Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 345655

Summary: Remove PKIX Validation performed on Server certificate
Product: [RT] Jetty Reporter: Chad La Joie <clajoie>
Component: serverAssignee: Michael Gorovoy <mgorovoy>
Status: RESOLVED WONTFIX QA Contact:
Severity: normal    
Priority: P3 CC: gregw, gunnar, jetty-inbox, mgorovoy
Version: unspecified   
Target Milestone: 7.2.x   
Hardware: PC   
OS: Mac OS X - Carbon (unsup.)   
Whiteboard:

Description Chad La Joie CLA 2011-05-12 16:05:32 EDT 
Build Identifier: 7.3.1

The SslContextFactory#createSSLContext method attempts to validate the server's end-entity certificate.  In general servers don't do this because the resulting answer is meaningless.  It's up to the client to decide whether they trust the server's certificate.  In addition, if the server uses a self-signed certificate this check is going to fail.  I recommend removing it all together.

Reproducible: Always
Comment 1 Michael Gorovoy CLA 2011-05-12 20:55:45 EDT 
Validation of the server's SSL certificate is mandated in high security environments that require validating the certificate before connector is started to ensure that it's certification path contains only trusted intermediate Certificate Authorities, that it is already valid, has not expired, and hasn't been revoked.

We will address the issue that the server's SSL certificate validation is coupled with client certificate validation in bug 345656.
Comment 2 Chad La Joie CLA 2011-05-12 21:07:35 EDT 
It's fine to keep it, but just to be clear, that check in no way effects security. It is entirely meaningless except, perhaps, for debug purposes.
Comment 3 Greg Wilkins CLA 2011-05-16 23:33:17 EDT 
Chad,

it does affect security a little bit... if only in a human factors way.   If you are able to start a server with known invalid certificates, then users are often dumb enough to just accept the warnings and add a security exception to their browsers.

cheers