Dear All,
I use JSSE to implement a proxy server which support http/https.
However, I find my code can't support some secure site which provide a
certificate which doesn't signed by CA.
and here is the error message:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate
found
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA12275)
at Proxy.SSLNegotiation.startNegotiation(SSLNegotiation.java:101)
at Proxy.SSLProxyProcess.makeNegotiation(SSLProxyProcess.java:383)
at Proxy.SSLProxyProcess.run(SSLProxyProcess.java:83)
at Proxy.ProxyProcess.run(ProxyProcess.java:107)
Caused by: sun.security.validator.ValidatorException: No trusted
certificate found
at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
at sun.security.validator.Validator.validate(Validator.java:202)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA12275)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA12275)
... 10 more
java.net.SocketException: Socket is closed
at java.net.Socket.setSoTimeout(Socket.java:920)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(DashoA12275)
at Proxy.HttpResp.<init>(HttpResp.java:53)
at Proxy.SSLProxyProcess.makeNegotiation(SSLProxyProcess.java:385)
at Proxy.SSLProxyProcess.run(SSLProxyProcess.java:83)
at Proxy.ProxyProcess.run(ProxyProcess.java:107)
what should i do to accept the self-sign certificate?
Thank,
Jake
Here is my code.
package Proxy;
import java.io.IOException;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
public class SSLNegotiation {
private Socket socket = null;
private String host = null;
private int port;
private String keyStore = null;
private char keyStorePass[] = null;
private char keyPassword[] = null;
private String sslContextInst = null;
private String keyStoreInst = null;
private String keyManagerFactoryInst = null;
private String trustManagerFactoryInst = null;
public SSLNegotiation(Socket socket) {
this.socket = socket;
host = socket.getInetAddress().getHostName();
port = socket.getPort();
}
public SSLNegotiation(String host, int port) {
this.host = host;
this.port = port;
}
public SSLNegotiation(Socket socket, String host, int port) {
this.socket = socket;
this.host = host;
this.port = port;
}
public void importKeyStore(String ks, String ksp) {
importKeyStore(ks, ksp, ksp);
}
public void importKeyStore(String ks, String ksp, String kp) {
keyStore = ks;
keyStorePass = ksp.toCharArray();
keyPassword = kp.toCharArray();
}
public void setInstance(String content, String ks, String kmf, String
tmf) {
sslContextInst = content;
keyStoreInst = ks;
keyManagerFactoryInst = kmf;
trustManagerFactoryInst = tmf;
}
public Socket startNegotiation(boolean connectServer) {
KeyStore ks = null;
KeyManagerFactory kmf = null;
SSLContext sslContext = null;
SSLSocket sslSocket = null;
try {
ks = KeyStore.getInstance(keyStoreInst);
ks.load(this.getClass().getResourceAsStream(keyStore),
keyStorePass);
kmf = KeyManagerFactory.getInstance(keyManagerFactoryInst);
kmf.init(ks, keyPassword);
sslContext = SSLContext.getInstance(sslContextInst);
if (trustManagerFactoryInst == null)
sslContext.init(kmf.getKeyManagers(), null, null);
else {
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(trustManagerFactoryInst);
tmf.init(ks);
sslContext.init(kmf.getKeyManagers(),
tmf.getTrustManagers(),
new java.security.SecureRandom());
}
SSLSocketFactory factory = sslContext.getSocketFactory();
if (socket != null)
sslSocket = (SSLSocket) factory.createSocket(socket, host, port,
false);
else
sslSocket = (SSLSocket) factory.createSocket(host, port);
sslSocket.setUseClientMode(connectServer);
sslSocket.setEnabledCipherSuites(sslSocket.getSupportedCipherSuites());
if (connectServer)
sslSocket.startHandshake();
} catch (UnknownHostException uhe) {
uhe.printStackTrace();
} catch (IOException ioe) {
ioe.printStackTrace();
} catch (Exception e) {
e.printStackTrace();
} finally {
return sslSocket;
}
}
}
|
|
0
|
|
|
|
Reply
|
 ping0613 (10)
|
1/14/2005 9:30:43 AM |
|
Jakekeke wrote:
> Dear All,
>
> I use JSSE to implement a proxy server which support http/https.
> However, I find my code can't support some secure site which provide a
> certificate which doesn't signed by CA.
>
>
> what should i do to accept the self-sign certificate?
>
> Thank,
> Jake
Hi Jake,
Because you are basically duplicating what I did in WebScarab, I suggest
that you check the source code for URLFetcher.java in the WebScarab
source code (on Sourceforge). I think you have looked at it before . . .
