tuweni / org.apache.tuweni.net.tls / TrustManagerFactories / trustClientOnFirstAccess

trustClientOnFirstAccess

static fun trustClientOnFirstAccess(knownClientsFile: Path!): TrustManagerFactory! (source)

Accept CA-signed client certificates, and otherwise trust client certificates on first access.

Except when a client presents a CA-signed certificate, on first connection to this server the common name and fingerprint of the presented certificate will be recorded. On subsequent connections, the client will be rejected if the fingerprint has changed.

Note: unlike the seemingly equivalent trustServerOnFirstUse(Path) method for authenticating servers, this method for authenticating clients is insecure and provides zero confidence in client identity. Unlike the server version, which bases the identity on the hostname and port the connection is being established to, the client version only uses the common name of the certificate that the connecting client presents. Therefore, clients can circumvent access control by using a different common name from any previously recorded client.
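To make the note concrete, here is an added illustration (not Tuweni code, and not how its FingerprintRepository is implemented) of the record-on-first-access check, keyed once the way the client variant keys it (by the common name the peer chooses) and once the way the server variant keys it (by host:port, chosen by the connecting side). Fingerprints are SHA-256 over freshly generated public keys, standing in for the SHA-256 of a real certificate; the names alice, mallory and example.com:443 are constructed for the example.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;

// Model of a first-access fingerprint store (illustration only, not Tuweni's class).
public class FirstAccessModel {

  static final class FirstAccessStore {
    private final Map<String, String> known = new HashMap<>();

    // Unknown identity: record the fingerprint and accept.
    // Known identity: accept only if the fingerprint is unchanged.
    synchronized boolean check(String identity, String fingerprint) {
      String recorded = known.putIfAbsent(identity, fingerprint);
      return recorded == null || recorded.equals(fingerprint);
    }
  }

  // SHA-256 of the encoded public key, used here in place of a certificate fingerprint.
  static String fingerprint(KeyPair kp) throws Exception {
    byte[] digest = MessageDigest.getInstance("SHA-256").digest(kp.getPublic().getEncoded());
    return HexFormat.of().formatHex(digest);
  }

  static KeyPair newKey() throws Exception {
    KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
    g.initialize(2048);
    return g.generateKeyPair();
  }

  public static void main(String[] args) throws Exception {
    KeyPair alice = newKey();
    KeyPair mallory = newKey();

    // Client variant: the identity is whatever CN the connecting client presents.
    // Presenting a different key under an already recorded CN fails the check,
    // but presenting any CN that has never been seen is recorded and accepted,
    // so the store never denies a client that simply picks a fresh name.
    FirstAccessStore clients = new FirstAccessStore();
    System.out.println("alice, first access:        " + clients.check("alice", fingerprint(alice)));
    System.out.println("alice, same key again:      " + clients.check("alice", fingerprint(alice)));
    System.out.println("mallory claiming CN=alice:  " + clients.check("alice", fingerprint(mallory)));
    System.out.println("mallory with a fresh CN:    " + clients.check("mallory", fingerprint(mallory)));

    // Server variant: the identity is the host:port the client connected to, which the
    // remote peer does not choose. An impostor answering on a recorded endpoint cannot
    // pick a new identity to be recorded under; its changed fingerprint is what gets compared.
    FirstAccessStore servers = new FirstAccessStore();
    KeyPair realServer = newKey();
    KeyPair impostor = newKey();
    System.out.println("example.com:443, first use: " + servers.check("example.com:443", fingerprint(realServer)));
    System.out.println("impostor on the same endpoint: " + servers.check("example.com:443", fingerprint(impostor)));
  }
}
```

Run it with `java FirstAccessModel.java` (Java 17 or later for HexFormat). The difference between the two halves is entirely in who chooses the key of the store: for servers it is the caller, for clients it is the peer being authenticated, which is why the client variant cannot be used for access control.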

Parameters

knownClientsFile - Path!: The path to the file containing fingerprints.

Return
TrustManagerFactory!: A trust manager factory.
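The following is an added example of wiring this overload into a plain javax.net.ssl server; it is not code from the Tuweni project. It assumes a PKCS#12 keystore `server.p12` with password `changeit` holding the server's own certificate and key, and a writable `known-clients.txt` for the recorded fingerprints; both file names are placeholders chosen for the example.

```java
import java.io.FileInputStream;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import org.apache.tuweni.net.tls.TrustManagerFactories;

public class TofuClientAuthServer {

  // Assumed inputs (placeholders, not from the page): the server's own keystore and
  // password, and the file in which client fingerprints are recorded.
  static SSLContext buildContext(Path serverKeyStore, char[] password, Path knownClientsFile)
      throws Exception {
    KeyStore ks = KeyStore.getInstance("PKCS12");
    try (FileInputStream in = new FileInputStream(serverKeyStore.toFile())) {
      ks.load(in, password);
    }
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, password);

    // The factory documented on this page: CA-signed client certificates are accepted,
    // anything else is recorded by CN and fingerprint on first access.
    TrustManagerFactory tmf = TrustManagerFactories.trustClientOnFirstAccess(knownClientsFile);

    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    return ctx;
  }

  public static void main(String[] args) throws Exception {
    SSLContext ctx = buildContext(
        Path.of("server.p12"), "changeit".toCharArray(), Path.of("known-clients.txt"));
    try (SSLServerSocket server =
        (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
      // Without this the handshake never asks for a client certificate, the trust
      // manager is never consulted, and no fingerprint is recorded or checked.
      server.setNeedClientAuth(true);
      while (true) {
        try (SSLSocket client = (SSLSocket) server.accept()) {
          client.startHandshake();
          // A completed handshake means the peer presented a CA-signed certificate, or a
          // certificate whose CN/fingerprint was newly recorded or matched the record.
          // Neither case establishes who the peer is, so any authorization decision
          // still has to be made here by the application.
          String peer = client.getSession().getPeerPrincipal().getName();
          System.out.println("handshake completed with " + peer);
        }
      }
    }
  }
}
```

Treat `known-clients.txt` as server-side security state: whatever is written there on first access is what later connections are compared against, so it needs the same file permissions and backup discipline as a credential store, and entries should be reviewed rather than assumed to represent legitimate clients.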

static fun trustClientOnFirstAccess(repository: FingerprintRepository!): TrustManagerFactory! (source)

Accept CA-signed client certificates, and otherwise trust client certificates on first access.

Except when a client presents a CA-signed certificate, on first connection to this server the common name and fingerprint of the presented certificate will be recorded. On subsequent connections, the client will be rejected if the fingerprint has changed.

Note: unlike the seemingly equivalent trustServerOnFirstUse(Path) method for authenticating servers, this method for authenticating clients is insecure and provides zero confidence in client identity. Unlike the server version, which bases the identity on the hostname and port the connection is being established to, the client version only uses the common name of the certificate that the connecting client presents. Therefore, clients can circumvent access control by using a different common name from any previously recorded client.

Parameters

repository - FingerprintRepository!: The repository containing fingerprints.

Return
TrustManagerFactory!: A trust manager factory.

static fun trustClientOnFirstAccess(knownClientsFile: Path!, acceptCASigned: Boolean): TrustManagerFactory! (source)

Trust client certificates on first access.

Unless acceptCASigned is true and the client presents a CA-signed certificate, on first connection to this server the common name and fingerprint of the presented certificate will be recorded. On subsequent connections, the client will be rejected if the fingerprint has changed.

Note: unlike the seemingly equivalent trustServerOnFirstUse(Path) method for authenticating servers, this method for authenticating clients is insecure and provides zero confidence in client identity. Unlike the server version, which bases the identity on the hostname and port the connection is being established to, the client version only uses the common name of the certificate that the connecting client presents. Therefore, clients can circumvent access control by using a different common name from any previously recorded client.

Parameters

knownClientsFile - Path!: The path to the file containing fingerprints.

acceptCASigned - Boolean: If true, CA-signed certificates will always be accepted.

Return
TrustManagerFactory!: A trust manager factory.

static fun trustClientOnFirstAccess(repository: FingerprintRepository!, acceptCASigned: Boolean): TrustManagerFactory! (source)

Trust client certificates on first access.

Unless acceptCASigned is true and the client presents a CA-signed certificate, on first connection to this server the common name and fingerprint of the presented certificate will be recorded. On subsequent connections, the client will be rejected if the fingerprint has changed.

Note: unlike the seemingly equivalent trustServerOnFirstUse(Path) method for authenticating servers, this method for authenticating clients is insecure and provides zero confidence in client identity. Unlike the server version, which bases the identity on the hostname and port the connection is being established to, the client version only uses the common name of the certificate that the connecting client presents. Therefore, clients can circumvent access control by using a different common name from any previously recorded client.

Parameters

repository - FingerprintRepository!: The repository containing fingerprints.

acceptCASigned - Boolean: If true, CA-signed certificates will always be accepted.

Return
TrustManagerFactory!: A trust manager factory.

static fun trustClientOnFirstAccess(knownClientsFile: Path!, tmf: TrustManagerFactory!): TrustManagerFactory! (source)

Accept client certificates that validate against the CA trust managers produced by tmf, and otherwise trust client certificates on first access.

Except when a client presents a CA-signed certificate, on first connection to this server the common name and fingerprint of the presented certificate will be recorded. On subsequent connections, the client will be rejected if the fingerprint has changed.

Note: unlike the seemingly equivalent trustServerOnFirstUse(Path) method for authenticating servers, this method for authenticating clients is insecure and provides zero confidence in client identity. Unlike the server version, which bases the identity on the hostname and port the connection is being established to, the client version only uses the common name of the certificate that the connecting client presents. Therefore, clients can circumvent access control by using a different common name from any previously recorded client.

Parameters

knownClientsFile - Path!: The path to the file containing fingerprints.

tmf - TrustManagerFactory!: A TrustManagerFactory for checking client certificates against a CA.

Return
TrustManagerFactory!: A trust manager factory.

static fun trustClientOnFirstAccess(repository: FingerprintRepository!, tmf: TrustManagerFactory!): TrustManagerFactory! (source)

Accept client certificates that validate against the CA trust managers produced by tmf, and otherwise trust client certificates on first access.

Except when a client presents a CA-signed certificate, on first connection to this server the common name and fingerprint of the presented certificate will be recorded. On subsequent connections, the client will be rejected if the fingerprint has changed.

Note: unlike the seemingly equivalent trustServerOnFirstUse(Path) method for authenticating servers, this method for authenticating clients is insecure and provides zero confidence in client identity. Unlike the server version, which bases the identity on the hostname and port the connection is being established to, the client version only uses the common name of the certificate that the connecting client presents. Therefore, clients can circumvent access control by using a different common name from any previously recorded client.

Parameters

repository - FingerprintRepository!: The repository containing fingerprints.

tmf - TrustManagerFactory!: A TrustManagerFactory for checking client certificates against a CA.

Return
TrustManagerFactory!: A trust manager factory.