IT WORKS, IT WORKS, IT WORKS.
this is the end of a two day nightmare putting in place ssl with jsse.
In my previous email attached here, everthing was fine ... exept that
keytool did not put the info where I wanted :
It put it in .keystore in my home directory :
mv .keystore $JAVA_HOME/lib/security/cacerts
There is an option in keytool to specify it at the command prompt :
-keystore cacerts ( jssecacerts)
keystore -list now matches keytool -list -keystore cacerts.
The second thing is that the file is password protected.
added the following code :
java.security.Security.addProvider(new
com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("java.protocol.handler.pkgs",
"com.sun.net.ssl.internal.www.protocol");
System.setProperty("javax.net.debug", "all");
/* System.setProperty("javax.net.ssl.keyStore","/tmp/keystore");
keystore is for use with a trus manager */
System.setProperty("javax.net.ssl.trustStorePassword","password");
/* X509TrustManager tm = new MyX509TrustManager();
KeyManager []km = null;
TrustManager []tma = {tm};
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(km,tma,new java.security.SecureRandom());
// SSLSocketFactory sf1 = sc.getSocketFactory();
*/
URL url = new URL(strhost);
URLConnection uc = (URLConnection)url.openConnection();
More info at http://java.sun.com/products/jsse/CHANGES.txt
I've seen this problem posted since September 1999 without answer in the
sun java forums.
I will post here a troubleshooting script containing all the problems
I've been facing.
( problems to insert self trusted root certificates with keytool,
playing with certificate formats, writing servlet code, debugging with
s_client and
javax.net.debug.).
Thanks to the members of this mailing for this great mailing list.
Manu.
>
> Hi everybody,
> I hope it's the right place to post this question :
>
> It's related to jsse, keytool and openssl : I cannot have a servlet
> which ssl implementation is jsse work against an openssl server ( apache
> + mod_ssl )
>
> I have a servlet ( client ) that opens a ssl connection to another
> servlet ( server )
>
> "ssl" client code :
> java.security.Security.addProvider(new
> com.sun.net.ssl.internal.ssl.Provider());
> System.setProperty("java.protocol.handler.pkgs",
> "com.sun.net.ssl.internal.www.protocol");
> System.setProperty("javax.net.debug", "all");
> URL url = new URL(strhost);
> URLConnection uc = (URLConnection)url.openConnection();
>
> the server servlet is under an apache directive with mod_ssl enabled
> and has no specific ssl java code : ssl connection is handled by
> apache+mod_ssl
>
> I generated my own cert CA Authority which signed my server certificate
> request :
> openssl genrsa -des -out ca.key 1024
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> openssl genrsa -des3 -out server.key 1024
> openssl req -new -key server.key -out server.csr
> sign server.csr
>
> restart apache
> https://myurl : Ok : new certificate window prompt. I can install it in
> a browser.
>
> Now I try to access an url from my client servlet :
> First setup jsse and default provider: ok
> import ca certificate into cacert with keytool :
> openssl x509 -in ca.crt -out ca.der -outform DER
> keytool -import -trustcacerts -alias mycatest -file ca.der ( keytool
> accept x509 certificates)
>
> import server certificate : ( because with the ca certificate it did
> not work )
> openssl x509 -in servera.crt -out server.der -outform DER
> keytool -import -trustcacerts -alias mycatest -file server.der
>
> keytool -list shows the two certificates.
>
> Connection with : openssl s_client -connect localhost:443 -state -debug
> depth=1 /C=FR/ST=france/L=paris/O=mycompany/OU=par/CN=Emmanuel
> [EMAIL PROTECTED]
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> SSL_connect:SSLv3 read server certificate A
> ...
