1 Reply. Latest reply: Sep 5, 2012 6:49 PM by EJP

How does TLS choose an entry from the keystore?

960127 Newbie
I am using the example code from section 11.4.3 TLS Socket Factory in the document: [Java Dynamic Management Kit 5.1 Tutorial|http://docs.oracle.com/cd/E19698-01/816-7609/6mdjrf873/index.html] . I can get it working fine, but only if the first private key entry in the server side's keystore is the one that matches a certificate in the client's truststore. This leads me to believe that there is no way to select a particular private key for use with a JMXMP connection across TLS, i.e. TLS always chooses the first key entry it encounters in the keystore. Is this true?
  • 1. Re: How does TLS choose an entry from the keystore?
    EJP Guru
    No. The client sends the server a list of cipher suites and the server selects a certificate from its keystore accordingly. RFC 2246: "The certificate type must be appropriate for the selected cipher suite's key exchange algorithm."

    I would remove the line in the sample that sets the cipher suite. I can't see the point of crippling SSL by only allowing one cipher suite.
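The reply above explains the selection rule (key type is driven by the negotiated cipher suite), but it does not show how to force a particular key entry when the keystore holds several that all qualify. The following is an added example, not code from the JDMK tutorial or from either poster: an X509KeyManager wrapper that pins one alias and refuses the handshake rather than silently falling back to another entry. The keystore path, password and alias name are placeholders; the resulting SSLSocketFactory is the kind of object the tutorial's sample installs as its TLS socket factory.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509KeyManager;

/** Key manager that only ever offers one pinned alias from the keystore (example code). */
public final class PinnedAliasKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final String alias;

    public PinnedAliasKeyManager(X509KeyManager delegate, String alias) {
        this.delegate = delegate;
        this.alias = alias;
    }

    /** True if the delegate considers the pinned alias usable for this key type. */
    private boolean pinnedAliasUsable(String[] usable) {
        return usable != null && Arrays.asList(usable).contains(alias);
    }

    // Server side: JSSE calls this once per handshake with the key type the
    // chosen cipher suite needs (e.g. "RSA" or "EC"). Return the pinned alias
    // only if it really has that key type; otherwise return null so the
    // handshake fails visibly instead of the default manager picking another key.
    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return pinnedAliasUsable(delegate.getServerAliases(keyType, issuers)) ? alias : null;
    }

    // Client side: same rule, but the peer may accept several key types.
    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        for (String keyType : keyTypes) {
            if (pinnedAliasUsable(delegate.getClientAliases(keyType, issuers))) {
                return alias;
            }
        }
        return null;
    }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return pinnedAliasUsable(delegate.getServerAliases(keyType, issuers)) ? new String[] { alias } : null;
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return pinnedAliasUsable(delegate.getClientAliases(keyType, issuers)) ? new String[] { alias } : null;
    }

    @Override
    public X509Certificate[] getCertificateChain(String a) {
        return delegate.getCertificateChain(a);
    }

    @Override
    public PrivateKey getPrivateKey(String a) {
        return delegate.getPrivateKey(a);
    }

    /** Builds an SSLSocketFactory whose key manager offers only the named key entry. */
    public static SSLSocketFactory socketFactoryFor(String keystorePath, char[] password, String wantedAlias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        // JKS stores aliases lower-cased, so resolve the stored spelling and
        // check up front that it is a private-key entry, not just a trusted cert.
        String stored = null;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            if (a.equalsIgnoreCase(wantedAlias) && ks.isKeyEntry(a)) {
                stored = a;
            }
        }
        if (stored == null) {
            throw new IllegalArgumentException("no private key entry named " + wantedAlias);
        }
        // "SunX509" is requested explicitly: the "NewSunX509" implementation
        // returns decorated alias strings, which would break the equality test above.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, password);
        X509KeyManager defaultKm = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                defaultKm = (X509KeyManager) km;
                break;
            }
        }
        if (defaultKm == null) {
            throw new IllegalStateException("no X509KeyManager available");
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new PinnedAliasKeyManager(defaultKm, stored) }, null, null);
        return ctx.getSocketFactory();
    }
}
```

Usage: `PinnedAliasKeyManager.socketFactoryFor("/path/to/server.jks", "changeit".toCharArray(), "myserverkey")` (all three values are placeholders) returns the factory to hand to the JMXMP connector environment in place of the one the tutorial builds. Because `chooseServerAlias` returns null when the pinned key's type does not match the negotiated suite, a client that only offers suites for a different key type gets a handshake failure, which is the correct outcome to surface rather than a silent fallback to whichever entry happens to come first in the keystore; `javax.net.debug=ssl:handshake` shows which alias was actually selected.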
