Certificate Validation

Steve_Reichert · November 3, 2004, 9:17pm

The current implementation of Smack (1.4.0) in SSLXMPPConnection, uses a default X509TrustManager, DummyTrustManager, that basically performs date validation.

Is there a way, or could a means be provided, that would allow us to implement our own "isServerTrusted() method? This would allow us to perform both more, or less validation.

Thanks,

Steve

matt · November 3, 2004, 9:20pm

Steve,

At the moment, your best bet would be to make your own version of SSLXMPPConnection based on the existing class. However, if you provide some more detail about the behavior you’‘re looking for, perhaps we could build that in as a standard option. For example, the SSL module could require that the cert chain be trusted according to the root CA’'s installed into the Java runtime.

Regards,

Matt

Steve_Reichert · November 3, 2004, 10:00pm

Matt,

Our situation is this: We’‘re deploy our client software to remote clients that in some cases have their date/time set days/months/years before the certificate is valid. Not exactly what we want to do, but in some cases it’‘s what happens. Since they’‘re remote, it’‘s not quite as easy as correcting the date/time on a desktop system. Also, we’'re in the process of syncing them with a time server, but that too is taking time.

So, I believe what we would like to do is probably supply our own custom X509TrustManager that also adhered to your interface (implement the required methods) that would allow us to bypass the date validation. Alternately if you provided a way to bypass it, that would work as well.

Thanks,

Steve

matt · November 3, 2004, 10:22pm

Steve,

I’'ll file a feature request to make this logic more pluggable.

Thanks,

-Matt

Steve_Reichert · November 4, 2004, 2:55pm

Matt,

Thanks for the update. When do you think this will be available? Will this be included in the next version of Smack (1.5.0)?

I’‘m trying to determine whether or not I need to alter the check in the current version (1.4.0) that we’'re using for the short term.

Thanks agin.

Steve

Steve_Reichert · November 4, 2004, 4:30pm

Matt,

Looks like I can track this through projects/issues portion of the web site. I see that SMACK-27 is this issue.

By the way, I hadn’‘t spent much time in this area of your site. It’'s very well done.

Steve

Steve_Reichert · March 31, 2005, 12:44pm

I see that Smack 1.5.0 has been released, but does not include SMACK-27, which would have allowed for pluggable certification validation. It appears that this will be included in 1.5.1. Is this the case?

Thanks,

Steve

Gaston_Dombiak · March 31, 2005, 6:01pm

Hey Steve,

Yep. If you follow the link to SMACK-27 you will see that this feature will be implemented for Smack 1.5.1.

Regards,

– Gato

matt · March 31, 2005, 6:46pm

Yeah, unfortunately there wasn’‘t time to get everything into the 1.5.0 release that we wanted to. However, we thought it was better to get the existing fixes out rather than delay longer. We’'ll try to follow-up with 1.5.1 fairly soon.

-Matt

John_Noftle · September 6, 2005, 4:55pm

I am using the 2.0.0 libray but can’'t seem to see in the API how to use this enhancement (Assuming it has been done)

Basically I am looking for a simple way to not require any certicate for an SSL connection, instead of altering the isServerTrusted method to always return true.

Thanks