Added capability to conceal trusted certificates

[Hakky54]

No description provided.

[Hakky54]

@gerardnorton I have made a WIP initial implementation. Can you maybe have a look at it?
What do you think, would this work for your situation? If you want to give it a try locally with your own application you can checkout this branch and build the snapshot locally to try it out. If something is missing we can still add it.

The usage in your situation will be:

@Bean
public SSLFactory sslFactory(@Value("${ssl.keystore-path}") String keyStorePath,
                        @Value("${ssl.keystore-password}") String keyStorePassword,
                        @Value("${ssl.truststore-path}") String trustStorePath,
                        @Value("${ssl.truststore-password}") String trustStorePassword)
                        throws Exception {
    ...
    return SSLFactory.builder()
         .withIdentityMaterial(identityKeystore.toPath(), keyStorePassword.toCharArray())
         .withTrustMaterial(identityTruststore.toPath(),   trustStorePassword.toCharArray())
         .withSwappableIdentityMaterial().withSwappableTrustMaterial()
         .withNeedClientAuthentication(Boolean.TRUE)
         .withConcealedTrustedCertificates() //  <--- this option hides your trusted certificates ca names
         .withProtocols("TLSv1.3", "TLSv1.2")
         .withCiphers("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384")
         .withSessionTimeout(3600).withSessionCacheSize(1024).build();
}

This option is compatible even when using the swappable option.

[gerardnorton]

Hi.
I have tested version 8.1.8-SNAPSHOT locally and it works perfectly.
I have tried this with java-17-openjdk-amd64 and spring-boot-starter-parent 3.0.4.

:-)

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

100.0% Coverage
0.0% Duplication

[Hakky54]

Awesome, great to hear @gerardnorton I added it also to the documentation, see here: https://github.com/Hakky54/sslcontext-kickstart#hide-trusted-certificate-names-of-a-server

I will release a new version coming week, I will keep you up-to-date.

By the way, I did some testing with a huge collection of trusted certficates within a server and this is the results when the I don't configure the server with the new option:

Amazing to see so much information is presented by the server itself.

[gerardnorton]

Yes.
But keep in mind that when you disable this, you are also disabling OCSP. This functionality is designed to prevent MITM attacks at the certificate level or for the validation of certificates on the client browser side.
It is only advisable to disable this in some cases, such as when you want to protect the identity of users accessing the APP with MTLS and their DN contains sensitive information.

https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

:-)

[Hakky54]

Awesome, thank you for this additional context. By the way if you think the overal documentation can be improved, feel free to submit a PR. It seems like you have in-depth knowledge for these kind of topics.

[Hakky54]

@gerardnorton This option is now available in version 8.2.0