Hi Niklas

Done. Thanks

Rory

Niklas Gustavsson wrote:
Thanks, making that settable makes a lot of sense. Would you mind doing the same thing for the KeyManager as that would make client auth possible? At least I'm not able to get it working without one :-)

I'm attaching the patch I use for the client auth tests in FtpServer.

/niklas

Rory Winston wrote:
Niklas

The current FTPSTrustManager implementation is a little bit sketchy - maybe we could default to a more comprehensive validity check. I have added the facility to plug in a custom trust manager to the FTPSClient, as follows:

FTPSClient client = new FTPSClient();

client.setTrustManager(new X509TrustManager() {

    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        ...
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        ...
    }

    public X509Certificate[] getAcceptedIssuers() {
        ...
    }
});

Thanks for the patch, by the way.

Cheers
Rory


Niklas Gustavsson wrote:
Hi

I'm trying to create tests for client authentication for Apache FtpServer. For this I'm using commons-net as the client but am running into problems with the client auth support in FTPSClient. I'm setting setNeedClientAuth(true) but still get problems due to FTPSClient sending a null certificate chain. How should I set up my keystore so that FTPSClient finds it and can use it to send the correct certificate to the server for authentication? I've tried with the javax.net.ssl.keyStore system property but to no avail.

Also, if I understand the current implementation of FTPSClient and FTPSTrustManager correctly, it only checks if the server certificate is valid, not if it's trusted. Is this correct? If so, this would probably be a security issue in that a fake server serving up any valid certificate would be trusted by the client. Is this the intended behavior?

/niklas


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
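Putting the two plug-in points together (setTrustManager from Rory's message and the setKeyManager the attached patch adds): an added example, not code from this thread or from commons-net, that builds the client KeyManager from a keystore and a chain-validating TrustManager from a truststore, instead of the validity-only check Niklas describes. The file names, password, host and login credentials are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.net.ftp.FTPSClient;

public class FtpsMutualAuthExample {
    /** KeyManager backed by the keystore holding the client certificate and private key. */
    static KeyManager clientKeyManager(String path, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        return kmf.getKeyManagers()[0];
    }

    /** TrustManager that validates the server chain against the truststore, not merely its validity dates. */
    static TrustManager serverTrustManager(String path, char[] storePass) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ts.load(in, storePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf.getTrustManagers()[0];
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // placeholder password
        FTPSClient client = new FTPSClient();
        // Both managers are read when the SSLContext is initialised during connect(), so set them first.
        client.setKeyManager(clientKeyManager("client.p12", pw, pw));       // placeholder keystore
        client.setTrustManager(serverTrustManager("truststore.jks", pw));   // placeholder truststore
        client.connect("ftps.example.test", 21); // placeholder host
        try {
            if (!client.login("user", "password")) throw new IOException("login failed: " + client.getReplyString());
            client.execPBSZ(0);
            client.execPROT("P"); // protect the data channel as well as the control channel
            client.enterLocalPassiveMode();
            for (String name : client.listNames()) System.out.println(name);
            client.logout();
        } finally {
            client.disconnect();
        }
    }
}
```

The truststore-backed TrustManager checks that the chain leads to a trusted anchor but not that the certificate's name matches the host; that check has to be added separately where the deployment needs it.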





------------------------------------------------------------------------

Index: src/main/java/org/apache/commons/net/ftp/FTPSClient.java
===================================================================
--- src/main/java/org/apache/commons/net/ftp/FTPSClient.java    (revision 
479111)
+++ src/main/java/org/apache/commons/net/ftp/FTPSClient.java    (working copy)
@@ -23,6 +23,7 @@
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
+import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLServerSocketFactory;
@@ -80,6 +81,9 @@
     /** The FTPS [EMAIL PROTECTED] TrustManager} implementation. */
     private TrustManager trustManager = new FTPSTrustManager();
+ /** The [EMAIL PROTECTED] KeyManager} */
+    private KeyManager keyManager;
+
     /**
      * Constructor for FTPSClient.
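Review bot: the Javadoc on the new keyManager field says nothing beyond its type, and the field has no initialiser, so its null state is undocumented. Suggest stating what null means, e.g. `/** The KeyManager that supplies the client certificate for TLS client authentication; null means no certificate is presented. */`, mirroring the existing comment style on the trustManager field above it.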
* @throws NoSuchAlgorithmException A requested cryptographic algorithm @@ -194,10 +198,10 @@
         planeSocket = _socket_;
try {
-                       context.init(null, new TrustManager[] { 
getTrustManager() } , null);
-               } catch (KeyManagementException e) {
-                       e.printStackTrace();
-               }
+            context.init(new KeyManager[] {keyManager}, new TrustManager[] { 
getTrustManager() } , null);
+        } catch (KeyManagementException e) {
+            e.printStackTrace();
+        }
SSLSocketFactory ssf = context.getSocketFactory();
         String ip = _socket_.getInetAddress().getHostAddress();
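Review bot: `context.init(new KeyManager[] {keyManager}, ...)` wraps the field unconditionally, so a client that never called setKeyManager now passes an array whose only element is null; whether a provider tolerates a null array element is not guaranteed by the SSLContext contract, while a null array is the documented "use the default" value. Suggest `KeyManager[] kms = keyManager == null ? null : new KeyManager[] { keyManager };` and passing `kms`. While these lines are being rewritten, the catch block still only calls e.printStackTrace() on KeyManagementException and then carries on with an uninitialised context; propagating the failure to the caller would be safer than continuing.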
@@ -479,6 +483,22 @@
                this.trustManager = trustManager;
        }
+ /**
+     * Get the currently configured [EMAIL PROTECTED] KeyManager}.
+ * + * @return the keyManager
+     */
+    public KeyManager getKeyManager() {
+        return keyManager;
+    }
+
+    /**
+     * Set a [EMAIL PROTECTED] KeyManager} to use
+ * + * @param keyManager The KeyManager implementation to set.
+     */
+    public void setKeyManager(KeyManager keyManager) {
+        this.keyManager = keyManager;
+    }
- } ------------------------------------------------------------------------
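Review bot: the setKeyManager Javadoc should say what the manager is for and when it is read: it supplies the certificate the client presents during the TLS handshake, and it is only consulted when the SSLContext is initialised (the context.init change earlier in this patch), so it has no effect on an already established connection and must be called before connecting. Also, the hunk ends with `- }` and no matching `+` line, which as shown would drop the closing brace; worth confirming that is an artefact of how the patch was mailed rather than the actual diff.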
