[teiid-issues] [JBoss JIRA] (TEIID-4080) SSL - client accepts server's certificate even if server's root CA is expired
[
https://issues.jboss.org/browse/TEIID-4080?page=com.atlassian.jira.plugin...
]
Steven Hawkins updated TEIID-4080:
----------------------------------
Issue Type: Enhancement (was: Bug)
Priority: Major (was: Blocker)
This is not a bug, but an enhancement. Just like Postgres our default has been to not
validate certificates. It would take new settings to require validation similar to the
verify-ca / verify-full.
SSL - client accepts server's certificate even if server's
root CA is expired
-----------------------------------------------------------------------------
Key: TEIID-4080
URL: https://issues.jboss.org/browse/TEIID-4080
Project: Teiid
Issue Type: Enhancement
Affects Versions: 8.12.5
Reporter: Juraj DurĂ¡ni
Assignee: Steven Hawkins
Attachments: keystore_client.jks, keystore_server_root_expired.jks,
truststore.jks, truststore_expired.jks
If SSL is enabled (1-way or 2-way) server provides to the client certificate which must
be signed by valid certificate of trusted CA.
If server provides certificate which is signed by certificate of root CA which already
expired client accepts this certificate. Client should not accept such certificate.
This affects 1-way and 2-way authentication modes.
On the client side, paths are set using teiid-specific properties:
{code:java}
System.setProperty("org.teiid.ssl.keyStore", clientKeystorePath);
System.setProperty("org.teiid.ssl.keyStorePassword",
"keystorepswd");
System.setProperty("org.teiid.ssl.keyAlias", "client");
System.setProperty("org.teiid.ssl.keyPassword", "keystorepswd");
System.setProperty("org.teiid.ssl.trustStore", clientTruststorePath);
System.setProperty("org.teiid.ssl.trustStorePassword",
"truststorepswd");
{code}
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)