0

I'm writing a program to simulate a secure connection over SSL sockets. I want the client to import certificates that are not trusted (and hence not in its truststore) at their own discretion through an interface. These certificates are self-signed.

So far I have hit a wall, where the program crashes and reports Received fatal alert: certificate_unknown due to the fact that the server certificate doesn't reside in the client truststore.

I am simulating the connection locally. I've found examples where truststore managers are used explicitly to override all SSL checking, but this is wide open to MITM attacks.

I need to wrap the truststore manager implementation in some way to make it secure, and ensure server certificates are validated. The link here gives a good example of an open implementation, but I don't know how to wrap it securely.

In the case of the trustmanager implementation it will still fire a CertificateException when it locates an untrusted certificate (from its checkServerTrusted method), do I have to handle the exception yet continue execution of the program from there? I'm very unsure how to tackle this secure wrapping.

Many thanks all

Community
  • 1
  • 1
user1272525
  • 95
  • 6
  • 1
    The thing is that using self-signed certificates is also vulnerable to MITM attacks – andrershov Nov 13 '13 at 19:01
  • @andrershov Is that part of the underlying Java implementation of the library or the cipher suite type? Ultimately I want to make it more secure than open SSL connections – user1272525 Nov 13 '13 at 19:06
  • Where is a problem, when you're distributing self-signed certificate. There is a risk of MITM attack during distribution. But I agree when the client has a server certificate and he is sure that it's not faked, the connection would be secure – andrershov Nov 13 '13 at 19:18
  • Yes. I'm mimicking self-signed certificates from trusted and malicious parties. There will be a stage where the client needs to accept a genuine self-signed certificate, but it will originally be untrusted, and that's my dilemma. – user1272525 Nov 13 '13 at 19:31
  • 1
    Do you _really_ need to use self-signed certificates? It's quite easy (and free) to obtain a certificate at [CAcert](http://www.cacert.org/). – Steinar Nov 13 '13 at 20:02

0 Answers0