by jspaur 5080 days ago
I know in the world of .NET (at least on Windows) it'll automatically check using the cert manager. Anyone know how this might work on platforms such as Java? I'd assume the local VM would need to have some OS-specific plumbing in place.
4 comments

The official Oracle/Sun JVM ships its own file-based certificate store containing the root certificates of authorities it trusts. It does not, at any time, interoperate with OS-wide stores, nor does it assume they might exist. This makes it fully portable, but of course adds a further burden in terms of maintenance.

Same for the JRockit JVM.

True, but if you're installing OpenJDK from Debian they have gone to the trouble of integrating it with the system-level certificate store, so it's much easier to manage.

The JDK comes with a program called keytool. You use keytool to build a "trust store". This is basically a collection of certs you trust. There is also a "key store" which contains your cert and its private key. Then when you run your app you must specify what key store and trust store to use.

I've seen Java, .NET and Perl code fail with self-signed or expired certificates, so I'm pretty certain they check.

Many servers are deployed using Linux, which doesn't have any cert manager (see citation in the blog).

But most distributions provide a list of trusted root CAs. For example, on Debian: /etc/ssl/certs/

What about with platforms such as Android? iOS? etc.

iOS and OS X both use the system store represented by the "system" keychain. (On the desktop, individual users can also have a keychain with trusted roots.) Apple keeps their root store up to date via software updates and automatic OCSP checks.

NSURLConnection, the higher-level resource API, will by default require a valid certificate chain, but provides for explicitly allowing an insecure connection as part of its authentication callbacks. (This is an improvement over previous versions (Leopard and before) where you had to explicitly specify hostnames that should be considered safe.)

So, certificate validation is treated, at the API level, like any other sort of authentication challenge.

You can also provide a client certificate using the same mechanism, if requested by the server.

Using the lower-level CFHTTP stream API, you can only fail the connection and reattempt it after disabling cert checking.
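
An added example, not part of the original thread, illustrating the Java comments above: it counts the roots the JVM trusts by default and, given a trust store file built with keytool, builds an `SSLContext` that validates only against that file. The class name `TrustStoreDemo` and its two command-line arguments are assumptions made for this illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;

// Added illustration; the class name and CLI arguments are assumptions.
public class TrustStoreDemo {

    // Build a trust manager from a KeyStore. Passing null makes the JVM fall back to
    // -Djavax.net.ssl.trustStore if set, otherwise to its bundled cacerts file.
    static X509TrustManager trustManagerFor(KeyStore roots) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(roots);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X.509 trust manager available");
    }

    // Load a trust store file produced with keytool.
    static KeyStore loadStore(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        String override = System.getProperty("javax.net.ssl.trustStore");
        System.out.println("Trust store source: " + (override != null
                ? override : "JVM default under " + System.getProperty("java.home")));
        System.out.println("Default trusted roots: "
                + trustManagerFor(null).getAcceptedIssuers().length);

        if (args.length == 2) { // usage: java TrustStoreDemo <truststore-file> <password>
            X509TrustManager custom =
                    trustManagerFor(loadStore(Paths.get(args[0]), args[1].toCharArray()));
            System.out.println("Custom trusted roots: " + custom.getAcceptedIssuers().length);
            // Connections made from this context validate only against the custom roots.
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, new TrustManager[] { custom }, null);
            System.out.println("SSLContext ready, protocol: " + ctx.getProtocol());
        }
    }
}
```

Run without arguments, it reports only the JVM's default roots; a custom trust store replaces those roots rather than extending them.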