But to save you some time, here are the relevant snippets below.
Regards,
Rogan
// Create a trust manager that does not validate certificate chains
private static TrustManager[] _trustAllCerts = new TrustManager[]{
new X509TrustManager() {
public java.security.cert.X509Certificate[]
getAcceptedIssuers() {
return null;
}
public void
checkClientTrusted(java.security.cert.X509Certificate[] certs, String
authType) {
}
public void
checkServerTrusted(java.security.cert.X509Certificate[] certs, String
authType) {
}
}
};
private static void initSSLSocketFactory(KeyManager[] managers) {
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(managers, _trustAllCerts, new
java.security.SecureRandom());
_factory = (SSLSocketFactory)sc.getSocketFactory();
} catch (NoSuchAlgorithmException nsae) {
_logger.severe("NoSuchAlgorithmException setting up SSL
support: " + nsae);
_factory = null;
} catch (KeyManagementException kme) {
_logger.severe("KeyManagementException setting up SSL
support: " + kme);
_factory = null;
}
}
--
Rogan Dawes
*ALL* messages to discard@dawes.za.net will be dropped, and added
to my blacklist. Please respond to "nntp AT dawes DOT za DOT net"
|
|
|
0
|
|
|
|
Reply
|
 Rogan
|
1/14/2005 11:24:54 AM
|
|
Rogan Dawes wrote:
> Jakekeke wrote:
>
>> Dear All,
>>
>> I use JSSE to implement a proxy server which support http/https.
>> However, I find my code can't support some secure site which provide a
>> certificate which doesn't signed by CA.
>>
>
>>
>> what should i do to accept the self-sign certificate?
>>
>> Thank,
>> Jake
>
>
> Hi Jake,
>
> Because you are basically duplicating what I did in WebScarab, I suggest
> that you check the source code for URLFetcher.java in the WebScarab
> source code (on Sourceforge). I think you have looked at it before . . .
>
> But to save you some time, here are the relevant snippets below.
>
> Regards,
>
> Rogan
>
> // Create a trust manager that does not validate certificate chains
> private static TrustManager[] _trustAllCerts = new TrustManager[]{
> new X509TrustManager() {
> public java.security.cert.X509Certificate[]
> getAcceptedIssuers() {
> return null;
> }
> public void
> checkClientTrusted(java.security.cert.X509Certificate[] certs, String
> authType) {
> }
> public void
> checkServerTrusted(java.security.cert.X509Certificate[] certs, String
> authType) {
> }
> }
> };
>
>
> private static void initSSLSocketFactory(KeyManager[] managers) {
> try {
> SSLContext sc = SSLContext.getInstance("SSL");
> sc.init(managers, _trustAllCerts, new
> java.security.SecureRandom());
> _factory = (SSLSocketFactory)sc.getSocketFactory();
> } catch (NoSuchAlgorithmException nsae) {
> _logger.severe("NoSuchAlgorithmException setting up SSL
> support: " + nsae);
> _factory = null;
> } catch (KeyManagementException kme) {
> _logger.severe("KeyManagementException setting up SSL
> support: " + kme);
> _factory = null;
> }
> }
>
There is an example at this page, as well:
http://jcaldwel.blogspot.com/2005/01/custom-x509trustmanager-java-to-trust.html
|
|
|
0
|
|
|
|
Reply
|
Jon
|
1/14/2005 2:24:06 PM
|
|
Create a keystore which contains the public key of the Server and
try to set the following property.
System.setProperty("javax.net.ssl.trustStore", keystoreLocation);
Jakekeke wrote:
> Dear All,
>
> I use JSSE to implement a proxy server which support http/https.
> However, I find my code can't support some secure site which provide a
> certificate which doesn't signed by CA.
>
> and here is the error message:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: No trusted certificate
> found
> at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA12275)
> at Proxy.SSLNegotiation.startNegotiation(SSLNegotiation.java:101)
> at Proxy.SSLProxyProcess.makeNegotiation(SSLProxyProcess.java:383)
> at Proxy.SSLProxyProcess.run(SSLProxyProcess.java:83)
> at Proxy.ProxyProcess.run(ProxyProcess.java:107)
> Caused by: sun.security.validator.ValidatorException: No trusted
> certificate found
> at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
> at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
> at sun.security.validator.Validator.validate(Validator.java:202)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA12275)
> at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA12275)
> ... 10 more
> java.net.SocketException: Socket is closed
> at java.net.Socket.setSoTimeout(Socket.java:920)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(DashoA12275)
> at Proxy.HttpResp.<init>(HttpResp.java:53)
> at Proxy.SSLProxyProcess.makeNegotiation(SSLProxyProcess.java:385)
> at Proxy.SSLProxyProcess.run(SSLProxyProcess.java:83)
> at Proxy.ProxyProcess.run(ProxyProcess.java:107)
>
> what should i do to accept the self-sign certificate?
