Bug 329746 - Jetty Client - HTTPS: Impossible to set only a truststore to the Jetty client
Status: CLOSED FIXED
Product: Jetty
Classification: RT
Component: client
Version: 7.2.0
Hardware: All / All
Importance: P3 enhancement
Target Milestone: 7.1.x
Assignee: Jesse McConnell
Reported: 2010-11-09 04:55 EST by nicolas.oddoux
Modified: 2011-01-12 12:26 EST
Description nicolas.oddoux 2010-11-09 04:55:22 EST
It is not possible to set only a truststore to the Jetty client (without a keystore).

In some cases an HTTP client checks certificates from the HTTPS server but the HTTPS server does not want to authenticate the client. Consequently it must be possible to set only a truststore to the Jetty client. It is the case on all e-commerce websites (the web browser authenticates the e-commerce website thanks to its certificate but the client is not authenticated by the e-commerce website).

Currently when only the truststore parameters are set (following code), all server certificates are accepted. It should not be the case: only the certificates in the truststore should be accepted.

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import org.eclipse.jetty.client.ContentExchange;
import org.eclipse.jetty.client.HttpClient;

public class TrustStoreOnlyClient {
    public static void main(String[] args) throws Exception {
        // Request body; the report did not show how 'is' was built, so a placeholder stream is used here
        InputStream is = new ByteArrayInputStream("<request/>".getBytes("UTF-8"));

        final HttpClient client = new HttpClient();

        // Only the truststore is configured: no keystore location, password or type
        client.setTrustStoreLocation("/home/user/clientTruststore.jks");
        client.setTrustStorePassword("password");
        client.setTrustStoreType("JKS");
        client.start();

        ContentExchange exchange = new ContentExchange();
        exchange.setMethod("POST");
        exchange.setURL("https://localhost:8083/petals/services/TestServiceHTTPSByPetals");
        exchange.setRequestContentSource(is);

        client.send(exchange);
        exchange.waitForDone();   // block until the exchange completes or fails
        client.stop();
    }
}
Comment 1 Jesse McConnell 2011-01-12 12:20:53 EST
hm, this would be because currently the getSSLContext() method checks for the presence of a keystore location and keystore input stream to determine if it needs to use the Strict or Loose ssl context...

so you're falling subject to the loose ssl context when no keystore is specified

when making the strict ssl context we check to see if the trust store has been set and if not then we default it to the set keystore

So one option to get around this right away would be to set your truststore as the keystore as well, or specify a keystore with nothing in it.

that being said, I'll commit something in a bit that reworks this so a strict ssl context is used if either a keystore or a truststore is set.

I'll keep the existing bit about the keystore being used as trust store if trust store doesn't exist but add in the ability to specify just the trust store.

should be committed once these tests have finished running
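A check worth running after applying the workaround above (added example, not code from the bug report or from Jetty itself): configure a Jetty 7 HttpClient with the truststore also set as the keystore, then confirm that a server whose certificate is not in that truststore is actually rejected rather than silently accepted by the loose SSL context. The class name, the truststore path and the untrusted URL are assumptions; any HTTPS endpoint presenting a certificate absent from the truststore will do.

```java
import org.eclipse.jetty.client.ContentExchange;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.HttpExchange;

/**
 * Added example (not part of the bug report): verifies that a Jetty 7 HttpClient
 * rejects a server whose certificate is absent from its truststore instead of
 * falling back to the "loose" SSL context that trusts everything.
 */
public class TrustStoreCheck {

    // Workaround from comment 1: point the keystore at the truststore file as well,
    // so getSSLContext() sees a keystore and builds the strict SSL context.
    static HttpClient strictClient(String trustStorePath, String password) throws Exception {
        HttpClient client = new HttpClient();
        client.setTrustStoreLocation(trustStorePath);
        client.setTrustStorePassword(password);
        client.setTrustStoreType("JKS");
        client.setKeyStoreLocation(trustStorePath);  // same file: holds no client key, only triggers strict mode
        client.setKeyStorePassword(password);
        client.setKeyManagerPassword(password);
        client.start();
        return client;
    }

    // true if the TLS handshake and the HTTP exchange completed, false if the exchange failed.
    static boolean exchangeCompletes(HttpClient client, String url) throws Exception {
        ContentExchange exchange = new ContentExchange();
        exchange.setMethod("GET");
        exchange.setURL(url);
        client.send(exchange);
        return exchange.waitForDone() == HttpExchange.STATUS_COMPLETED;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: a truststore that does NOT contain the certificate served at untrustedUrl.
        String trustStore = "/home/user/clientTruststore.jks";
        String untrustedUrl = "https://localhost:8443/";  // placeholder: server with a self-signed cert
        HttpClient client = strictClient(trustStore, "password");
        try {
            if (exchangeCompletes(client, untrustedUrl)) {
                System.out.println("FAIL: server not in the truststore was accepted (loose SSL context)");
            } else {
                System.out.println("OK: untrusted server rejected");
            }
        } finally {
            client.stop();
        }
    }
}
```

A failed exchange also results when the server is simply down, so run the check against a server known to be listening; against the same server with its certificate imported into the truststore, the exchange should complete.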
Comment 2 Jesse McConnell 2011-01-12 12:26:06 EST
[rune]trunks/jetty> svn commit -m "Bug 329746 client option to set just truststore and use strict ssl context" jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java VERSION.txt
Sending        VERSION.txt
Sending        jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java
Transmitting file data ..
Committed revision 2655.

should be available in the jetty-7.3.0 release coming up in a couple of weeks