Setting up a truststore without a keystore #6493
Comments
The How are you making these connections? Do you use

Yes, indeed. I want something similar for client connections. I'm not making the client connections directly. In this case they are created by a Keycloak adapter. I see references to RestTemplate in this library.

@robert-gv Do you have any sample code that shows what you're currently doing? That might be a good start in us creating auto-configuration.

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

I don't think the sample code will add much to the information already provided, but here you go.
For what it's worth, this is how we do it. We put the self-signed server certificate in In the code, we parse the certificate and add it to a custom X509TrustManager that trusts both the default truststore and the included certificate (because we use valid certificates for production, and self-signed for staging). Then we call

Attached files:
- SslConfig.java
- SslProperties.java
- ExtraCertsTrustManager.java
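The composite trust manager this comment describes, written out as an added illustration rather than the commenter's attached code (only the class name is borrowed): the JVM default trust store is consulted first, the certificate bundled on the classpath second, and the resulting SSLContext is built for one specific client instead of being installed as the JVM default. The resource name `/staging-server.pem` and all method names are assumptions.

```java
import javax.net.ssl.*;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;

/** Accepts a server chain if the JVM default trust store OR the bundled self-signed certificate(s) accept it. */
public final class ExtraCertsTrustManager implements X509TrustManager {
    private final X509TrustManager defaults, extras;
    private ExtraCertsTrustManager(X509TrustManager d, X509TrustManager e) { defaults = d; extras = e; }

    // pemResource: classpath path to a PEM file, e.g. "/staging-server.pem" (assumed name, not from the thread).
    public static ExtraCertsTrustManager fromClasspath(String pemResource) throws Exception {
        // init((KeyStore) null) selects the JVM's own trust store (cacerts or javax.net.ssl.trustStore).
        TrustManagerFactory dflt = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        dflt.init((KeyStore) null);
        // In-memory store holding only the bundled certificate(s): no key store, no password, nothing on disk.
        KeyStore extraStore = KeyStore.getInstance(KeyStore.getDefaultType());
        extraStore.load(null, null);
        try (InputStream in = ExtraCertsTrustManager.class.getResourceAsStream(pemResource)) {
            if (in == null) throw new IllegalArgumentException("missing classpath resource " + pemResource);
            int i = 0;
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                extraStore.setCertificateEntry("extra-" + i++, c);
        }
        TrustManagerFactory extra = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        extra.init(extraStore);
        return new ExtraCertsTrustManager(first(dflt), first(extra));
    }
    private static X509TrustManager first(TrustManagerFactory tmf) {
        for (TrustManager tm : tmf.getTrustManagers()) if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager for " + tmf.getAlgorithm());
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try { defaults.checkServerTrusted(chain, authType); }                // production: chain to a real CA
        catch (CertificateException e) { extras.checkServerTrusted(chain, authType); } // staging: bundled cert
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        defaults.checkClientTrusted(chain, authType); // client auth is not the use case here; keep JVM behaviour
    }
    @Override public X509Certificate[] getAcceptedIssuers() {
        return java.util.stream.Stream.of(defaults, extras)
                .flatMap(t -> java.util.Arrays.stream(t.getAcceptedIssuers())).toArray(X509Certificate[]::new);
    }
    /** SSLContext for one specific client; the JVM default context is deliberately left untouched. */
    public static SSLContext sslContext(String pemResource) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { fromClasspath(pemResource) }, null);
        return ctx;
    }
}
```

Hand `sslContext("/staging-server.pem")` to the one HTTP client that talks to the self-signed server; other libraries using the default context keep the JVM's normal trust decisions.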
IMO, setting the default A quick search in Eclipse shows me that the default context is used by Cassandra's driver, RabbitMQ's client, Tomcat, Jetty, etc. While I'm sure it works very nicely in the context of a specific application, I think we might break things in ways that are difficult to debug if we applied this approach more generally. Furthermore, you may want each different sort of client that's using SSL to have different certificates that it trusts. The concerns described above also largely apply to configuring the I think we're left with making sure it's easy to configure a truststore on clients that may be using SSL. Rather than trying to tackle all of them on a case-by-case basis, I'd prefer to consider each type of client individually and see what requirements people have, so I'm going to close this issue. Anyone looking for easy truststore configuration for a particular type of client, please open a new issue stating the client that you're using and providing as much detail as possible about what you'd like to configure.
I would like to be able to run a Spring Boot web server that connects to other servers using the SSL protocol with self-signed certificates.

To do this I now have to specify the `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword` system properties when starting the application. I would like to be able to set this up using my `application.properties`, so that all configuration is in one place, and I can use the classpath to locate the trust store.

I can specify `server.ssl.trust-store` and `server.ssl.trust-store-password`, but this is not picked up without also specifying `server.ssl.key-store` and related properties. The main problem then becomes that the Spring Boot application will start with an HTTPS connector (and no HTTP connector), while actually I have no interest in running in HTTPS mode. The Spring Boot server just needs to connect to other servers with HTTPS.

My feature request is that you are able to set up a trust store without having to specify properties related to running the server in HTTPS mode.