Certificate expired but the connection is still established

shell...@gmail.com

Dec 15, 2016, 9:16:49 AM
to vert.x
Hi,
I have two applications. Application A is the client of application B and connects using io.vertx.core.http.HttpClient with the following options:
HttpClientOptions options = new HttpClientOptions()
            .setSsl(true)
            .setPemTrustOptions(new PemTrustOptions().addCertPath("ssl/cert.pem"))
            .setDefaultHost(SERVER_HOST)
            .setDefaultPort(SERVER_PORT)
            .setKeepAlive(true)
            .setReuseAddress(true)
            .setTcpKeepAlive(true)
            .setConnectTimeout(10000)
            .setIdleTimeout(0)
            .setReceiveBufferSize(212992)
            .setSendBufferSize(212992)
            .setMaxPoolSize(100);


Application B, which is the server, uses the following options:
HttpServerOptions options = new HttpServerOptions()
            .setSsl(true)
            .setPfxKeyCertOptions(new PfxOptions()
                    .setPath("ssl/server.pfx")
                    .setPassword(SSL_PASS));

The server certificate is a real certificate signed by a known CA.

The problem:
The certificate expired two weeks ago and the client is still able to establish a connection to the server.

Is there something missing in the client's configuration?
I'm not sure what is happening behind the scenes. Can you point me to the code that checks the expiration date?


Thanks,
Shelly

Julien Viet

Dec 15, 2016, 3:10:46 PM
to ve...@googlegroups.com
Hi,

This is done by Java SSL. You should enable SSL debugging as explained here: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html

Julien



shell...@gmail.com

Dec 18, 2016, 7:30:10 AM
to vert.x
Hi Julien, thanks for the quick response!
I've enabled the debugging and it helped me to understand what's going on.
For some reason, we've assumed that if we're uploading the certificate to the client as above, we'll get certificate pinning for free.
After some digging into the JSSE documentation, I realized that the assumption was probably wrong.
So my next question is: does vertx support certificate pinning? If so, can you point me to a source example?

Shelly

Julien Viet

Dec 18, 2016, 6:55:33 PM
to ve...@googlegroups.com
No, it does not support it (so far).
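
The two checks this thread asks about (certificate expiry and pinning) can be written against plain JSSE. The following is an added example, not code from the thread or from the Vert.x project: a hypothetical `PinningTrustManager` class that runs the default chain validation, then explicitly enforces the leaf certificate's validity dates and compares its public-key hash with that of the trusted PEM. It assumes the `ssl/cert.pem` path from the first post; wiring the resulting `SSLContext` into Vert.x is not shown.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.*;
import java.util.Base64;
import javax.net.ssl.*;

// Hypothetical class (added example): default chain checks + explicit expiry check + public-key pin.
public final class PinningTrustManager implements X509TrustManager {
    private final X509TrustManager delegate; // default validation against the trusted certificate
    private final byte[] pin;                // SHA-256 of the trusted certificate's encoded public key

    public PinningTrustManager(X509Certificate trusted) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory trust store
        ks.setCertificateEntry("pinned", trusted);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        this.delegate = (X509TrustManager) tmf.getTrustManagers()[0];
        this.pin = spkiHash(trusted);
    }

    static byte[] spkiHash(X509Certificate c) throws CertificateException {
        try { return MessageDigest.getInstance("SHA-256").digest(c.getPublicKey().getEncoded()); }
        catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        delegate.checkServerTrusted(chain, authType);
        chain[0].checkValidity(); // rejects an expired or not-yet-valid leaf certificate
        if (!MessageDigest.isEqual(pin, spkiHash(chain[0]))) throw new CertificateException("public key does not match pin");
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client certificates are not accepted by this trust manager");
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args.length > 0 ? args[0] : "ssl/cert.pem")) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            SSLContext ctx = SSLContext.getInstance("TLS"); // usable wherever an SSLContext is accepted
            ctx.init(null, new TrustManager[] { new PinningTrustManager(cert) }, null);
            System.out.println("pin sha256/" + Base64.getEncoder().encodeToString(spkiHash(cert)));
            System.out.println("notAfter " + cert.getNotAfter());
        }
    }
}
```

Pinning the public key rather than the whole certificate lets a renewed certificate that reuses the same key pair keep working, while the explicit `checkValidity()` call still fails the handshake once the certificate expires.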
