Dave,

This explains the problems I have.

Indeed, it appears I need to install my home-generated certificate in a TrustManager. I indeed get the SSL exception on the Java side.

Thanks for the pointer

Frank

On 02/06/2009 03:07, "Dave Thompson" <dave.thomp...@princetonpayments.com> wrote:

>> From: owner-openssl-us...@openssl.org On Behalf Of Kyle Hamilton
>> Sent: Friday, 29 May, 2009 20:29
>
>> "certificate unknown" means that the Java side sent an alert
>> to state that there's a problem with the certificate, but
>> it's not going to tell you what it is. It probably
>> relates to the fact that the CA that you're using on your
>> openssl server isn't in the Java trust store.
>>
> More precisely, in the Java trust store _being used_.
> Java can support multiple trust (or key) stores if you want.
>
>> (The most correct and appropriate alert in this case would be
>> "unknown CA", but many implementations won't send the correct
>> code due to security policies that the developers make on
>> behalf of their API clients.)
>>
>> -Kyle H
>>
>> On Fri, May 29, 2009 at 7:12 AM, Vyncke, Frank
>> <frank.vyn...@esko.com> wrote:
>
>>> I don't know exactly what this error means, so it is hard to
>>> check what I am doing wrong. I presume I will have to set up some
>>> parameters on the JAVA side (the only thing I do different now
>>> versus the plain http setup is to change the URL to https).
>>>
> Meaning you use URL("https",...).openConnection -> HttpsURLConnection ?
> (And don't set[Default]SSLSocketFactory?) That should use the (system)
> default SSLSocketFactory, which under the standard configuration uses
> a SSLContext which has a default (X.509/PKIX) TrustManager which uses
> the store in <JRE>/lib/security/jssecacerts if present else cacerts
> (and a null X.509 KeyManager, which is usually okay for web clients).
>
> Your client should have gotten javax.net.ssl.SSLHandshakeException
> referencing/caused by sun.security.validator.ValidatorException
> and sun.security.provider.certpath.SunCertPathBuilderException .
> You might check to see if this was reported, or why not.
>
>>> Anybody an idea, and/or info on the things I need to set up on the
>>> JAVA side ? I am using JAVA JRE 1.6
>>>
> See JSSERefGuide in the docs package under 'security' for (very!)
> full details. In brief, there are a number of possibilities:
>
> - add the CAcert(s) you want to use to the default truststore(s)
> -- assuming you have access on the client machine(s) and this
> doesn't interfere with (endanger?) any other Java app(s) there
>
> - put the CAcert(s) you want to use in your own truststore
> (per-app or per-user or whatever) and configure to use that
>
> - get for your server and use a cert under a 'wellknown' CA
> that is already in the distributed cacerts -- may cost money
>
> - have your client(s) request/allow anonymous ciphersuite(s)
> and your server use no certificate at all -- loses the benefit
> of server authentication
>
> - write your own TrustManager and/or CertPathValidator to do
> whatever you want (get certs or other auth data from other
> sources like LDAP or DNS or whatever, and accept or reject
> the server based on other information than the certs or
> fetched data such as hardcoding, manual choice, ...)
> -- quite a bit more complicated
>
> Note that HttpsURLConnection also verifies that the server
> cert's name matches the desired (requested) URL.host.
> I'm not sure of the exact (default) rules since I use the
> lower-level SSL[Server]Socket which leaves this check to me.
> According to the docs this can be overridden by writing
> and setting your own HostnameVerifier .
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
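Dave's second option (a per-app truststore holding only the home-generated CA, wired into HttpsURLConnection) carried through as an added example; this is not code from the thread, from OpenSSL or from the JSSE documentation. The class name, the CA file name `home-ca.pem` and the server URL are assumptions made for the example; the API calls are standard Java 6 JSSE. It keeps the default PKIX TrustManager and the default HostnameVerifier, so the chain check that produced the "certificate unknown" alert and the URL-host check Dave mentions both still run, just against your own CA:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not code from the thread): an HttpsURLConnection client that
 * trusts exactly one locally generated CA, without editing the JRE-wide
 * cacerts/jssecacerts and without replacing the default TrustManager or
 * HostnameVerifier. Uses only Java 6 JSSE APIs.
 */
public class HomeCaHttpsClient {

    /**
     * Builds an SSLContext whose trust store holds only the CA certificate read
     * from caCertPath (PEM or DER). Chain building and validation are still done
     * by the standard PKIX TrustManager, so a server cert not issued by this CA
     * still fails with SSLHandshakeException / SunCertPathBuilderException.
     */
    static SSLContext contextTrustingOnly(String caCertPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(caCertPath);
        X509Certificate ca;
        try {
            ca = (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }

        // An empty in-memory KeyStore used purely as a trust store
        // (the "own truststore, per-app" option from the thread).
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("home-ca", ca);

        // Default algorithm is PKIX: the same validator that otherwise rejects
        // the home CA as unknown, now initialised with a store that contains it.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // null KeyManagers: no client certificate, as for a plain web client.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: the CA file and server URL are placeholders for this example.
        String caCertPath = args.length > 0 ? args[0] : "home-ca.pem";
        String target = args.length > 1 ? args[1] : "https://server.example.test:4433/";

        SSLContext ctx = contextTrustingOnly(caCertPath);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(target).openConnection();

        // Per-connection factory: other HTTPS connections in the JVM keep the
        // default SSLSocketFactory and the default truststore.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is deliberately left in place, so the server
        // cert's name is still checked against the URL host. A verifier that always
        // returns true would accept any cert issued by the CA for any host name.

        try {
            System.out.println("HTTP status: " + conn.getResponseCode());
        } catch (SSLHandshakeException e) {
            // Expected when the server cert does not chain to home-ca.pem, or when
            // its CN/SAN does not match the URL host.
            System.err.println("TLS handshake rejected: " + e.getMessage());
        }
    }
}
```

Run it as `java HomeCaHttpsClient home-ca.pem https://yourhost:4433/`, where `home-ca.pem` is the CA certificate that signed the OpenSSL server's certificate (only the CA cert goes in the truststore, never the CA's private key). If you would rather not touch code at all, Dave's per-user variant of the same option is to import the CA into a file-based truststore with `keytool -importcert -alias home-ca -file home-ca.pem -keystore home-truststore.jks` and point the default TrustManager at it with `-Djavax.net.ssl.trustStore=home-truststore.jks -Djavax.net.ssl.trustStorePassword=...` on the JVM command line; that affects only the JVM started with those properties, not the shared `cacerts`.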