I have built an Acceptor using QFJ, and wanted to add another layer of protection when a client connects to my engine, so I added:
SocketUseSSL=Y
NeedClientAuth=Y
SocketKeyStore=server.jks
SocketKeyStorePassword=****
To create this jks file I used:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -keystore server.jks -validity 3650
I also created a server.cer file using the command:
keytool -export -alias server -file server.cer -keystore server.jks -validity 3650
To test that it is working I built a small Initiator engine and used the configuration:
SocketUseSSL=Y
SocketKeyStore=client.jks
SocketKeyStorePassword=****
To create the client.jks I used:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias client -keystore client.jks -validity 3650
keytool -export -alias client -file client.cer -keystore client.jks -validity 3650
I then imported the client's client.cer file into my server.jks using:
keytool -import -v -trustcacerts -alias client -file client.cer -keystore server.jks
I tested it and all worked perfectly: the client was able to connect to the server, and I also tested that when the client does not send a cert (SocketUseSSL=N) it is unable to connect.
The problem is that when I change the client jks file to another cert (client2.jks), the client is still able to connect to the server even though I did not import the new cert file (client2.cer) into the server.jks file.
Can someone please shed some light on how the SSL logic and handshake work? Is the logic of my SSL step correct?
Thanks.
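To see whether a given truststore would accept a given client certificate the way a TLS server's trust manager does, here is a small stand-alone check (an added example, not part of the question or of QuickFIX/J); it assumes the file names above (server.jks as the truststore, client.cer and client2.cer as the presented certificates) and that the acceptor really consults server.jks for client trust, which depends on its truststore setting (QFJ's SocketTrustStore), not shown above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Usage: java TrustCheck server.jks <password> client2.cer
// Builds the same kind of X509TrustManager a JSSE server uses for
// NeedClientAuth and asks it whether the given certificate is trusted.
public class TrustCheck {
    // Returns true if the truststore accepts the certificate as a client cert.
    static boolean isClientTrusted(String trustStore, char[] password, String certFile)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStore)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // trust anchors = the certificate entries in the keystore
        X509TrustManager tm = null;
        for (TrustManager t : tmf.getTrustManagers()) {
            if (t instanceof X509TrustManager) { tm = (X509TrustManager) t; break; }
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certFile)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        try {
            // A self-signed cert that was imported into the store is accepted
            // because it matches a trust anchor exactly; an unknown one is not.
            tm.checkClientTrusted(new X509Certificate[]{cert}, "RSA");
            return true;
        } catch (CertificateException e) {
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean ok = isClientTrusted(args[0], args[1].toCharArray(), args[2]);
        System.out.println(args[2] + (ok ? " TRUSTED by " : " NOT trusted by ") + args[0]);
    }
}
```

If this reports client2.cer as not trusted by server.jks while the acceptor still lets client2 connect, the acceptor is not validating against server.jks, so the truststore configuration is the place to look.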