- 196.9K All Categories
- 2.2K Data
- 239 Big Data Appliance
- 1.9K Data Science
- 450.3K Databases
- 221.7K General Database Discussions
- 31 Multilingual Engine
- 550 MySQL Community Space
- 478 NoSQL Database
- 7.9K Oracle Database Express Edition (XE)
- 3K ORDS, SODA & JSON in the Database
- 545 SQLcl
- 4K SQL Developer Data Modeler
- 187K SQL & PL/SQL
- 21.3K SQL Developer
- 295.9K Development
- 17 Developer Projects
- 138 Programming Languages
- 292.6K Development Tools
- 107 DevOps
- 3.1K QA/Testing
- 646K Java
- 28 Java Learning Subscription
- 37K Database Connectivity
- 155 Java Community Process
- 105 Java 25
- 22.1K Java APIs
- 138.1K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 18 Java Essentials
- 160 Java 8 Questions
- 86K Java Programming
- 80 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.3K Java SE
- 13.8K Java Security
- 204 Java User Groups
- 440 LiveLabs
- 38 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.7K Other Languages
- 2.3K Chinese
- 171 Deutsche Oracle Community
- 1.1K Español
- 1.9K Japanese
- 232 Portuguese
Java v/s Browser certificate trust behavior
We have a Java based application which connects to few servers over https.
The self signed certificates of these servers are added to client trust store to ensure https connections work.
Here is the scenario in question :
1. Server has a self signed certificate C1 with Public Key Pub1. This certificate is added to client trust store and connection works fine.
2. A new self signed certificate is generated on Server say C2 which has same public key as C1. i.e C2 has a different Serial Number, thumbprint, validaty dates but has the same public key as certificate C1.
3. Though C2 is NOT added to client trust store, the connection between client and server is working.
So it appears that X509TrustManager/X509ExtendedTrustManager checkServerTrusted implementation is only doing a public key match.
Same scenario tested with browser :
1. When server's self signed certificate C1 is NOT added to browser certificate store, Security exception is raised by browser. In case of Firefox(add server exception) and for Chrome(add the self signed server cert to trust store).
2. Browser does not throw any security exception now.
3. As explained before, when server changes to certificate C2 which has same public key as C1 (which is added to browser), browser still raises security exception.
So effectively there is a difference in Java v/s Browser trust behavior.