5 Replies Latest reply: Nov 13, 2012 3:56 AM by 973216

POP3Store and custom truststore

973216 Newbie
Hi,
I'm connecting to a pop3 server via SSL and the server does not necessarily have a trusted certificate. I want to give the user the possibility to supply a custom truststore to my app that contains the certificates to trust. How can I make the POP3Store use this truststore?

I do not want to affect other processes running in the JVM, so only this one connection should use the truststore.

cheers,
Tex
  • 1. Re: POP3Store and custom truststore
    EJP Guru
    I'm connecting to a pop3 server via SSL and the server does not necessarily have a trusted certificate.
    Then using SSL to it is pointless.
    I want to give the user the possibility to supply a custom truststore to my app that contains the certificates to trust.
    Easy enough, just set javax.net.ssl.trustStore before connecting.
    How can I make the POP3Store to use this truststore ?
    What's a POP3Store, and what does it have to do with SSL truststores?
    I do not want to affect other processes running in the JVM, so only this one connection should use the truststore.
    So you would have to set JavaMail socket factory instead of the system property. But if the server doesn't have a trusted certificate it is all pointless. You have no way of knowing whether you are connected to the correct peer. It isn't secure, and using SSL with such a peer doesn't make it one whit more secure than plaintext.
  • 2. Re: POP3Store and custom truststore
    973216 Newbie
    EJP wrote:
    What's a POP3Store, and what does it have to do with SSL truststores?
    http://javamail.kenai.com/nonav/javadocs/com/sun/mail/pop3/POP3Store.html

    I do not want to affect other processes running in the JVM, so only this one connection should use the truststore.
    So you would have to set JavaMail socket factory instead of the system property. But if the server doesn't have a trusted certificate it is all pointless. You have no way of knowing whether you are connected to the correct peer. It isn't secure, and using SSL with such a peer doesn't make it one whit more secure than plaintext.
    No, it is not pointless. It is a corporate server that has its own PKI. The admin can roll out a truststore containing the root CA of the server's certificate.
  • 3. Re: POP3Store and custom truststore
    EJP Guru
    So do that. What's the question?
  • 4. Re: POP3Store and custom truststore
    973216 Newbie
    EJP wrote:
    So do that. What's the question?
    How am I supposed to supply the truststore to the client's SSL connection?
  • 5. Re: POP3Store and custom truststore
    973216 Newbie
    Hi,
    so I'm now providing an SSLSocketFactory to the connection, but it still doesn't work:

    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;

    private SSLSocketFactory createSSLTestConfig() {
        SSLSocketFactory sf = null;
        try {
            // Load the JKS file that holds the certificates to trust
            KeyStore trustStore = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream("truststore.jks")) {
                trustStore.load(in, "password".toCharArray());
            }

            // Set up key manager factory to use our key store
            // (never passed to sslContext.init below, so it has no effect)
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            kmf.init(trustStore, "password".toCharArray());

            // Trust managers that validate the server's chain against the truststore
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
            trustManagerFactory.init(trustStore);
            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, trustManagers, null);

            sf = sslContext.getSocketFactory();
        } catch (Exception e) {
            // POP3Client.log is the poster's own logger; on failure sf stays null
            POP3Client.log.error("Could not initialize SSL: " + e.getMessage());
        }
        return sf;
    }
    Then I set the SSLSocketFactory as explained here: http://javamail.kenai.com/nonav/javadocs/com/sun/mail/pop3/package-summary.html
    Properties properties = new Properties();
    properties.put("mail.pop3s.host", host);
    properties.put("mail.pop3s.port", port);
    properties.put("mail.pop3.ssl.socketFactory", createSSLTestConfig());

    Session emailSession = Session.getDefaultInstance(properties);

    pop3Store = (POP3Store) emailSession.getStore("pop3s");
    pop3Store.connect(...);
    but I get the SSL exception
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
    My truststore.jks contains the self signed certificate of the server.

    what am I doing wrong?
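
The following is an added example, not code from the thread or from the JavaMail documentation, showing how a user-supplied truststore can be wired into one pop3s connection without touching the rest of the JVM. Two details matter for the "PKIX path building failed" symptom above. First, JavaMail reads protocol properties under the prefix that matches the protocol name passed to getStore(): a store obtained with "pop3s" looks at mail.pop3s.*, so a socket factory set under mail.pop3.ssl.socketFactory is never used and the handshake falls back to the JVM's default trust anchors, which do not contain the corporate root. Second, Session.getDefaultInstance() returns a single JVM-wide Session whose properties are fixed by whoever called it first, which is exactly the cross-process effect the question wants to avoid; Session.getInstance() returns a private Session. The host, port, credentials and truststore path below are assumed values for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Properties;

import javax.mail.Folder;
import javax.mail.Session;
import javax.mail.Store;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class Pop3sWithCustomTrustStore {

    /**
     * Build an SSLSocketFactory whose trust decisions come only from the given
     * JKS file (for example one holding the corporate root CA). Neither the
     * javax.net.ssl.trustStore system property nor the JVM's cacerts is consulted.
     */
    static SSLSocketFactory socketFactoryFor(String trustStorePath, char[] trustStorePassword)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // No KeyManagers: the client has no certificate of its own to present,
        // so a KeyManagerFactory over the truststore would add nothing.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** Open a pop3s Store that uses the given factory, and only this factory. */
    static Store openPop3s(String host, int port, String user, String password,
            SSLSocketFactory sf) throws Exception {
        Properties props = new Properties();
        // The prefix must match the protocol name given to getStore(): a "pop3s"
        // store reads mail.pop3s.*, and mail.pop3.ssl.socketFactory is ignored.
        props.put("mail.pop3s.host", host);
        props.put("mail.pop3s.port", String.valueOf(port));
        props.put("mail.pop3s.ssl.socketFactory", sf);
        // Also require the certificate's subject/SAN to match the host we dialled;
        // without this, any certificate issued by the trusted root is accepted.
        props.put("mail.pop3s.ssl.checkserveridentity", "true");

        // getInstance() gives a private Session; getDefaultInstance() would share
        // one Session (and the first caller's properties) across the whole JVM.
        Session session = Session.getInstance(props);
        Store store = session.getStore("pop3s");
        store.connect(host, port, user, password);
        return store;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values for illustration; take them from the user's configuration.
        SSLSocketFactory sf = socketFactoryFor("truststore.jks", "password".toCharArray());
        Store store = openPop3s("pop.example.corp", 995, "alice", "secret", sf);
        try {
            Folder inbox = store.getFolder("INBOX");
            inbox.open(Folder.READ_ONLY);
            System.out.println("INBOX has " + inbox.getMessageCount() + " message(s)");
            inbox.close(false);
        } finally {
            store.close();
        }
    }
}
```

Before blaming the code, confirm what the truststore actually holds with `keytool -list -v -keystore truststore.jks`: PKIX path building succeeds only if the truststore contains either the exact self-signed certificate the server presents or the CA that issued the server's certificate (plus any intermediates the server does not send itself). If the truststore is right and the error persists, the factory is not being picked up, which is what a mismatched property prefix or a previously cached default Session produces.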
