2 way ssl: self signed certificate in truststore #12148
Comments
|
Jetty 11 is now at EOSL (End of Service/Support Life), you should be using a supported version of Jetty now, which is Jetty 12 as of today. |
This is what Why did you set it to true? |
|
At first we have a connection object and the same connection is used to get the SSL configuration for Jetty. If the hostname verifier in the connection object is set to DefaultHostnameVerifier, only then we set the validateCerts=true in Jetty's SSL configuration. So, the validateCerts=true is used to validate the client certificate only? What is the effect if we set it to false? |
|
Validation of the peer certificates is performed elsewhere, and at a different time than startup. |
|
Thanks @sbordet for the clarification. |
Jetty Version: 11.0.17
Java 11
We were trying to achive 2 way SSL and configured the keystore, truststore and the certificate alias in SslContextFactory.Client. We also set ValidateCerts to true.
What we observe is if the self signed client certificate is not present in the truststore, Jetty is throwing error "unable to find valid certification path to requested target". And this is happening even before any commnucation is started with the backend.
It is unconventional to require a client to import its own certificate into its truststore. The trsutstore should have server's certificates from the backends.
If we set ValidateCerts to false then this issue goes away. So I just wanted to confirm this Jetty behavior that why it expects client to have its own certificate in the truststore.
The text was updated successfully, but these errors were encountered: