Teiid / TEIID-4081

SSL - server accepts any client certificate


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Blocker
    • Affects Version/s: 8.12.5

      VDB:

      <vdb name="test" version="1">
          <model name="Source" type="VIRTUAL">
              <metadata type="DDL">
                  <![CDATA[
                  create view SmallA (id integer PRIMARY KEY) as select 1;
                  ]]>
              </metadata>
          </model>
      </vdb>
      
      1. untrusted
        • Server's keystore - keystore_server.jks (keystore password - keystorepswd)
        • Server's truststore - truststore.jks (keystore password - truststorepswd)
        • Client's keystore - keystore_client_untrusted.jks (keystore password - keystorepswd)
        • Client's truststore - truststore.jks (keystore password - truststorepswd)
      2. expired
        • Server's keystore - keystore_server.jks (keystore password - keystorepswd)
        • Server's truststore - truststore.jks (keystore password - truststorepswd)
        • Client's keystore - keystore_client_expired.jks (keystore password - keystorepswd)
        • Client's truststore - truststore.jks (keystore password - truststorepswd)
      3. root expired
        • Server's keystore - keystore_server.jks (keystore password - keystorepswd)
        • Server's truststore - truststore_expired.jks (keystore password - truststorepswd)
        • Client's keystore - keystore_client_root_expired.jks (keystore password - keystorepswd)
        • Client's truststore - truststore.jks (keystore password - truststorepswd)

      keytool -list -keystore keystore_server.jks -storepass keystorepswd -v


      In 2-way authentication mode the client must provide a valid certificate to the server, but Teiid accepts any certificate the client provides, including a certificate that is:

      • expired
      • untrusted
      • signed by the certificate of a root CA which has already expired

      Teiid should reject such a client certificate and fail to establish the connection.
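      The check the report says is missing, as an added stand-alone illustration (this is not Teiid code): a Go program that constructs the report's three bad client certificates plus a good one and runs the verification a 2-way TLS server must perform against its truststore. Certificate names and validity windows are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a client-auth certificate for cn, signed by parent (nil parent = self-signed).
func mkCert(cn string, from, to time.Time, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to,
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, pkey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// pool wraps a single root certificate as a server truststore.
func pool(root *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(root); return p }
// verifyClient is what a 2-way TLS server must check: chain to a truststore root, every link valid at now.
func verifyClient(client *x509.Certificate, truststore *x509.CertPool, now time.Time) error {
	_, err := client.Verify(x509.VerifyOptions{Roots: truststore, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
// runScenarios builds the report's three bad client certificates plus a good one; true = rejected.
func runScenarios() map[string]bool {
	now, year := time.Now(), 365*24*time.Hour
	root, rootKey := mkCert("root CA", now.Add(-year), now.Add(year), true, nil, nil)
	oldRoot, oldKey := mkCert("expired root CA", now.Add(-2*year), now.Add(-year), true, nil, nil)
	good, _ := mkCert("client", now.Add(-time.Hour), now.Add(year), false, root, rootKey)
	expired, _ := mkCert("client", now.Add(-year), now.Add(-time.Hour), false, root, rootKey)
	untrusted, _ := mkCert("client", now.Add(-time.Hour), now.Add(year), false, nil, nil) // self-signed, in no truststore
	rootExpired, _ := mkCert("client", now.Add(-time.Hour), now.Add(year), false, oldRoot, oldKey)
	return map[string]bool{
		"valid":        verifyClient(good, pool(root), now) != nil,
		"expired":      verifyClient(expired, pool(root), now) != nil,
		"untrusted":    verifyClient(untrusted, pool(root), now) != nil,
		"root expired": verifyClient(rootExpired, pool(oldRoot), now) != nil,
	}
}
func main() { fmt.Println(runScenarios()) }
```

      A trust manager initialised from the server's truststore performs exactly this chain and validity check; a server that accepts all three bad cases is effectively running with a trust-all manager.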

      On the client side, the keystore and truststore paths are set using Teiid-specific system properties:

      System.setProperty("org.teiid.ssl.keyStore", clientKeystorePath);
      System.setProperty("org.teiid.ssl.keyStorePassword", "keystorepswd");
      System.setProperty("org.teiid.ssl.keyAlias", "client");
      System.setProperty("org.teiid.ssl.keyPassword", "keystorepswd");
      System.setProperty("org.teiid.ssl.trustStore", clientTruststorePath);
      System.setProperty("org.teiid.ssl.trustStorePassword", "truststorepswd");
      

      Attachments:

        1. keystore_client_expired.jks (4 kB)
        2. keystore_client_root_expired.jks (4 kB)
        3. keystore_client_untrusted.jks (4 kB)
        4. keystore_server.jks (4 kB)
        5. truststore_expired.jks (0.9 kB)
        6. truststore.jks (0.9 kB)

      Assignee: Steven Hawkins (rhn-engineering-shawkins)
      Reporter: Juraj Duráni (jdurani)
      Votes: 0
      Watchers: 3