
When creating an SSL connection using Java we first initialize an SSLContext with our KeyStores and TrustStores. SSLContext in javax.net.ssl has a method called createSSLEngine() to create an SSLEngine. So when creating a session for the connection, the created SSLEngine will be used. My question is at which point of SSL protocol the keyManagers and TrustManagers from the KeyStores and TrustStores be used?

Thanks in advance.

Jeewantha
  • This is all described pretty clearly in the [JSSE Reference Guide](http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html). What part are you having trouble with? – user207421 Feb 27 '13 at 09:37
  • I need to know whether the usage of Trust stores is implemented in SSLEngine? If so, how? I'm asking this question because when I get the certificate chain from the client, the root certificate in the chain must be in the Truststore to make an SSL connection. I am not sure if this is implemented in SSL implementations in Java. – Jeewantha Feb 27 '13 at 10:16
  • It is. The SSLEngine performs the SSL handshake, verifies the peer certificates via the TrustManager, and makes an SSLSession containing the peer certificate available to the application. That's why the SSLEngine is created from an SSLContext, which has KeyManagers and TrustManagers. – user207421 Feb 27 '13 at 21:34

1 Answer


During the SSL handshake while establishing mutual trust and authenticity and creating an SSL session.

As to your second question, the standard JSSE trust manager considers a certificate chain trusted if at least one cert in the chain is trusted. It does not have to be the root cert. If you are absolutely sure that you have to establish validity and authenticity of the root cert, you should implement a custom TrustManager and use it instead of the default implementation.

ok2c
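The following is an added example, not code from the question or the answer above. It shows both points at once: the KeyManagers and TrustManagers go into `SSLContext.init(...)`, and the TrustManager is only invoked once `SSLEngine` is driven through the handshake (the `System.out` lines in the wrapper fire from inside `unwrap`). The wrapper also implements the answer's suggestion of a custom TrustManager that, after normal PKIX validation, additionally requires the chain's last certificate to be one of the truststore's anchors. It assumes two PKCS12 files, `identity.p12` (a key plus a chain that ends in the root) and `truststore.p12` (containing that root), both with the password `changeit`; these names and the password are assumptions for the example. Two engines from the same context handshake entirely in memory, with client authentication requested so that both `checkServerTrusted` and `checkClientTrusted` are exercised.

```java
import javax.net.ssl.*;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import java.io.FileInputStream;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class TrustManagerHandshakeDemo {

    /** Wraps the default X509TrustManager: logs when JSSE calls it during the
     *  handshake and additionally insists that the chain's last certificate is
     *  itself a trust anchor (the default accepts any chain that reaches an anchor). */
    static final class RootAnchoredTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        RootAnchoredTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        private void requireRootAnchor(X509Certificate[] chain) throws CertificateException {
            X509Certificate root = chain[chain.length - 1];
            if (!Arrays.asList(delegate.getAcceptedIssuers()).contains(root))
                throw new CertificateException("chain root not in truststore: " + root.getSubjectX500Principal());
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            System.out.println("checkServerTrusted called mid-handshake, chain length " + chain.length);
            delegate.checkServerTrusted(chain, authType);   // standard PKIX path validation first
            requireRootAnchor(chain);
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            System.out.println("checkClientTrusted called mid-handshake, chain length " + chain.length);
            delegate.checkClientTrusted(chain, authType);
            requireRootAnchor(chain);
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");          // assumed store format
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    /** KeyManagers (our identity) and TrustManagers (who we accept) are bound here. */
    static SSLContext context(KeyStore keys, char[] pw, KeyStore trust) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, pw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        TrustManager[] tms = tmf.getTrustManagers();
        for (int i = 0; i < tms.length; i++)
            if (tms[i] instanceof X509TrustManager) tms[i] = new RootAnchoredTrustManager((X509TrustManager) tms[i]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tms, null);
        return ctx;
    }

    static boolean done(SSLEngine e) {
        HandshakeStatus hs = e.getHandshakeStatus();
        return hs == HandshakeStatus.FINISHED || hs == HandshakeStatus.NOT_HANDSHAKING;
    }

    /** One handshake step: produce records, consume records, or run delegated tasks. */
    static void step(SSLEngine e, ByteBuffer in, ByteBuffer out, ByteBuffer app, ByteBuffer empty) throws SSLException {
        switch (e.getHandshakeStatus()) {
            case NEED_WRAP: e.wrap(empty, out); break;
            case NEED_UNWRAP: in.flip(); e.unwrap(in, app); in.compact(); break;   // trust manager runs in here
            case NEED_TASK: for (Runnable t; (t = e.getDelegatedTask()) != null; ) t.run(); break;
            default: break;
        }
    }

    /** Drives client and server engines through a handshake in memory (no sockets). */
    static void handshake(SSLEngine client, SSLEngine server) throws Exception {
        int net = Math.max(client.getSession().getPacketBufferSize(), server.getSession().getPacketBufferSize());
        int appSize = Math.max(client.getSession().getApplicationBufferSize(), server.getSession().getApplicationBufferSize());
        ByteBuffer cToS = ByteBuffer.allocate(net), sToC = ByteBuffer.allocate(net);
        ByteBuffer cApp = ByteBuffer.allocate(appSize), sApp = ByteBuffer.allocate(appSize), empty = ByteBuffer.allocate(0);
        client.beginHandshake(); server.beginHandshake();
        while (!done(client) || !done(server)) {
            step(client, sToC, cToS, cApp, empty);
            step(server, cToS, sToC, sApp, empty);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();                   // assumed password for both stores
        SSLContext ctx = context(load("identity.p12", pw), pw, load("truststore.p12", pw));
        SSLEngine client = ctx.createSSLEngine("localhost", 8443);  // peer host/port are advisory hints
        client.setUseClientMode(true);
        SSLEngine server = ctx.createSSLEngine();
        server.setUseClientMode(false);
        server.setNeedClientAuth(true);                          // forces checkClientTrusted to run too
        handshake(client, server);
        System.out.println("handshake done: " + client.getSession().getProtocol()
                + ", peer=" + client.getSession().getPeerPrincipal());
    }
}
```

Two things to note when adapting this: the root-anchor check rejects peers that omit the root from the chain they send (which is common and permitted), so decide deliberately whether that strictness is wanted; and the TrustManager only decides whether the chain is trusted, not whether it belongs to the host you intended to reach, so for real connections also enable endpoint identification via `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` on the engine.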