[QFJ-256] SSLContextFactory doesn't support custom trust stores Created: 02/Oct/07 Updated: 29/May/17 Resolved: 29/May/17 |
|
Status: | Closed |
Project: | QuickFIX/J |
Component/s: | Networking |
Affects Version/s: | 1.3.0 |
Fix Version/s: | 1.6.3 |
Type: | Improvement | Priority: | Default |
Reporter: | James Furness | Assignee: | Marcin L |
Resolution: | Duplicate | Votes: | 1 |
Labels: | None | ||
Environment: |
WinXP SP2, jdk1.5.0_11, QuickFIXJ 1.3.0 |
Issue Links: |
|
Description |
SSLContextFactory is able to load a custom keystore into the KeyManagerFactory to send a certificate to the other party. However, it is not able to load a custom truststore into the TrustManagerFactory, instead it uses SimpleTrustManagerFactory which accepts any certificate sent by the other party. This has no impact on the ability to connect since all connections will be accepted, however it seems to leave the connection open to a man-in-the-middle attack. Although the chances of this happening are remote, it would be good to be able to specify a custom truststore. This could be achieved by using TrustManagerFactory.getInstance(...) instead of SimpleTrustManagerFactory.X509_MANAGERS and specifying the trust store using system properties (As mentioned here http://www.nabble.com/SSL-with-QuickFIX-J-1.1.0-t3758073.html). Alternatively, possibly better would be to use the existing configuration files, and load a configured trust store into the TrustManagerFactory something like this: ---------------- FileInputStream trustInputStream = new FileInputStream(trustFile); // Initialise TrustManagerFactory with this KeyStore This can then be passed to SSLContext.init() instead of SimpleTrustManagerFactory.X509_MANAGERS. Thanks, |