> ---
> Certificate chain
> 0
> s:[EMAIL PROTECTED]
>
> i:[EMAIL PROTECTED]
> 1 s:/C=FR/ST=france/L=paris/O=mycompany/OU=par/CN=nickaname
> [EMAIL PROTECTED]
> i:/C=FR/ST=france/L=paris/O=mycompany/OU=par/CN=nickaname
> [EMAIL PROTECTED]
> ---
> No client certificate CA names sent
>
> New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
> Server public key is 512 bit
> SSL-Session:
> Protocol : TLSv1
> Cipher : EDH-RSA-DES-CBC3-SHA
> Session-ID:
> 610AF250BF396265C16FC34774F5AD3C7392DBCFFDF3F0336D61F1CA2251917C
> Session-ID-ctx:
> Master-Key:
>
>EB3C8F5C1E6B04DB527E0EBB802CA7C6224AC77944C9FC6C342D26C0970C3509FF28DB40837BA5AB368A7BDE3D402D0A
> Key-Arg : None
> Start Time: 966719686
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
>
> Connection with servlet / jsse :
> Compression Method: 0
> ***
> %% Created: [Session-1, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
> ** SSL_RSA_EXPORT_WITH_RC4_40_MD5
> [read] MD5 and SHA1 hashes: len = 74
> 0000: 02 00 00 46 03 01 39 9E F7 B3 CB 72 72 38 19 65
> ...F..9....rr8.e
> 0010: 92 AA D7 E4 4F 76 B2 9E 1B 80 25 45 6A EA 9D E7
> ....Ov....%Ej...
> 0020: 53 D4 E5 16 6B 43 20 49 8A D5 F4 47 35 4E 21 55 S...kC
> I...G5N!U
> 0030: 28 38 3A 49 C4 9A 51 3A 2E B0 26 99 60 83 B3 90
> (8:I..Q:..&.`...
> 0040: 13 E0 AA 91 51 E4 86 00 03 00 ....Q.....
> Thread-32, READ: SSL v3.1 Handshake, length = 1535
> *** Certificate chain
> chain [0] = [
> [
> Version: V1
> Subject: [EMAIL PROTECTED], CN=localhost, OU=servers,
> O=mycompany, L=paris, ST=france, C=fr
> Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
>
> Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@382c875d
> Validity: [From: Sat Aug 19 21:29:18 CEST 2000,
> To: Sun Aug 19 21:29:18 CEST 2001]
> Issuer: [EMAIL PROTECTED] CN=my name, OU=par,
> O=mycompany, L=paris, ST=france, C=FR
> SerialNumber: [ 03]
>
> ]
> Algorithm: [MD5withRSA]
> Signature:
> 0000: 10 54 06 ED 9B 55 38 92 15 89 E8 77 CF A9 F2 0B
> .T...U8....w....
> 0010: 84 81 E7 CB 35 58 88 78 7A FF 86 22 1E 7F DE 4A
> ....5X.xz.."...J
> 0020: 41 0D 8A 22 E8 84 ED C9 E6 8C AA 75 B8 7F B1 54
> A..".......u...T
> 0030: 9D 25 57 8C 22 73 57 3B 9E 18 48 9B 40 22 B4 A9
> .%W."sW;..H.@"..
> 0040: D2 98 4B 24 79 C8 2B 41 8D D1 7A BF 4A 3E CD 8A
> ..K$y.+A..z.J>..
> 0050: 0C 9D 78 D5 0A 39 30 C1 1A D6 C4 6F 45 64 7F 48
> ..x..90....oEd.H
> 0060: D9 35 04 F2 49 B3 BC B5 BE EB 0B 9B C1 D1 EE 00
> .5..I...........
> 0070: 8B 90 DA D0 1E 8D DC B0 0A F9 AA 1A BD 13 75 AB
> ..............u.
>
> ]
> chain [1] = [
> [
> Version: V3
> Subject: [EMAIL PROTECTED], CN=my name, OU=par,
> O=mycompany, L=paris, ST=france, C=FR
> Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
>
> Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@2c71075d
> Validity: [From: Sat Aug 19 01:20:27 CEST 2000,
> To: Sun Aug 19 01:20:27 CEST 2001]
> Issuer: [EMAIL PROTECTED] CN=my name, OU=par,
> O=mycompany, L=paris, ST=france, C=FR
> SerialNumber: [ 0 ]
> Certificate Extensions: 3
> [1]: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: C2 A1 D8 A0 F6 43 E8 4C B8 21 73 ED 2F F1 A9 02
> .....C.L.!s./...
> 0010: 7F 69 79 C0 .iy.
> ]
> ]
>
> [2]: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: C2 A1 D8 A0 F6 43 E8 4C B8 21 73 ED 2F F1 A9 02
> .....C.L.!s./...
> 0010: 7F 69 79 C0 .iy.
