Trouble with HTTPS connection (certificate problem)
Hello,
I know this is a FAQ, but after searching, reading, and trying several things, I am still running into this problem. Thanks in advance for your help.
I'm attempting to connect to a server via HTTPS from a Java client. I have downloaded the server's certificate using IE and saved it in a file. I have (I believe) imported the certificate into my keystore:
keytool -keystore ~/.keystore -import -file FOO.cer -alias BAR -trustcacerts
keytool -list does show the certificate is in the ~/.keystore file.
I execute my Java client with options
-Djavax.net.ssl.keyStore=/path/to/.keystore
-Djavax.net.ssl.keyStorePassword=***
When I try to connect via HTTPS, I get two errors: one for an expired certificate (which I expected, because the certificate is indeed expired, and I am trying to solve that separately by installing a custom SSL socket factory), and the second error is "java.security.cert.CertificateException: Untrusted Server Certificate Chain", which I didn't expect.
I have also tried putting
-Djavax.net.ssl.trustStore=/usr/java/jdk1.5.0_06/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=***
on the command line -- no effect. What else can I try?
I have also implemented a custom SSL socket factory and custom trust manager in an attempt to work around the expired certificate, and in the Java client put
java.security.Security.setProperty ("ssl.SocketFactory.provider", "my.customFactory");
and also tried -Dssl.SocketFactory.provider=my.customFactory, both to no effect. What else can I try here?
Do I also need a setting for the trust manager?
Thanks a lot for your help.
Robert Dodier
robert.dodier (153)
6/20/2006 10:18:32 PM
robert.dodier@gmail.com wrote:
> I'm attempting to connect to a server via HTTPS from a Java client.
> I have downloaded the server's certificate using IE and saved it in a
> file.
> I have (I believe) imported the certificate into my keystore:
>
> keytool -keystore ~/.keystore -import -file FOO.cer -alias BAR
> -trustcacerts
>
> keytool -list does show the certificate is in the ~/.keystore file.
>
> I execute my Java client with options
>
> -Djavax.net.ssl.keyStore=/path/to/.keystore
> -Djavax.net.ssl.keyStorePassword=***
All the above should refer to 'truststore' instead of 'keystore'
including the system property name. A keystore is a source for your
*own* cert when sending to others; a truststore is a place to check
incoming certs against.
> I have also tried putting
> -Djavax.net.ssl.trustStore=/usr/java/jdk1.5.0_06/jre/lib/security/cacerts
> -Djavax.net.ssl.trustStorePassword=***
> on the command line -- no effect. What else can I try?
But have you put the server's cert into there? That's where it belongs.
> java.security.Security.setProperty ("ssl.SocketFactory.provider",
> "my.customFactory");
>
> and also tried -Dssl.SocketFactory.provider=my.customFactory, both
> to no effect. What else can I try here?
You don't need to do this. Just get yourself an SSLContext and
initialize it appropriately with implementations of your own
TrustManager, then get your SSLSocketFactory/SSLServerSocketFactory from
that SSLContext. There's some guidance on this in the Javadoc Guide to
Features/Security/JSSE Reference.
EJP
6/21/2006 5:44:34 AM
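The SSLContext-plus-TrustManager approach EJP describes, as an added example that is not code from this thread or from EJP: the server's certificate is read from a dedicated truststore file (the file keytool -import wrote to), the JDK's own PKIX trust manager is wrapped so that a rejection logs the chain's subjects and validity dates instead of being hidden, and the resulting socket factory is handed straight to HttpsURLConnection, so no ssl.SocketFactory.provider setting is involved. The class and method names are my own; the program takes the HTTPS URL, truststore path and truststore password as its three command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
public class TrustStoreClient {
    // Wraps the JDK's PKIX trust manager: every trust decision is still made by the
    // delegate; on rejection the offending chain is logged and the failure is kept.
    static final class LoggingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        LoggingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            try {
                delegate.checkServerTrusted(chain, authType);
            } catch (CertificateException e) {
                for (X509Certificate c : chain) {
                    System.err.println("rejected: " + c.getSubjectX500Principal()
                        + " (valid " + c.getNotBefore() + " to " + c.getNotAfter() + ")");
                }
                throw e; // fail closed: an expired or untrusted chain stays rejected
            }
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }
    // Builds an SSLContext that trusts exactly the certificates in the given truststore
    // file (a keystore file holding trusted certs, such as the one keytool -import wrote).
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try { ts.load(in, password); } finally { in.close(); }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        X509TrustManager pkix = (X509TrustManager) tmf.getTrustManagers()[0]; // PKIX manager
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new LoggingTrustManager(pkix) }, null);
        return ctx;
    }
    // args: https URL, truststore path, truststore password (hypothetical CLI of this example)
    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFromTrustStore(args[1], args[2].toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // no ssl.SocketFactory.provider needed
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

With the server's certificate in the truststore the handshake succeeds; with it missing, or expired, the log line names the certificate and its notBefore/notAfter dates and the connection still fails.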
EJP wrote:
> robert.dodier@gmail.com wrote:
>
>> I'm attempting to connect to a server via HTTPS from a Java client.
>> I have downloaded the server's certificate using IE and saved it in a
>> file.
>> I have (I believe) imported the certificate into my keystore:
>>
>> keytool -keystore ~/.keystore -import -file FOO.cer -alias BAR
>> -trustcacerts
>>
>> keytool -list does show the certificate is in the ~/.keystore file.
>>
>> I execute my Java client with options
>>
>> -Djavax.net.ssl.keyStore=/path/to/.keystore
>> -Djavax.net.ssl.keyStorePassword=***
>
> All the above should refer to 'truststore' instead of 'keystore'
> including the system property name. A keystore is a source for your
> *own* cert when sending to others; a truststore is a place to check
> incoming certs against.
>
>> I have also tried putting
>> -Djavax.net.ssl.trustStore=/usr/java/jdk1.5.0_06/jre/lib/security/cacerts
>> -Djavax.net.ssl.trustStorePassword=***
>> on the command line -- no effect. What else can I try?
>
> But have you put the server's cert into there? That's where it belongs.
>
>> java.security.Security.setProperty ("ssl.SocketFactory.provider",
>> "my.customFactory");
>>
>> and also tried -Dssl.SocketFactory.provider=my.customFactory, both
>> to no effect. What else can I try here?
>
> You don't need to do this. Just get yourself an SSLContext and
> initialize it appropriately with implementations of your own
> TrustManager, then get your SSLSocketFactory/SSLServerSocketFactory from
> that SSLContext. There's some guidance on this in the Javadoc Guide to
> Features/Security/JSSE Reference.
For what it is worth, there is a short program demonstrating various
aspects of the Java SSL implementation (with some 1.5 specific features)
on my website at <http://dawes.za.net/rogan/PKCS11Test.java>
It demonstrates using a PKCS#11 provider, using a TrustManager, using a
KeyManager, using a HostnameVerifier, etc.
Some of it may be useful to you.
However, I think that EJP's hit the nail on the head, with the
truststore vs keystore.
Rogan
Rogan
6/21/2006 7:22:37 AM