Another new keytool enhancement: -printcert -sslserver

Andreas has written a blog entry on retrieving certificates from an SSL server. Whenever I see someone asking this question on the Java forum I point the user to this entry. Now it's time for this function to be included in keytool.

Call keytool -printcert -sslserver sun.com to see what's shown.

During the implementation of this feature, there were some discussions on how the function should be invoked. Two topics are the most interesting:

What's the function name? At first, the plan was to add a new function that imports the certificate into a keystore. The command would look like "-importcert -sslserver". However, several problems arose:
  1. For a normal certificate file, you can first call -printcert on it, read it carefully, and then decide whether it can be imported. For a certificate from an SSL server, you can still call something like "-printcert -sslserver" on it, but do you dare call "-importcert -sslserver" after examining it carefully? No, because the SSL server is not controlled by you, and it might send out a different certificate in the second call. That's scary, isn't it?
  2. An SSL server sends you a certificate chain. If you want to import one that's not always the end-entity cert, you need to specify a position number. This means another option, more interaction, and more error messages or IndexOutOfBoundsExceptions. That's not good.
So the command ends up as a simple "-printcert -sslserver". It's left to the user to read, check, and cut and paste the info they want.

What protocols to support? This is a simple question, and the answer is ALL. Every application protocol that's based on SSL is included. However, the implementation chooses only HTTPS, for several reasons:
  1. HTTPS is the most popular SSL-based protocol out there, and programming it is the easiest. I simply call
    new URL("https://" + sslserver).openConnection().connect();
    
  2. HTTPS supports proxies, so you can add -Dhttps.proxyHost and -Dhttps.proxyPort if the SSL server is behind a proxy.
  3. Last and best: it also works for any SSL-based application protocol, because the handshake part of every such protocol is identical. Note that I only call the connect() method, at which point the handshake is done but no application-specific data has been exchanged yet.
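To make the two design points above concrete (print the chain for a human to inspect rather than import it, and obtain the chain with nothing more than an HTTPS connect()), here is a small stand-alone program. It is an added example, not keytool's source and not the code from Andreas's entry. It assumes Java 8 or later; the class name PrintServerCerts and the accepting trust manager are my own choices. The trust manager accepts whatever chain the server presents, which is acceptable here only because nothing is imported and no application data is sent: the fingerprints are printed so the reader can compare them against a certificate obtained out of band before trusting anything.

```java
import java.net.URL;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class name): connect to an SSL server over HTTPS,
// perform only the handshake, and print the certificate chain it presented.
public class PrintServerCerts {

    // Accepts any server chain so that a server the JVM does not already trust
    // can still be inspected. Safe only because this program prints and never
    // imports; the human reads the output and decides.
    static final class InspectOnlyTrustManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Colon-separated hex digest of the DER encoding, the form users compare by eye.
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Same host[:port] form as "keytool -printcert -sslserver <host>".
        String sslserver = args.length > 0 ? args[0] : "sun.com";

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new InspectOnlyTrustManager() }, new SecureRandom());

        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://" + sslserver).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // A host name mismatch is something the reader wants to see printed,
        // not a reason to abort before the chain can be shown.
        conn.setHostnameVerifier((host, session) -> true);

        // Handshake only: no HTTP request is written, so this works for any
        // SSL-based application protocol, not just HTTPS.
        conn.connect();
        Certificate[] chain = conn.getServerCertificates();

        // Position 1 is the end-entity certificate, then the intermediates.
        for (int i = 0; i < chain.length; i++) {
            X509Certificate x = (X509Certificate) chain[i];
            System.out.println("Certificate #" + (i + 1));
            System.out.println("  Owner:     " + x.getSubjectX500Principal());
            System.out.println("  Issuer:    " + x.getIssuerX500Principal());
            System.out.println("  Serial:    " + x.getSerialNumber().toString(16));
            System.out.println("  Valid:     " + x.getNotBefore() + " until " + x.getNotAfter());
            System.out.println("  Sig alg:   " + x.getSigAlgName());
            System.out.println("  SHA-1:     " + fingerprint(x, "SHA-1"));
            System.out.println("  SHA-256:   " + fingerprint(x, "SHA-256"));
            System.out.println();
        }
        conn.disconnect();
    }
}
```

Run it as `java PrintServerCerts sun.com`; because the connection goes through HttpsURLConnection, `-Dhttps.proxyHost=... -Dhttps.proxyPort=...` on the command line routes it through a proxy exactly as for keytool. To actually trust one of the printed certificates, save it from a source you control to a file and import that file with -importcert after checking that its fingerprint matches the one printed here; a second live connection could return a different chain.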

BTW, the feature was added to keytool a long time ago.