private key signs handshake
    messages), but they can also be used as the basis for trust
    decisions. (However, this implies that the client and server
    are using the same keystore.)
"trustedCertEntry"
    holds a single certificate, i.e. an entity's public key. Such
    entries are added to the keystore only after someone has decided
    to trust that certificate. They are then used as the basis for
    trust decisions about certificates presented by peers.
Certificates are used in two different aspects of a JSSE handshake.
When one entity wishes to identify itself to another, it does so by
presenting the certificate from a "keyEntry" and proving, with the
corresponding private key, that it holds that key pair. When the
second entity receives the message containing the certificate, it
must examine the presented certificate and decide whether to trust
the sender. The "trustedCertEntry" certificates are the basis for
that decision.
Explanation:
In Sun's Reference Implementation of JSSE 1.0 and 1.0.1, the trusted
keystore is located by checking three places in order:
1) the file named by the system property javax.net.ssl.trustStore,
2) <java-home>/lib/security/jssecacerts, then
3) <java-home>/lib/security/cacerts
There is a code path in the TrustManagerFactory code in which the
javax.net.ssl.trustStore property is not consulted: if
com.sun.net.ssl.TrustManagerFactory.init() is called with a null
KeyStore parameter, the code consults only jssecacerts and cacerts.
Note that if SSLContext.init() is called with a null TrustManager
array, it internally calls TrustManagerFactory.init(null), leading to
the same symptom. Calling TrustManagerFactory.init() with an
explicitly loaded KeyStore does not go through the affected path.
A bug has been filed, and will be addressed in a future release of
JSSE. Please see the workaround above.
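The following is an added example, not the SSLSocketClientWithClientAuth.java sample or any other code attached to this bug. It shows the client-side way around the problem described above: read the file named by javax.net.ssl.trustStore yourself, load it into a KeyStore, and hand that KeyStore to TrustManagerFactory.init(), so the init(null) path that ignores the property is never taken. It also enumerates the keystore so you can see how many trustedCertEntry anchors the trust manager will actually get. Assumptions: it uses the javax.net.ssl package names and generics of Java 5 and later (on the JSSE 1.0.x reference implementation the same classes live under com.sun.net.ssl and the imports change accordingly), the "SunX509" trust-manager algorithm, the optional javax.net.ssl.trustStorePassword and javax.net.ssl.trustStoreType properties, and a host and port supplied on the command line; the class name ExplicitTrustStoreClient and the helper names are invented for this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the bug report): a client that avoids the
 * TrustManagerFactory.init(null) code path by loading the truststore named
 * by -Djavax.net.ssl.trustStore itself and passing the KeyStore explicitly.
 */
public class ExplicitTrustStoreClient {

    /** Loads the keystore named by javax.net.ssl.trustStore. The password
     *  and type properties are assumptions of this example; with no
     *  password the file still loads, but its integrity hash is not checked. */
    static KeyStore loadTrustStoreFromProperty()
            throws IOException, GeneralSecurityException {
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null) {
            throw new IllegalStateException(
                "-Djavax.net.ssl.trustStore=<file> must be set");
        }
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        String type = System.getProperty("javax.net.ssl.trustStoreType",
                                         KeyStore.getDefaultType());
        KeyStore ts = KeyStore.getInstance(type);
        FileInputStream in = new FileInputStream(path);
        try {
            ts.load(in, pw == null ? null : pw.toCharArray());
        } finally {
            in.close();
        }
        return ts;
    }

    /** Counts trustedCertEntry aliases, the only entries the trust manager
     *  uses as anchors. keyEntry aliases are reported separately so a
     *  keystore holding only a private key is noticed before the handshake
     *  fails with an "unknown certificate" error. */
    static int countTrustAnchors(KeyStore ts) throws GeneralSecurityException {
        int trusted = 0, keys = 0;
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ts.isCertificateEntry(alias)) {
                trusted++;
            } else if (ts.isKeyEntry(alias)) {
                keys++;
            }
        }
        System.out.println(trusted + " trustedCertEntry, " + keys + " keyEntry");
        return trusted;
    }

    /** The point of the workaround: init(KeyStore), never init(null). */
    static TrustManager[] trustManagersFor(KeyStore ts)
            throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(ts);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        KeyStore ts = loadTrustStoreFromProperty();
        if (countTrustAnchors(ts) == 0) {
            System.err.println("truststore holds no trustedCertEntry; "
                + "every server certificate will be rejected");
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        // Explicit trust managers: SSLContext never calls TrustManagerFactory.init(null).
        ctx.init(null, trustManagersFor(ts), null);
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            sock.startHandshake();
            System.out.println("handshake OK with " + host + ":" + port
                + " using " + sock.getSession().getCipherSuite());
        } catch (SSLHandshakeException ex) {
            // The server's chain does not lead to a trustedCertEntry in ts.
            System.err.println("server certificate not trusted: " + ex.getMessage());
        } finally {
            sock.close();
        }
    }
}
```

Run it as `java -Djavax.net.ssl.trustStore=mycacerts ExplicitTrustStoreClient <host> <port>`. Because the KeyStore object is built from the property before SSLContext.init() is called, the property is honoured on JSSE 1.0 and 1.0.1 as well as on later releases, and a keystore with no trustedCertEntry is reported instead of surfacing only as a failed handshake.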
~
Name: skT45625 Date: 06/16/2000
I'm running a quite simple example that uses JSSE. When I try to set the cacerts
file path using the javax.net.ssl.trustStore system property (e.g. adding
-Djavax.net.ssl.trustStore=E:\infoReach\SSLExample\cfg\mycacerts to the command
line), it doesn't work. It seems it's simply ignored; I can pass anything in this
property and no errors will happen. My example cacerts file is fine: when I put it
in <JavaHome>\lib\security\ as cacerts or jssecacerts my example works fine!
I think any client/server SSL example that uses a home-made cacerts file will do.
The trace information says that the server's certificate is unknown.
(Review ID: 106175)
======================================================================