[ https://issues.apache.org/jira/browse/DERBY-2803?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12506463 ]

Bernt M. Johnsen commented on DERBY-2803:
-----------------------------------------

I did not get any response on my last comment on this one. Should something be 
done with the docs or should this issue be closed?

> SSL certificate authentication succeeds unexpectedly
> ----------------------------------------------------
>
>                 Key: DERBY-2803
>                 URL: https://issues.apache.org/jira/browse/DERBY-2803
>             Project: Derby
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 10.3.0.0
>            Reporter: Rick Hillegas
>            Assignee: Bernt M. Johnsen
>             Fix For: 10.3.0.0
>
>
> The following bug report may simply be pilot error. I confess that I am 
> having a hard time understanding the user documentation for this feature. The 
> user documentation is found in the Derby Admin guide in the section titled 
> "SSL/TLS". My confusion arises from the fact that sometimes the documentation 
> talks about 3 SSL states (none, basic, peer) and sometimes the documentation 
> talks about 4 SSL states (none, basic, client certificate, server 
> certificate).
> I tried running an experiment in which the server was set up for "Basic SSL 
> encryption":
> 1) I successfully connected to the server when the client was set up for 
> "Basic SSL encryption". This I expected, so good.
> 2) I also successfully connected to the server when the client was set up for 
> "peer (server) authentication". This confused me because the client url was 
> requesting peer authentication but the server was booted with just basic ssl 
> authentication. That is, the client url requested "ssl=peerAuthentication" 
> but the server startup line requested "ssl=basic". I was surprised that the 
> two sides of the connection didn't have to agree on how much authentication 
> was going to be done.
> 3) I also successfully connected to the server when the client was set up for 
> "peer authentication on both sides". This really confused me: It seemed to me 
> that there were 2 certificates involved, but the server, via its startup 
> properties, should only have been aware of one of these certificates, viz., 
> the certificate identified by the javax.net.ssl.keyStore properties.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.