I open a secure SSL socket for port 12345 on my server. I am currently using a self-signed certificate. I installed the certificate in the keystore and client client store; subtle, blah blah noise.
I built this example: http://www.exampledepot.com/egs/javax.net.ssl/Client.html
The client correctly checks whether the server has a signed certificate. The client does NOT seem to check that the CN (Common Name) certificate name provided matches the host name of the server I'm connecting to. Obviously, it is not difficult to get a signed certificate if there is no requirement that it matches the requested domain.
When I install my certificate (using keytool --import), do I install it as a certificate at the root level? Do I need to sign a second certificate using the primary key of the first certificate? Why does TrustManager not check the common name?
I hope this made sense, and I don't overdo it.
Thanks!
UPDATE: Looks like Java SSL might require manual certificate verification? ( http://www.java2s.com/Open-Source/Java-Document/Net/Apache-common-HttpClient/org/apache/commons/httpclient/contrib/ssl/StrictSSLProtocolSocketFactory.java.htm ) Is this really so? I expected that the default would be safe, and something less would require an explicit override. I am surprised. Can someone confirm?
source share