Thanks, making that settable makes a lot of sense. Would you mind doing
the same thing for the KeyManager as that would make client auth
possible? At least I'm not able to get it working without one :-)
I'm attaching the patch I use for the client auth tests in FtpServer.
/niklas
Rory Winston wrote:
Niklas
The current FTPSTrustManager implementation is a little bit sketchy -
maybe we could default to a more comprehensive validity check. I have
added the facility to plug in a custom trust manager to the FTPSClient,
as follows:
FTPSClient client = new FTPSClient();
client.setTrustManager(new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
...
}
public void checkServerTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
...
}
public X509Certificate[] getAcceptedIssuers() {
...
}
});
Thanks for the patch, by the way.
Cheers
Rory
Niklas Gustavsson wrote:
Hi
I'm trying to create tests for client authentication for Apache
FtpServer. For this I'm using commons-net as the client but is running
into problems with the client auth support in FTPSClient. I'm setting
setNeedClientAuth(true) but still get problems due to FTPSClient
sending a null certificate chain. How should I set up my keystore so
that FTPSClient finds it and can use it to send the correct
certificate to the server for authentication? I've tried with the
javax.net.ssl.keyStore system property but to no avail.
Also, if I understand the current implementation of FTPSClient and
FTPSTrustManager. From what I can understand, the implementation only
checks if the service certificate is valid, not if it's trusted. Is
this correct? If so, this would probably be a security issue in that a
fake server serving up any valid certificate would be trusted by the
client. Is this the intended behavior?
/niklas
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Index: src/main/java/org/apache/commons/net/ftp/FTPSClient.java
===================================================================
--- src/main/java/org/apache/commons/net/ftp/FTPSClient.java (revision
479111)
+++ src/main/java/org/apache/commons/net/ftp/FTPSClient.java (working copy)
@@ -23,6 +23,7 @@
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
+import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocketFactory;
@@ -80,6 +81,9 @@
/** The FTPS [EMAIL PROTECTED] TrustManager} implementation. */
private TrustManager trustManager = new FTPSTrustManager();
+ /** The [EMAIL PROTECTED] KeyManager} */
+ private KeyManager keyManager;
+
/**
* Constructor for FTPSClient.
* @throws NoSuchAlgorithmException A requested cryptographic algorithm
@@ -194,10 +198,10 @@
planeSocket = _socket_;
try {
- context.init(null, new TrustManager[] {
getTrustManager() } , null);
- } catch (KeyManagementException e) {
- e.printStackTrace();
- }
+ context.init(new KeyManager[] {keyManager}, new TrustManager[] {
getTrustManager() } , null);
+ } catch (KeyManagementException e) {
+ e.printStackTrace();
+ }
SSLSocketFactory ssf = context.getSocketFactory();
String ip = _socket_.getInetAddress().getHostAddress();
@@ -479,6 +483,22 @@
this.trustManager = trustManager;
}
+ /**
+ * Get the currently configured [EMAIL PROTECTED] KeyManager}.
+ *
+ * @return the keyManager
+ */
+ public KeyManager getKeyManager() {
+ return keyManager;
+ }
+
+ /**
+ * Set a [EMAIL PROTECTED] KeyManager} to use
+ *
+ * @param keyManager The KeyManager implementation to set.
+ */
+ public void setKeyManager(KeyManager keyManager) {
+ this.keyManager = keyManager;
+ }
-
}
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]