>
> Thank,
> Jake
>
>
> Here is my code.
>
>
> package Proxy;
> import java.io.IOException;
> import java.net.Socket;
> import java.net.UnknownHostException;
> import java.security.KeyStore;
>
> import javax.net.ssl.KeyManagerFactory;
> import javax.net.ssl.SSLContext;
> import javax.net.ssl.SSLSocket;
> import javax.net.ssl.SSLSocketFactory;
> import javax.net.ssl.TrustManagerFactory;
>
> public class SSLNegotiation {
> private Socket socket = null;
> private String host = null;
> private int port;
> private String keyStore = null;
> private char keyStorePass[] = null;
> private char keyPassword[] = null;
> private String sslContextInst = null;
> private String keyStoreInst = null;
> private String keyManagerFactoryInst = null;
> private String trustManagerFactoryInst = null;
>
> public SSLNegotiation(Socket socket) {
> this.socket = socket;
> host = socket.getInetAddress().getHostName();
> port = socket.getPort();
> }
>
> public SSLNegotiation(String host, int port) {
> this.host = host;
> this.port = port;
> }
>
> public SSLNegotiation(Socket socket, String host, int port) {
> this.socket = socket;
> this.host = host;
> this.port = port;
> }
>
> public void importKeyStore(String ks, String ksp) {
> importKeyStore(ks, ksp, ksp);
> }
>
> public void importKeyStore(String ks, String ksp, String kp) {
> keyStore = ks;
> keyStorePass = ksp.toCharArray();
> keyPassword = kp.toCharArray();
> }
>
> public void setInstance(String content, String ks, String kmf, String
> tmf) {
> sslContextInst = content;
> keyStoreInst = ks;
> keyManagerFactoryInst = kmf;
> trustManagerFactoryInst = tmf;
> }
>
> public Socket startNegotiation(boolean connectServer) {
> KeyStore ks = null;
> KeyManagerFactory kmf = null;
> SSLContext sslContext = null;
> SSLSocket sslSocket = null;
>
> try {
> ks = KeyStore.getInstance(keyStoreInst);
> ks.load(this.getClass().getResourceAsStream(keyStore),
> keyStorePass);
> kmf = KeyManagerFactory.getInstance(keyManagerFactoryInst);
> kmf.init(ks, keyPassword);
> sslContext = SSLContext.getInstance(sslContextInst);
> if (trustManagerFactoryInst == null)
> sslContext.init(kmf.getKeyManagers(), null, null);
> else {
> TrustManagerFactory tmf =
> TrustManagerFactory.getInstance(trustManagerFactoryInst);
> tmf.init(ks);
> sslContext.init(kmf.getKeyManagers(),
> tmf.getTrustManagers(),
> new java.security.SecureRandom());
> }
>
> SSLSocketFactory factory = sslContext.getSocketFactory();
>
> if (socket != null)
> sslSocket = (SSLSocket) factory.createSocket(socket, host, port,
> false);
> else
> sslSocket = (SSLSocket) factory.createSocket(host, port);
>
> sslSocket.setUseClientMode(connectServer);
> sslSocket.setEnabledCipherSuites(sslSocket.getSupportedCipherSuites());
> if (connectServer)
> sslSocket.startHandshake();
>
> } catch (UnknownHostException uhe) {
> uhe.printStackTrace();
> } catch (IOException ioe) {
> ioe.printStackTrace();
> } catch (Exception e) {
> e.printStackTrace();
> } finally {
> return sslSocket;
> }
> }
> }
|
|
|
0
|
|
|
|
Reply
|
Sebastian
|
1/18/2005 8:47:09 AM
|
|
> Create a keystore which contains the public key of the Server and
> try to set the following property.
> System.setProperty("javax.net.ssl.trustStore", keystoreLocation);
and System.setProperty("javax.net.ssl.trustStorePassword",password);
if necessary.
regards,
artur
|
|
|
0
|
|
|
|
Reply
|
Artur
|
1/23/2005 6:47:16 PM
|
|
|
4 Replies
417 Views
(page loaded in 0.147 seconds)
|
Search |
Post Question |
Groups |
Stream |
About |
Register
1258 articles. 
2 followers. 