1

I have a client/server process with one server and one client.

The connect setup looks like:

System.setProperty("javax.net.ssl.trustStore", "path/to/store"); 
System.setProperty("javax.net.ssl.trustStorePassword", "passwd");
SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
sslsocket = (SSLSocket) sslsocketfactory.createSocket(InetAddress.getLocalHost(), port);

1:1, this works fine. Now I am expanding it such that the server is listening on multiple ports for multiple clients. Each client that connects to the server should do so on a specific port with a specific truststore.

If I register two trust stores on the server side, when I try to make the client connection I get the error:

javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown Received fatal alert: certificate_unknown

I've been looking through stack overflow for an example, but everything seems overly complicated. Is there a simple way to manage this? Or a compelling reason that one process shouldn't use multiple key stores?

Roman C
  • 49,761
  • 33
  • 66
  • 176
  • Why? Either a certificate is trusted or it isn't.ports have nothing to do with it. It sounds as though you are trying to use authentication as a means of enforcing authorization, with different ports having different authorization requirements. That's not what PKI authentication is for. – user207421 Jan 10 '13 at 20:48
  • You are right, I was hoping that each client would be able to connect with a different keystore and password to keep the two clients as separate as possible. Perhaps some kind of authorization setup would be more appropriate –  Jan 11 '13 at 21:07

1 Answers1

1

I don't think using your method this is possible. Since you are setting a system property (which is a hashtable), the last one you write will overwrite the earlier ones.

But also, I do not understand the usecase. In general truststore is a client side concept. It is about determining what server to trust. Most of the time (unless you are using certificate based authentication) a client's trustworthiness is not relevant.

Having said this, it is possible to set different keystores for different ports. In tomcat, for instance

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
       maxThreads="150" scheme="https" secure="true"
       keystoreFile="${user.home}/.keystore1"
       keystorePass="changeit"
       clientAuth="false" sslProtocol="TLS" />

The above snippet states that on port 443 ~/.keystore1 should be used. On another port, keystore2 could be used.

Should you want to use client authentication, you can force the client to send a certificate, in the above example by setting clientAuth to true, and adding truststoreFile and truststorePass.

Digging in tomcat's source code may help you in setting up your environment. In particular the file java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java will perhaps have exactly what you want.

Virtually Real
  • 1,572
  • 4
  • 16
  • 20