signed certificate verification procedure with SSL?

I have a client/server SSL socket implementation in Java, where a self-signed certificate has been generated and imported into the client truststore. The server has a copy of the self-signed certificate in its keystore.

The cipher suite agreed is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, which is an elliptic Diffie-Hellman variant. The self-signed certificate uses an RSA keypair, and the public key is listed on the certificate for encryption.

What I'm not completely sure about is how the client validation process with self-signed certificates works in Java. I understand how TLS typically verifies a certificate; using the CA's public key on its signature, then comparing the decrypted hash against a generated thumbprint.

How is the signature verified using self-signed certificates? I'm debugging on the client side in Java (using parameters -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol -Djavax.net.debug=ssl) and I see no mention of a self-signed public key for decrypting the signature, or a thumbprint hash. The certificate signatures and public RSA key are certainly mentioned though.

Many thanks.


The client verifies the signature using the public key of the server as supplied in the server certificate. Only the owner of that certificate has the corresponding private key, so only the certificate owner can produce a valid signature that can be verified via the public key in the certificate. So this proves ownership of the certificate. The fact that the certificate is self-signed has nothing to do with it at this stage.
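
The check described in the answer, as an added example that is not part of the original post: a simplified model of the signature a server sends in an ECDHE_RSA handshake and the client-side verification with the public key from the trusted certificate. Assumptions: freshly generated RSA keys stand in for the certificate's key pair, SHA256withRSA is used as the signature algorithm, and the X.509-encoded EC public key stands in for the real ServerECDHParams encoding; the class and method names are made up for the illustration.

```java
import java.nio.ByteBuffer;
import java.security.*;
import java.security.spec.ECGenParameterSpec;

public class EcdheRsaSignatureDemo {
    // Bytes covered by the server's signature: both randoms plus the server's ephemeral ECDH parameters.
    static byte[] signedInput(byte[] clientRandom, byte[] serverRandom, byte[] ecdhParams) {
        return ByteBuffer.allocate(clientRandom.length + serverRandom.length + ecdhParams.length)
                .put(clientRandom).put(serverRandom).put(ecdhParams).array();
    }

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
        rsa.initialize(2048);
        KeyPair certKey = rsa.generateKeyPair();   // stand-in for the key pair behind the self-signed certificate
        KeyPair otherKey = rsa.generateKeyPair();  // a key pair whose certificate is NOT in the client truststore

        KeyPairGenerator ec = KeyPairGenerator.getInstance("EC");
        ec.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair serverEph = ec.generateKeyPair();  // server's ephemeral ECDH key for this handshake
        KeyPair swappedEph = ec.generateKeyPair(); // ephemeral key substituted in transit

        SecureRandom rnd = new SecureRandom();
        byte[] clientRandom = new byte[32], serverRandom = new byte[32];
        rnd.nextBytes(clientRandom);
        rnd.nextBytes(serverRandom);
        byte[] input = signedInput(clientRandom, serverRandom, serverEph.getPublic().getEncoded());
        byte[] sig = sign(certKey.getPrivate(), input);

        // The client verifies with the public key taken from the certificate it trusts.
        System.out.println("holder of the private key:  " + verify(certKey.getPublic(), input, sig));
        // Signed with a different private key: rejected.
        System.out.println("different private key:      " + verify(certKey.getPublic(), input, sign(otherKey.getPrivate(), input)));
        // Same signature, but the ephemeral ECDH key was replaced: rejected.
        byte[] altered = signedInput(clientRandom, serverRandom, swappedEph.getPublic().getEncoded());
        System.out.println("replaced ephemeral key:     " + verify(certKey.getPublic(), altered, sig));
    }
}
```

Only the first check prints true; the other two print false because the signature no longer matches the trusted public key or the signed handshake data.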
