[QFJ-256] SSLContextFactory doesn't support custom trust stores Created: 02/Oct/07  Updated: 29/May/17  Resolved: 29/May/17

Status: Closed
Project: QuickFIX/J
Component/s: Networking
Affects Version/s: 1.3.0
Fix Version/s: 1.6.3

Type: Improvement Priority: Default
Reporter: James Furness Assignee: Marcin L
Resolution: Duplicate Votes: 1
Labels: None
Environment:

WinXP SP2, jdk1.5.0_11, QuickFIXJ 1.3.0


Issue Links:
Duplicate
duplicates QFJ-821 Quickfix/J Server should validate SSL... Closed

 Description   

SSLContextFactory is able to load a custom keystore into the KeyManagerFactory to send a certificate to the other party. However, it is not able to load a custom truststore into the TrustManagerFactory, instead it uses SimpleTrustManagerFactory which accepts any certificate sent by the other party.

This has no impact on the ability to connect since all connections will be accepted, however it seems to leave the connection open to a man-in-the-middle attack.

Although the chances of this happening are remote, it would be good to be able to specify a custom truststore.

This could be achieved by using TrustManagerFactory.getInstance(...) instead of SimpleTrustManagerFactory.X509_MANAGERS and specifying the trust store using system properties (As mentioned here http://www.nabble.com/SSL-with-QuickFIX-J-1.1.0-t3758073.html).

Alternatively, possibly better would be to use the existing configuration files, and load a configured trust store into the TrustManagerFactory something like this:

----------------
// initialise the TrustManagerFactory and load our keystore into it
trustManagerFactory = TrustManagerFactory.getInstance(trustAlgorithm);

FileInputStream trustInputStream = new FileInputStream(trustFile);
KeyStore keystore = KeyStore.getInstance("jks");
keystore.load(trustInputStream, trustPass.toCharArray());
trustInputStream.close();

// Initialise TrustManagerFactory with this KeyStore
trustManagerFactory.init(keystore);
----------------

This can then be passed to SSLContext.init() instead of SimpleTrustManagerFactory.X509_MANAGERS.

Thanks,
James


Generated at Sat Nov 23 07:34:17 UTC 2024 using JIRA 7.5.2#75007-sha1:9f5725bb824792b3230a5d8716f0c13e296a3cae.