Introduction

As of censhare Client 5.4.2, the default trust manager accepts only valid, trusted certificates. This trust manager is the one that ships with the JVM SSL implementation: the connection to the server fails if the certificate is invalid (for example, expired) or if it cannot be chained to a root CA the JVM trusts. Unlike some browsers, the client never shows a warning dialog that lets the user proceed with a certificate it cannot verify; the connection is simply not established and an error dialog is shown.

To connect with a censhare Client 5.4.2 or later, you therefore need to deploy a certificate to the censhare Server that the client's JVM can validate: one issued by a CA whose root is in the JVM's trust store, delivered together with its intermediate certificate(s).

Chain certificates

cat mydomain.com.cert.pem intermediate.cert.pem root.cert.pem > mydomain.com.chain.pem

The order matters: your own server certificate comes first, followed by the intermediate certificate(s) and finally the root, so that each certificate is issued by the one that follows it. mydomain.com.chain.pem then looks as follows:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: mydomain.com.cert.pem)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: intermediate.cert.pem)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
(Your Root certificate: root.cert.pem)
-----END CERTIFICATE-----

Create PKCS12 Keystore and Convert into a Java Keystore

openssl pkcs12 -export -name mydomain.com -in mydomain.com.chain.pem -inkey mydomain.com.privatekey.pem -out keystore.p12
keytool -importkeystore -destkeystore mydomain.com.keystore -srckeystore keystore.p12 -srcstoretype pkcs12

Both commands prompt for passwords: openssl asks for an export password for the PKCS12 file, and keytool asks for the password of the new destination keystore and then for the PKCS12 password you just set. The alias given with -name is the name under which the key entry appears in the keystore.

Deploy Java keystore

Copy mydomain.com.keystore to ~/cscs/app/config/keystore, or import it into an existing keystore at that location. Note that changes to the keystore always require a censhare Server restart.

keytool -importkeystore -srckeystore mydomain.com.keystore -destkeystore ~/cscs/app/config/keystore

Verify certificates

Once you have deployed the keystore and restarted the censhare Server, you can inspect the certificate chain the server offers:

echo "" | openssl s_client -connect censhare.mydomain.com:30546 -showcerts

The output should list your server certificate followed by the intermediate certificate(s), and end with "Verify return code: 0 (ok)" if the chain is trusted by the CA store of the machine you run the check from. "unable to get local issuer certificate" usually means the intermediate certificate is missing from the chain, which is exactly the situation in which the client's trust manager refuses the connection.
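The whole procedure, end to end and offline, as an added example (this is not censhare tooling and not code from this page): it generates a constructed test PKI with openssl (a throwaway "Test Root CA", "Test Intermediate CA" and a server certificate for censhare.mydomain.com), assembles the chain in the order required above, checks that order, validates the chain the way a strict trust manager does, exports the PKCS12 file and, if keytool is on the PATH, converts it to a Java keystore. The scratch directory WORK, the password "changeit" and all function names are assumptions made for this example; the file names and alias follow the page.

```shell
#!/bin/sh
# Added example, not part of censhare or its documentation. Requires openssl;
# keytool is used only when present. Everything is written to $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)
PASS="${PASS:-changeit}"       # keystore password (assumption)

# Generate a constructed root CA, intermediate CA and server certificate.
make_test_pki() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:censhare.mydomain.com\n' >"$d/leaf.ext"
    # self-signed root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
        -keyout "$d/root.key.pem" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key.pem" -days 30 -sha256 \
        -extfile "$d/ca.ext" -out "$d/root.cert.pem" 2>/dev/null
    # intermediate, issued by the root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
        -keyout "$d/intermediate.key.pem" -out "$d/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.cert.pem" -CAkey "$d/root.key.pem" \
        -CAcreateserial -days 30 -sha256 -extfile "$d/ca.ext" -out "$d/intermediate.cert.pem" 2>/dev/null
    # server certificate, issued by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=censhare.mydomain.com" \
        -keyout "$d/mydomain.com.privatekey.pem" -out "$d/mydomain.com.csr" 2>/dev/null
    openssl x509 -req -in "$d/mydomain.com.csr" -CA "$d/intermediate.cert.pem" -CAkey "$d/intermediate.key.pem" \
        -CAcreateserial -days 30 -sha256 -extfile "$d/leaf.ext" -out "$d/mydomain.com.cert.pem" 2>/dev/null
}

# Assemble the chain as the page does: server certificate, intermediate, root.
build_chain() {
    cat "$1/mydomain.com.cert.pem" "$1/intermediate.cert.pem" "$1/root.cert.pem" >"$1/mydomain.com.chain.pem"
}

# Split a PEM bundle into $2/cert.N.pem files; prints the number of certificates.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert." n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }' "$1"
}

# Chain order check: every certificate must be issued by the one that follows it.
check_chain_order() {
    tmp=$(mktemp -d)
    n=$(split_chain "$1" "$tmp")
    i=1
    rc=0
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -in "$tmp/cert.$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$tmp/cert.$j.pem" -noout -subject)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "chain order error: certificate $i was not issued by certificate $j" >&2
            rc=1
            break
        fi
        i=$j
    done
    rm -rf "$tmp"
    return $rc
}

# What a strict trust manager effectively does: build a path from the server
# certificate, through whatever the server sends, to a trusted root.
# usage: verify_like_client ROOT LEAF [SENT_CHAIN]
verify_like_client() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# The page's export step, and a count of the certificates that ended up inside.
export_pkcs12() {
    openssl pkcs12 -export -name mydomain.com -in "$1/mydomain.com.chain.pem" \
        -inkey "$1/mydomain.com.privatekey.pem" -passout "pass:$PASS" -out "$1/keystore.p12"
}
count_p12_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# The page's keytool step, non-interactive; skipped when no JDK is installed.
convert_to_keystore() {
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -srckeystore "$1/keystore.p12" -srcstoretype pkcs12 -srcstorepass "$PASS" \
            -destkeystore "$1/mydomain.com.keystore" -deststorepass "$PASS" -noprompt
        keytool -list -keystore "$1/mydomain.com.keystore" -storepass "$PASS"
    else
        echo "keytool not found; skipping the Java keystore conversion" >&2
    fi
}

run_demo() {
    make_test_pki "$1"
    build_chain "$1"
    check_chain_order "$1/mydomain.com.chain.pem"
    verify_like_client "$1/root.cert.pem" "$1/mydomain.com.cert.pem" "$1/mydomain.com.chain.pem"
    export_pkcs12 "$1"
    echo "certificates in keystore.p12: $(count_p12_certs "$1/keystore.p12")"
    convert_to_keystore "$1"
    # the classic mistake, kept for a negative check: chain in reverse order
    cat "$1/root.cert.pem" "$1/intermediate.cert.pem" "$1/mydomain.com.cert.pem" >"$1/reversed.chain.pem"
}

run_demo "$WORK"
echo "artifacts in $WORK"
```

The negative cases are the instructive ones: check_chain_order rejects the reversed chain, and verify_like_client fails when given only the server certificate and the root, which is what a client sees when the intermediate was left out of the chain. OpenSSL 3 writes PKCS12 files with AES and PBKDF2 by default; if an old keytool refuses the file, rerun the export with the -legacy option.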

Workaround

You can disable the default trust manager and reactivate the previous dummy trust manager with a new, optional attribute on the host element in hosts.xml: disable-trust-manager="true". With the trust manager disabled, the censhare Client accepts any certificate, which makes the connection vulnerable to a man-in-the-middle (MITM) attack. Use this only temporarily, for example while a proper certificate is being issued, and remove the attribute again once the certificate is deployed.

<host compressionlevel="3" url="frmis://censhare.mydomain.com/corpus.RMIServerSSL" name="censhare" disable-trust-manager="true" databasename="censhare" authentication-method="">
    <proxy use="0"/>
    <censhare-vfs use="1"/>
</host>