
Bug 329746

Summary: Jetty Client - HTTPS: Impossible to set only a truststore to the Jetty client
Product: [RT] Jetty    Reporter: nicolas.oddoux
Component: client    Assignee: Jesse McConnell <jesse.mcconnell>
Status: CLOSED FIXED QA Contact:
Severity: enhancement    
Priority: P3 CC: jesse.mcconnell, jetty-inbox
Version: 7.2.0   
Target Milestone: 7.1.x   
Hardware: All   
OS: All   
Whiteboard:

Description nicolas.oddoux CLA 2010-11-09 04:55:22 EST
It is not possible to set only a truststore to the Jetty client (without a keystore). 

In some cases an HTTP client checks certificates from an HTTPS server but the HTTPS server does not want to authenticate the client. Consequently it must be possible to set only a truststore to the Jetty client. This is the case on all e-commerce websites (the web browser authenticates the e-commerce website thanks to its certificate, but the client is not authenticated by the e-commerce website).

Currently when only the truststore parameters are set (following code), all the server certificates are accepted. It should not be the case, only the certificates in the truststore should be accepted.

// Reporter's snippet, made compilable as a class: imports added and the request
// body stream `is`, which the original referenced without declaring, is defined.
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import org.eclipse.jetty.client.ContentExchange;
import org.eclipse.jetty.client.HttpClient;

public class TruststoreOnlyClient {
    public static void main(String[] args) throws Exception {
        // Request body to POST (placeholder content).
        InputStream is = new ByteArrayInputStream("<request/>".getBytes("UTF-8"));

        final HttpClient client = new HttpClient();

        // Only truststore settings are given; no keystore is configured.
        client.setTrustStoreLocation("/home/user/clientTruststore.jks");
        client.setTrustStorePassword("password");
        client.setTrustStoreType("JKS");
        client.start();

        ContentExchange exchange = new ContentExchange();
        exchange.setMethod("POST");
        exchange.setURL("https://localhost:8083/petals/services/TestServiceHTTPSByPetals");
        exchange.setRequestContentSource(is);

        client.send(exchange);
        exchange.waitForDone();
        client.stop();
    }
}
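The behaviour the report asks for, a client that verifies the server against a truststore and presents no client certificate, can be checked independently of Jetty with plain JSSE. The following is an added example, not code from the bug report or from Jetty: it builds a trust-only SSLContext (null KeyManagers, so no keystore at all), then asks the trust manager whether a given server certificate would be accepted, once against the populated truststore and once against an empty one. The truststore path, password and server certificate PEM are assumed to be passed as arguments; the truststore type is assumed to be JKS as in the report.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TrustOnlySslContext {

    // Load a keystore file of the given type (assumed JKS here, as in the report).
    static KeyStore loadKeyStore(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Trust managers derived from a truststore only; no keystore is involved.
    static TrustManager[] trustManagersFrom(KeyStore trust) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        return tmf.getTrustManagers();
    }

    // An SSLContext that verifies the server against the truststore and never presents
    // a client certificate: the KeyManager array is deliberately null.
    static SSLContext trustOnlyContext(KeyStore trust) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustManagersFrom(trust), null);
        return ctx;
    }

    // Ask the trust manager the question the TLS handshake will ask: would this server
    // chain be accepted? Any failure (CertificateException, or the RuntimeException the
    // PKIX validator raises when it has no trust anchors) counts as rejection.
    static boolean accepts(TrustManager[] tms, X509Certificate[] chain) {
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) {
                try {
                    String authType = chain[0].getPublicKey().getAlgorithm();
                    ((X509TrustManager) tm).checkServerTrusted(chain, authType);
                    return true;
                } catch (CertificateException | RuntimeException e) {
                    return false;
                }
            }
        }
        return false; // no X509TrustManager available: treat as untrusted
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustOnlySslContext <truststore.jks> <password> <server-cert.pem>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();
        KeyStore trust = loadKeyStore(args[0], password, "JKS");
        SSLContext ctx = trustOnlyContext(trust);
        System.out.println("trust-only SSLContext built for protocol " + ctx.getProtocol());

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate server;
        try (InputStream in = new FileInputStream(args[2])) {
            server = (X509Certificate) cf.generateCertificate(in);
        }
        X509Certificate[] chain = { server };

        // 1. The populated truststore decides: accepted only if the chain anchors in it.
        System.out.println("populated truststore accepts server cert: "
            + accepts(trustManagersFrom(trust), chain));

        // 2. An empty truststore must reject everything. A client that reports "true"
        //    here is accepting any server, which is the defect the report describes.
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        System.out.println("empty truststore accepts server cert (expected false): "
            + accepts(trustManagersFrom(empty), chain));
    }
}
```

The second check is the useful one when auditing a client configuration: with an empty truststore, a correctly strict client rejects every server certificate, so "true" there means the trust settings are not being applied and the client is effectively in the permissive mode described in the report.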
Comment 1 Jesse McConnell CLA 2011-01-12 12:20:53 EST
hm, this would be because currently the getSSLContext() method checks for the presence of keystore location and keystore input stream to determine if it needs to use the Strict or Loose ssl context...

so you're falling subject to the loose ssl context when no keystore is specified

when making the strict ssl context we check to see if the trust store has been set and if not then we default it to the set keystore

So one option to get around this right away would be to set your truststore as the keystore as well, or specify a keystore with nothing in it.

that being said, I'll commit something in a bit that reworks this so a strict ssl context is used if either a keystore or a truststore is set.

I'll keep the existing bit about the keystore being used as trust store if trust store doesn't exist but add in the ability to specify just the trust store.

should be committed once these tests have finished running
Comment 2 Jesse McConnell CLA 2011-01-12 12:26:06 EST
[rune]trunks/jetty> svn commit -m "Bug 329746 client option to set just truststore and use strict ssl context" jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java VERSION.txt
Sending        VERSION.txt
Sending        jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java
Transmitting file data ..
Committed revision 2655.

should be available in jetty-7.3.0 release coming up in a couple of weeks