probing for server certificates in guanxi
Wed, Jul 26, 2006
I’m so fed up with truststores and exporting server certificates and importing them into truststores that I’ve now added probing to the Guanxi SSL layer. What does this mean? It means Guanxi now has a way to probe a server over HTTPS and extract its X509 certificate. Normally the JVM will reject the server if it can’t find its certificate when using the normal, or I should say custom, Guanxi TrustManager.
So I’ve added probing to the EntityConnection. When in probing mode, the new GuanxiX509ProbingTrustManager is used, which allows a connection to be made to a server via HTTPS without verifying the server’s certificate. Obviously, one should use probing with care and not when in full Shibboleth mode, since during the probe there is no check that the certificate you receive really belongs to the server you meant to talk to. However, it provides a way for the internal web services to grab the server’s cert, add it to their truststore and install themselves, all without any input from the user!
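As an added example (my own code, not Guanxi’s), here is what a probing TrustManager of this kind looks like, together with the step the post leaves to the operator: the probed certificate is only written into the truststore if its SHA-256 fingerprint matches one obtained out of band, which closes the window in which a probe could be fed someone else’s certificate. The class and method names, and the fingerprint parameter, are assumptions of this example.

```java
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class CertProbe {
    /** Records the server's chain instead of validating it. Only ever wired into the probe connection. */
    static final class ProbingTrustManager implements X509TrustManager {
        X509Certificate[] captured;
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException("probing trust manager never authenticates clients");
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
            captured = chain; // no validation: the probe's purpose is to see what the server presents
        }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** One TLS handshake with the probing manager; returns the leaf certificate the server presented. */
    static X509Certificate probe(String host, int port) throws Exception {
        ProbingTrustManager tm = new ProbingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            sock.startHandshake(); // drives checkServerTrusted; no application data is sent
        }
        if (tm.captured == null || tm.captured.length == 0) {
            throw new CertificateException("server presented no certificate");
        }
        return tm.captured[0];
    }

    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    /** Added safeguard (not in the post): pin only when the fingerprint matches one obtained out of band. */
    static void pin(X509Certificate cert, String expectedSha256, String storePath, char[] password) throws Exception {
        if (!sha256Fingerprint(cert).equalsIgnoreCase(expectedSha256)) {
            throw new CertificateException("probed certificate does not match the expected fingerprint");
        }
        KeyStore store = KeyStore.getInstance("JKS");
        store.load(null, password); // starts an empty store; load an existing file here to append to it
        store.setCertificateEntry(cert.getSubjectX500Principal().getName(), cert);
        try (FileOutputStream out = new FileOutputStream(storePath)) { store.store(out, password); }
    }
}
```

The probing SSLContext is used for the handshake in `probe` only; the real service connection should keep the normal, validating TrustManager backed by the truststore `pin` writes.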