5 Replies Latest reply: Nov 13, 2012 5:56 AM by 973216

    POP3Store and custom truststore

    973216
      Hi,
      I'm connecting to a pop3 server via SSL and the server does not necessarily have a trusted certificate. I want to give the user the possibility to supply a custom truststore to my app that contains the certificates to trust. How can I make the POP3Store use this truststore?

      I do not want to affect other processes running in the JVM, so only this one connection should use the truststore.

      cheers,
      Tex
        • 1. Re: POP3Store and custom truststore
          EJP
          I'm connecting to a pop3 server via SSL and the server does not necessarily have a trusted certificate.
          Then using SSL to it is pointless.
          I want to give the user the possibility to supply a custom truststore to my app that contains the certificates to trust.
          Easy enough, just set javax.net.ssl.trustStore before connecting.
          How can I make the POP3Store use this truststore?
          What's a POP3Store, and what does it have to do with SSL truststores?
          I do not want to affect other processes running in the JVM, so only this one connection should use the truststore.
          So you would have to set JavaMail socket factory instead of the system property. But if the server doesn't have a trusted certificate it is all pointless. You have no way of knowing whether you are connected to the correct peer. It isn't secure, and using SSL with such a peer doesn't make it one whit more secure than plaintext.
          • 2. Re: POP3Store and custom truststore
            973216
            EJP wrote:
            What's a POP3Store, and what does it have to do with SSL truststores?
            http://javamail.kenai.com/nonav/javadocs/com/sun/mail/pop3/POP3Store.html

            I do not want to affect other processes running in the JVM, so only this one connection should use the truststore.
            So you would have to set JavaMail socket factory instead of the system property. But if the server doesn't have a trusted certificate it is all pointless. You have no way of knowing whether you are connected to the correct peer. It isn't secure, and using SSL with such a peer doesn't make it one whit more secure than plaintext.
            No, it is not pointless. It is a corporate server that has its own PKI. The admin can roll out a truststore containing the root CA of the server's certificate.
            • 3. Re: POP3Store and custom truststore
              EJP
              So do that. What's the question?
              • 4. Re: POP3Store and custom truststore
                973216
                EJP wrote:
                So do that. What's the question?
                How am I supposed to supply the truststore to the client's SSL connection?
                • 5. Re: POP3Store and custom truststore
                  973216
                  Hi,
                  so I'm now providing an SSLSocketFactory to the connection, but it still doesn't work:

                  import java.io.FileInputStream;
                  import java.security.KeyStore;
                  import javax.net.ssl.KeyManagerFactory;
                  import javax.net.ssl.SSLContext;
                  import javax.net.ssl.SSLSocketFactory;
                  import javax.net.ssl.TrustManager;
                  import javax.net.ssl.TrustManagerFactory;

                  private SSLSocketFactory createSSLTestConfig() {
                      SSLSocketFactory sf = null;
                      try {
                          // Load the user-supplied truststore (JKS) from disk
                          KeyStore trustStore = KeyStore.getInstance("JKS");
                          trustStore.load(new FileInputStream("truststore.jks"), "password".toCharArray());

                          // Set up key manager factory to use our key store
                          // (initialised here but not passed to the SSLContext below)
                          KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                          kmf.init(trustStore, "password".toCharArray());

                          // Build the trust managers from the truststore
                          TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
                          trustManagerFactory.init(trustStore);
                          TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

                          // Context that trusts only what is in truststore.jks
                          SSLContext sslContext = SSLContext.getInstance("TLS");
                          sslContext.init(null, trustManagers, null);
                          sf = sslContext.getSocketFactory();
                      } catch (Exception e) {
                          POP3Client.log.error("Could not initial SSL:" + e.getMessage());
                      }
                      return sf;
                  }
                  Then I set the SSLSocketFactory as explained here: http://javamail.kenai.com/nonav/javadocs/com/sun/mail/pop3/package-summary.html
                  Properties properties = new Properties();
                  properties.put("mail.pop3s.host", host);
                  properties.put("mail.pop3s.port", port);
                  properties.put("mail.pop3.ssl.socketFactory", createSSLTestConfig());

                  Session emailSession = Session.getDefaultInstance(properties);

                  pop3Store = (POP3Store) emailSession.getStore("pop3s");
                  pop3Store.connect(...);
                  but I get the SSL exception:
                  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
                  My truststore.jks contains the self signed certificate of the server.

                  What am I doing wrong?
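An added example (not code from the thread or from JavaMail itself) of the per-connection setup the question is after: the socket factory is built from the user-supplied truststore and registered under the mail.pop3s.* prefix, which is what the "pop3s" protocol actually reads (a factory stored under mail.pop3.* is never consulted, so the JVM default trust is used and the PKIX error follows). The truststore path and password, host, port and credentials are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Properties;
import javax.mail.Session;
import javax.mail.Store;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public final class Pop3sCustomTrust {
    // Builds an SSLSocketFactory that trusts only the certificates in the given
    // truststore. No KeyManager is needed: the client presents no certificate.
    static SSLSocketFactory socketFactoryFor(String path, char[] pw) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, pw);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Opens a pop3s Store whose TLS trust comes only from the given factory.
    static Store connect(String host, int port, String user, String password,
                         SSLSocketFactory sf) throws Exception {
        Properties props = new Properties();
        props.put("mail.pop3s.host", host);
        props.put("mail.pop3s.port", String.valueOf(port));
        // The "pop3s" protocol reads mail.pop3s.* keys; a factory stored under
        // mail.pop3.* is never consulted and the JVM default trust applies instead.
        props.put("mail.pop3s.ssl.socketFactory", sf);
        // Also check that the certificate matches the host we meant to reach.
        props.put("mail.pop3s.ssl.checkserveridentity", "true");
        // getInstance(), not getDefaultInstance(): the default Session is JVM-wide
        // and keeps the properties of whoever created it first.
        Session session = Session.getInstance(props);
        Store store = session.getStore("pop3s");
        store.connect(host, port, user, password);
        return store;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: use the admin-supplied truststore and the real server.
        SSLSocketFactory sf = socketFactoryFor("truststore.jks", "changeit".toCharArray());
        Store store = connect("pop.example.corp", 995, "user", "secret", sf);
        try { System.out.println("Connected: " + store.isConnected()); } finally { store.close(); }
    }
}
```

With checkserveridentity enabled the server certificate must name the host being connected to; a self-signed certificate placed in the truststore works as a trust anchor as long as its subject or SAN matches.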