In looking through some of the code, it does appear that the TrustManagerFactory (the factory which determines whether client certificates are valid) is initialized from the same keystore file that the KeyManagerFactory (the store which contains the server cert) is built from. So if you put your CA public X.509 certificates in there, it should pick them up from there.
One thing that would be good is to allow for a different SSL implementation. Though it is an interface (ISsl) that is implemented by SSL, there is no way to change the implementation used. Locally, I've tried changing FtpSocketFactory to read an additional ssl-impl element out of the ssl configuration to use my own LdapSsl ISsl implementation, which will allow me to specify a separate truststore file and also to integrate with an LDAP CertStore for CRL checking. It is still a work in progress, but I will report back if I can get client authentication working properly. Without any of these changes, I think I did get client authentication working, but in that case I think I had put the client's certificate into my keystore file (the same one which held my server certificate).

Gary

-----Original Message-----
From: Gusti Benawi [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 26, 2006 8:43 AM
To: [email protected]
Subject: Re: FTP client validation question

> I'm not sure I understand why you need to use all these steps. All you
> need are a standard JKS keystore and truststore. FtpServer uses the
> normal JSSE support in the JRE so I don't believe we do anything funky
> (but I might be missing something).

You said that what I need is a standard keystore and truststore. IIRC, the truststore is a file in which the certificates of the clients are saved? Also, in the FTP configuration I can define which keystore file should be used, but there is no option for a truststore, so where is this supposed to be done?

If the server needs client authentication, what is the server expecting to receive from the client? I tried to set up the client to feed it a file containing the private key and certificate in PEM format, which is already imported in the keystore, but I have had no luck at all. Since Rana wrote that client authentication has not been tested at all, could it be that client authentication does not work as expected at all?
Thank you in advance,
Gusti Benawi
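To make concrete what Gary describes above (one JKS file feeding both the KeyManagerFactory and the TrustManagerFactory), here is an added example of the plain JSSE setup that arrangement amounts to. It is not FtpServer code and not code from anyone in this thread; the file name server.jks, the port 2121 and the password "changeit" are placeholders. The server's private key lives in the keystore as a key entry, and the CA certificates that sign client certificates are imported into the same file as trusted-cert entries (with keytool -importcert, for example). The check before the handshake lists those trusted entries, because a keystore that holds only the server key will accept no client certificate at all.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not FtpServer code: a server-side SSLContext where the key
 * manager (server private key + cert chain) and the trust manager (CA certs
 * used to validate client certs) are both loaded from ONE JKS file.
 * Paths, port and passwords are assumed placeholders.
 */
public class SingleKeystoreClientAuth {

    static KeyStore loadKeyStore(String path, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    /**
     * Sanity check: the CA that issued the client certificates must be present
     * as a trusted-cert entry, otherwise every client handshake will be rejected.
     */
    static int countTrustedEntries(KeyStore ks) throws Exception {
        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("trusted entry '" + alias + "': " + c.getSubjectX500Principal());
                count++;
            }
        }
        if (count == 0) {
            throw new IllegalStateException(
                "keystore has no trusted-cert entries; client authentication cannot succeed");
        }
        return count;
    }

    static SSLContext buildServerContext(String keystorePath, char[] storePass, char[] keyPass)
            throws Exception {
        KeyStore ks = loadKeyStore(keystorePath, storePass);
        countTrustedEntries(ks);

        // Key entries in the file: the server's own private key and certificate chain.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);

        // Same file: its trusted-cert entries are what the client certificate must chain to.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildServerContext("server.jks",
                "changeit".toCharArray(), "changeit".toCharArray());
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(2121)) {
            // Require a client certificate; with setWantClientAuth the handshake
            // would still complete for clients that present none.
            server.setNeedClientAuth(true);
            System.out.println("listening on 2121, client certificate required");
            server.accept().close();
        }
    }
}
```

A client talking to this server must present a certificate whose chain ends in one of the trusted entries; a PEM key and certificate alone will not do, they first have to be converted into a key entry in a JKS (or PKCS#12) store that the client-side KeyManagerFactory can load.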
