
Why do (non-browser) clients sometimes not trust valid, signed certs?


This is a somewhat canonical question ... I hope that's okay.

In my employ I often troubleshoot situations where a client running on a Linux server (usually a java application) doesn't trust a valid, signed certificate - a cert which is trusted by browsers. Our usual quick fix is to add the cert to the java cacerts trust store, but it nags me why this is needed.

In my understanding there are two possibilities:

  1. The server side is not sending the full chain (end-entity cert + intermediate certs), in the right order, AND the client does not trust the intermediate certs (perhaps because it's too old.)
  2. The client trust store does not contain the root cert to use as a trust anchor (perhaps because it's too old.)

Is that accurate? If so, it seems like alternate possibilities to forcing trust of the end-entity cert are:

  • Configure the server application to send the full chain.
  • Upgrade the client (e.g., java) to a newer version. In my case, usually the major release of java which can be used is limited by software prerequisites, but perhaps each minor release contains an updated trust store?

Any thoughts or clarifications are appreciated.
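
The following is an added illustration of possibility 1, not code from the question or its comments. It builds a throwaway three-tier PKI (root, intermediate, end-entity) with the openssl CLI and then emulates a client whose trust store holds only the root: path building fails when the server presents the leaf alone and succeeds once the intermediate is included, which is exactly what "configure the server to send the full chain" fixes. The CA names (demo-root, demo-int), the hostname app.example.test and the helper names are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original question: build a throwaway
# three-tier PKI (root -> intermediate -> leaf) with the openssl CLI and
# show possibility 1 from the question. A client whose trust store holds
# only the root cannot build a path to the leaf unless the intermediate
# is supplied, which is the server's job via the TLS handshake.
# All names (demo-root, demo-int, app.example.test) are made up.
set -eu

WORK=$(mktemp -d)

# Hypothetical helper: key pair plus CSR for a given common name.
new_csr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

make_demo_pki() {
  # Root CA: self-signed, the only thing the client's trust store holds.
  new_csr root demo-root
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null

  # Intermediate CA, signed by the root. Public CAs rotate these, which is
  # why a client that relies on a shipped intermediate breaks while the
  # root it trusts is still perfectly valid.
  new_csr int demo-int
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid' > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

  # End-entity (server) certificate, signed by the intermediate.
  new_csr leaf app.example.test
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:app.example.test' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

  # What a correctly configured server presents: leaf first, then every
  # intermediate in order; the root itself is optional.
  cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
}

# Emulate a client with a root-only trust store: prints "ok" if a path can
# be built to $1 from the anchors in $2, using the untrusted extras in $3
# (optional) the same way a client uses the certificates the server sent.
path_builds() {  # $1 = leaf, $2 = trust anchors, $3 = untrusted chain file
  if [ $# -ge 3 ]; then
    openssl verify -no-CApath -no-CAfile -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -no-CApath -no-CAfile -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# Number of certificates in a PEM bundle, i.e. how much of the chain a
# server would actually send.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

make_demo_pki
echo "leaf alone, root-only store:       $(path_builds "$WORK/leaf.pem" "$WORK/root.pem")"
echo "leaf + intermediate, root store:   $(path_builds "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/fullchain.pem")"
echo "certificates in fullchain.pem:     $(cert_count "$WORK/fullchain.pem")"
```

Against a real endpoint the equivalent check is `openssl s_client -connect host:443 -servername host -showcerts`, which both sends SNI and prints every certificate the server returned, so a chain with only one certificate points at possibility 1 and an "unable to get local issuer certificate" error with the full chain present points at possibility 2. If the trust anchor really is missing, importing the root rather than the end-entity certificate (for Java 9 and later, `keytool -importcert -cacerts -trustcacerts -alias <name> -file root.pem`) survives the server's next renewal, whereas a pinned leaf stops working the day it is reissued.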

Steffen Ullrich:
*"AND the client does not trust the intermediate certs (perhaps because it's too old.)"* - this is unrelated to old. The trust store simply only contains the root CA and the server is expected to send the intermediate certificates. The intermediate is trusted if it was issued by a locally trusted root CA or by another trusted intermediate - no matter how old the client is.
Steffen Ullrich:
Apart from that you address the main points. Other possible reasons: client fails to send SNI (most modern clients do it though), server is properly configured for IPv4 but not IPv6 and client tries to connect to IPv6 while browser might use IPv4.
DarkMoon:
You've not mentioned the O/S, but I believe on Windows, browsers use the Windows certificate store but Java uses its own one by default. So just because a browser trusts the cert doesn't mean Java will. javax.net.ssl.trustStoreType can be used to tell it to get the trusted root cert list from the Windows internal one.
dave_thompson_085:
@DarkMoon: IE, Edge and Chrome/Windows use the Windows cert store, but Firefox uses its own. On all OS, Java builds from Oracle (and formerly Sun) default to their own cacerts file, but OpenJDK depends on the builder; OpenJDK built for Linux distros (always? almost always?) uses the system store.
em_bo:
@SteffenUllrich From what I can tell, Java often ships with intermediate certs for major CAs. I've seen the age of the client come into play when the CA has switched to a newer intermediate cert than what is delivered.
em_bo:
@DarkMoon I wasn't explicit, but the context of my question is primarily Linux servers, so the browser in question and the client in question aren't running on the same system.