<p>The "obvious" problem is that you're not actually making any use of the <code>SSLContext</code>s you create:</p>
<pre><code>SSLServerSocketFactory sslSrvSockFact = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
</code></pre>
<p>This should at least be:</p>
<pre><code>SSLServerSocketFactory sslSrvSockFact = (SSLServerSocketFactory) ctx.getServerSocketFactory();
</code></pre>
<p>The problem is that you would have to choose between one context or the other...</p>
<p>The solution to your problem is in <a href="https://stackoverflow.com/a/9182713/372643">the answer I gave to your other similar question a couple of days ago</a>: you need to implement your own <a href="http://docs.oracle.com/javase/6/docs/api/javax/net/ssl/X509KeyManager.html" rel="nofollow noreferrer"><code>X509KeyManager</code></a> to be able to choose which key you're going to use.</p>
<p>Whether you want to use a single keystore or load your key/cert from two keystores doesn't matter that much: if you really want to, you can certainly implement <code>getPrivateKey</code> and <code>getCertificateChain</code> so that they load the keys/certs from two distinct keystores depending on the alias. It would be unnecessarily complicated, though. You will still have to do something based on the alias selection anyway, so you might as well load both keys/certificates from a single key store, using different aliases.</p>
<p>From the server point of view, the only way to choose one alias (and therefore key/cert pair) is to use what's available in the socket (or engine if you're using an <a href="http://docs.oracle.com/javase/6/docs/api/javax/net/ssl/X509ExtendedKeyManager.html" rel="nofollow noreferrer"><code>X509ExtendedKeyManager</code></a>). Since Java 7 doesn't support Server Name Indication (which would let the client tell which host name it's requesting ahead of this selection process), you may have to do this based on the client IP address, or on which of your server IP addresses is being used (if you have more than one).</p>
<blockquote>
<p>Using two private keys (keystore) and two public keys (truststore)</p>
</blockquote>
<p>You seem to be confused about what the keystore and the truststore are. Unless you're planning to use client-certificate authentication, you can ignore the trust store settings on the server. You can use the default (<code>null</code>) as the second parameter of your <code>SSLContext.init(...)</code>. Your "keystore (keystore)" is the information used by the local party (your server in this case); the "truststore (keystore)" is used to determine which remote party to trust.</p>
<p>The public key (or, to be precise, the certificate) you're going to present to the client is also in your keystore, associated with your private key, not in the truststore.</p>
<p><strong>EDIT:</strong></p>
<blockquote>
<p>Exception in thread "main" java.lang.NoSuchMethodError: javax.net.ssl.SSLContext.setDefault(Ljavax/net/ssl/SSLContext;) at ...initialiseManager(499)</p>
</blockquote>
<p><a href="http://docs.oracle.com/javase/6/docs/api/java/lang/NoSuchMethodError.html" rel="nofollow noreferrer">NoSuchMethodError</a>:</p>
<blockquote>
<p>Thrown if an application tries to call a specified method of a class (either static or instance), and that class no longer has a definition of that method.</p>
<p>Normally, this error is caught by the compiler; this error can only occur at run time if the definition of a class has incompatibly changed.</p>
</blockquote>
<p>This has nothing to do with your SSL settings. Not sure what you've done here, but it looks like you may be using code for Java 6 on a Java 5 JRE (Java 6 did not have a <code>setDefault</code> on <code>SSLContext</code>). More importantly, there's something wrong about the general way you seem to be using Java here.</p>
<blockquote>
<p>javax.net.ssl.SSLException:</p>
<p>No available certificate or key corresponds to the SSL cipher suites which are enabled.</p>
</blockquote>
<p>That could very well be explained by the fact you didn't seem to be using the <code>SSLContext</code>s you had initialised at all...</p>
<ul>
<li>If you have two pairs of private keys/certificates in your keystore.</li>
</ul>
<p>My answer <a href="https://stackoverflow.com/a/9217941/372643">here</a> still stands. I'll try to make it a bit more explicit. I'm assuming here that one of your cert/private key pairs is using <code>alias1</code> and the other <code>alias2</code>. Find out using <code>keytool -list</code> if you're not sure. It's up to you to choose and set them up.</p>
<pre><code>import java.io.FileInputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// keystorePassword and keyPassword are the char[] passwords you supply yourself.

// Load the key store: change store type if needed
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream fis = new FileInputStream("/path/to/keystore");
try {
    ks.load(fis, keystorePassword);
} finally {
    if (fis != null) {
        fis.close();
    }
}

// Get the default Key Manager
KeyManagerFactory kmf = KeyManagerFactory.getInstance(
        KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, keyPassword);
final X509KeyManager origKm = (X509KeyManager) kmf.getKeyManagers()[0];

X509KeyManager km = new X509KeyManager() {
    public String chooseServerAlias(String keyType, Principal[] issuers,
            Socket socket) {
        InetAddress remoteAddress = socket.getInetAddress();
        // Replace the placeholder with the conditions on remoteAddress
        // you need to define yourself.
        boolean useFirstAlias = /* remoteAddress has some conditions you need to define yourself */ true;
        if (useFirstAlias) {
            return "alias1";
        } else {
            return "alias2";
        }
    }

    public String chooseClientAlias(String[] keyType, Principal[] issuers,
            Socket socket) {
        // Delegate the other methods to origKm.
        return origKm.chooseClientAlias(keyType, issuers, socket);
    }

    // The remaining methods are delegated to origKm in the same way
    // as chooseClientAlias.
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return origKm.getClientAliases(keyType, issuers);
    }

    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return origKm.getServerAliases(keyType, issuers);
    }

    public X509Certificate[] getCertificateChain(String alias) {
        return origKm.getCertificateChain(alias);
    }

    public PrivateKey getPrivateKey(String alias) {
        return origKm.getPrivateKey(alias);
    }
};

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(new KeyManager[] { km }, null, null);
SSLSocketFactory sslSocketFactory = sslContext.getSSLSocketFactory();
</code></pre>
<ul>
<li>If you really want two distinct keystores.</li>
</ul>
<p>Do the same and, on top of this, in <code>getCertificateChain(String alias)</code>, choose which of the two keystores to use depending on the alias, and use it to get the certificate chain. Same thing for <code>getPrivateKey(...)</code>.</p>
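As an added example (not part of the answer above), here is a complete delegating X509KeyManager along the same lines that selects the server alias by which of the server's own addresses the client connected to, the other option the answer mentions, and only honours a configured alias when the default key manager lists it as usable for the requested key type, falling back to the default choice otherwise so a misconfigured mapping does not break the handshake. The class name, the `contextFor` factory and the address-to-alias map (for instance `alias1` and `alias2` from the answer) are assumptions of this example.

```java
import java.io.FileInputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Map;
import javax.net.ssl.*;

/** Hypothetical key manager: picks the server alias by the local address the client connected to. */
public final class LocalAddressKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;                      // default manager built from the keystore
    private final Map<InetAddress, String> aliasByLocalAddress; // server address -> alias, supplied by the caller
    public LocalAddressKeyManager(X509KeyManager delegate, Map<InetAddress, String> aliasByLocalAddress) {
        this.delegate = delegate;
        this.aliasByLocalAddress = aliasByLocalAddress;
    }
    /** Loads the keystore, wraps the default key manager and builds a server-side context from it. */
    public static SSLContext contextFor(String keystorePath, char[] storePassword, char[] keyPassword,
                                        Map<InetAddress, String> aliasByLocalAddress) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        X509KeyManager defaultKm = (X509KeyManager) kmf.getKeyManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Trust managers stay null: no client-certificate authentication, so no truststore is needed.
        ctx.init(new KeyManager[] { new LocalAddressKeyManager(defaultKm, aliasByLocalAddress) }, null, null);
        return ctx;
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        String wanted = socket == null ? null : aliasByLocalAddress.get(socket.getLocalAddress());
        // Honour the mapping only if the default manager lists that alias as usable for this key type
        // (RSA, EC, ...); otherwise fall back to its own choice rather than break the handshake.
        String[] usable = delegate.getServerAliases(keyType, issuers);
        if (wanted != null && usable != null && Arrays.asList(usable).contains(wanted)) {
            return wanted;
        }
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }
    // Everything else is delegated unchanged to the default key manager.
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyType, issuers, socket); }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

Use `contextFor(...).getServerSocketFactory()` to create the listening sockets, which is the factory the answer says the code should have been using instead of `SSLServerSocketFactory.getDefault()`.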