> ]
>
> [[EMAIL PROTECTED], CN=my name, OU=par, O=mycompany,
> L=paris, ST=france, C=FR]
> SerialNumber: [ 0 ]
> ]
>
> [3]: ObjectId: 2.5.29.19 Criticality=false
> BasicConstraints:[
> CA:true
> PathLen:2147483647
> ]
>
> ]
> Algorithm: [MD5withRSA]
> Signature:
> 0000: 5A CE 83 37 B3 EA DD 0E 35 42 E8 50 F4 46 21 E7
> Z..7....5B.P.F!.
> 0010: 0B 7D 0C D8 0C F2 85 87 19 9A 85 67 86 B5 39 74
> ...........g..9t
> 0020: 83 F1 07 16 97 E7 AC 57 00 3D 61 53 5F F3 EE 72
> .......W.=aS_..r
> 0030: 82 93 04 9B 27 98 E1 AD 2D 48 A7 94 D7 70 8F 58
> ....'...-H...p.X
> 0040: 07 C2 2E 2F 10 6B 39 C8 3B B6 7E F7 A2 05 68 51
> .../.k9.;.....hQ
> 0050: 52 83 06 87 16 B6 26 AA 60 2B 8B DF 2D 0D 67 03
> R.....&.`+..-.g.
> 0060: F1 3B 48 52 68 E8 E9 F4 47 75 AE AE A7 13 4B 63
> .;HRh...Gu....Kc
> 0070: E0 49 65 58 B9 11 B3 04 58 7E 02 8C 6A E9 83 2B
> .IeX....X...j..+
>
> ]
> ***
> Thread-32, SEND SSL v3.1 ALERT: fatal, description =
> certificate_unknown
> Thread-32, WRITE: SSL v3.1 Alert, length = 2
> error
> javax.net.ssl.SSLException: untrusted server cert chain
>
> and /var/log/httpd/ssl_engine.log
> [19/aoû/2000 23:08:54 11755] [info] Init: Configuring server
> localhost:443 for SSL protocol
> [19/aoû/2000 23:09:00 11757] [info] Connection to child 0 established
> (server localhost:443, client 127.0.0.1)
> [19/aoû/2000 23:09:00 11757] [info] Seeding PRNG with 1160 bytes of
> entropy
> [19/aoû/2000 23:09:00 11757] [info] Connection: Client IP: 127.0.0.1,
> Protocol: TLSv1, Cipher: EDH-RSA-DES-CBC3-SHA (168/168 bits)
> [19/aoû/2000 23:10:10 11758] [info] Connection to child 1 established
> (server localhost:443, client 127.0.0.1)
> [19/aoû/2000 23:10:10 11758] [info] Seeding PRNG with 1160 bytes of
> entropy
> [19/aoû/2000 23:10:13 11758] [error] SSL handshake failed (server
> localhost:443, client 127.0.0.1) (OpenSSL library error follows)
> [19/aoû/2000 23:10:13 11758] [error] OpenSSL: error:14094416:SSL
> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>
> What I'm I missing to make it work.
> I first thought that the certificate chain was not sent by the server, I
> enabled it in mod_ssl configuration
> SSLCertificateChainFile conf/ssl/ca.crt
>
> Connection seams to be fine with s_connect : it accepts the certificate
> chain, but not my client servlet ????
>
> I'm starting to lack of ideas.
> Do you see something wrong with the steps I followed ?
>
> Maybe generate a server.key and certificate request from keytool, not
> from openssl ?
> I've seen a solution with sockets connection :Implement a personal
> X509TrustManager java class in this way :
> class MyX509TrustManager implements X509TrustManager
> {
> public boolean
> isClientTrusted(java.security.cert.X509Certificate[] chain)
> {
> return true;
> }
> public boolean
> isServerTrusted(java.security.cert.X509Certificate[] chain)
> {
> return true;
> }
> public java.security.cert.X509Certificate[] getAcceptedIssuers()
> {
> return null;
> }
> }
> But it's a lack of security to accept any untrusted certificate, in
> addtion I don' t know how to plug it to an http conection rather that
> socket object.
>
> I post this here beacause it seams a format issue needing experts in
> this area to answer this problem.
> The java discussion forum has hundred of unanswered problem like this
> one.
>
> Thanks in advance for your help.
> Manu.
--
Emmanuel Dreux
Mandrakesoft support team leader
( 33 1 ) 40 41 00 41
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
