Thanks Julius, your solution is much easier to work with than the one I put
together.

On 5/6/06, Julius Davies <[EMAIL PROTECTED]> wrote:

Hi, Sudip,

I think I have a solution.

You will need to download the latest version of "commons-ssl.jar" that I
am working on.  It now includes modified versions of the "
org.apache.commons.httpclient.contrib.ssl" classes.

http://juliusdavies.ca/commons-ssl/

I've created a TrustExample.java file for you.  Try running its main
method with the following jars in your classpath:

commons-codec.jar
commons-httpclient.jar
commons-logging.jar
commons-ssl.jar

It should output the following:

HTTPClient: HTTP/1.1 200 OK
Java:       javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate found


Here are two links to TrustExample.java (the second link uses HTML for
syntax highlighting):

http://juliusdavies.ca/commons-ssl/TrustExample.java
http://juliusdavies.ca/commons-ssl/TrustExample.java.html

I hope this helps.  Thanks for your help testing the proxy feature of my
commons-ssl Ping utility!  I'm glad to hear it works!


yours,

Julius


-----Original Message-----
From:   sudip shrestha [mailto:[EMAIL PROTECTED]
Sent:   Fri 5/5/2006 7:13 PM
To:     Julius Davies
Cc:
Subject:        Re: Fwd: SSLHandshakeException with apache+tomcat httpd
server

It seemed to work ok.... I am sort of wondering how do I attach the
my.keystore file with the applet.

This was the output:
--------------------------------

HEAD / HTTP/1.1
Host: mydomain.com

Reading:

================================================================================
HTTP/1.1 302 Moved Temporarily
Date: Sat, 06 May 2006 02:05:19 GMT
Server: Apache
Set-Cookie: JSESSIONID=87BD0090FE9C884140543A2F3662D0EE; Path=/; Secure
Location:

https://mydomain/actions/checkSession.do;jsessionid=87BD0090FE9C884140543A2F3662D0EE?method=checkSession
Content-Type: httpd/unix-directory

Server Certificate Chain for: [mydomain.com/ipaddx:443]

================================================================================
s.0: CN=mydomain.com, OU=InstantSSL, OU=IS, O=xxx, STREET=addr,
STREET=xxx,
L=xx, ST=xx, OID.add=00000-1892, C=US
i.0: CN=AddTrust External CA Root, OU=AddTrust External TTP Network,
O=AddTrust AB, C=SE
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
s.1: CN=AddTrust External CA Root, OU=AddTrust External TTP Network,
O=AddTrust AB, C=SE

i.1: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The
USERTRUST
Network, L=Salt Lake City, ST=UT, C=US
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----





On 5/5/06, Julius Davies <[EMAIL PROTECTED]> wrote:
>
> Hi, Sudip,
>
> Thanks for your interesting question!  I added a "proxy" option to the
> "commons-ssl.jar" tool.
>
> I realize you've already progressed on your problem, but would you mind
> testing this option for me?
>
> Here's the latest version:
>
> http://juliusdavies.ca/commons-ssl/
>
> In particular:
>
> http://juliusdavies.ca/commons-ssl/commons-ssl.jar
>
>
> Please try running:
>
> java -jar commons-ssl.jar -t [mydomain.com]:443 -r [myproxy.com]:80
>
> Does it work?
>
>
>
> yours,
>
> Julius
>
>
>
> ==============================================================================
> Usage:  java -jar commons-ssl.jar [options]
> Options:   (*=required)
> *  -t  --target           [hostname[:port]]             default port=443
>    -b  --bind             [hostname[:port]]             default port=0 "ANY"
>    -r  --proxy            [hostname[:port]]             default port=80
>    -c  --client-cert      [path to client certificate]  *.jks or *.pfx
>    -p  --password         [client cert password]
>
> Example:
>
> java -jar commons-ssl.jar -t cucbc.com:443 -c ./client.pfx -p `cat ./pass.txt`
>
> ==============================================================================
>
>
> On Fri, 2006-05-05 at 15:38 -0500, sudip shrestha wrote:
> > I am not sure on how to deploy the my.keystore file with the applet?  Thanks
> > for any suggestions.
> >
> > ---------- Forwarded message ----------
> > From: sudip shrestha <[EMAIL PROTECTED]>
> > Date: May 5, 2006 2:08 PM
> > Subject: Re: SSLHandshakeException with apache+tomcat httpd server
> > To: Julius Davies <[EMAIL PROTECTED]>
> >
> > Hi,
> > OK... This is what I did and fixed my problem:
> > 1. I first got my keystore from CA-cert:
> > keytool -import -trustcacerts -keystore my.keystore -file mydomain.com.crt -alias mydomainkey
> > 2. Then added a line before creating new Protocol object with
> > StrictSSLProtocolSocketFactory:
> > ------------------
> >     System.setProperty("javax.net.ssl.trustStore", "my.keystore");
> >
> >     Protocol stricthttps = new Protocol("https", new StrictSSLProtocolSocketFactory(true), 443);
> >     httpclient.getHostConfiguration().setHost("mydomain.com", 443, stricthttps);
> >
> >     httpclient.executeMethod(httpget);
> >     System.out.println(new String(httpget.getResponseBody()));
> >
> >     System.out.println(httpget.getStatusLine());
> > ------------------
> > Then, I was able to get secure urls normally from mydomain.com.  But now
> > I am wondering how do I put my.keystore file in the client machine, as
> > these urls will be accessed by an Applet.
> >
> >
> >
> > On 5/5/06, sudip shrestha < [EMAIL PROTECTED]> wrote:
> > >
> > > Julius, Thanks for your reply.  We have a proxy server to go thru...
> > > How do I define a proxy server/port in command line with java -jar
> > > commons-ssl.jar -t [ mydomain.com]:443?
> > >
> > > Because, right now, this is all I get:
> > > java.net.SocketTimeoutException: connect timed out
> > >         at java.net.PlainSocketImpl.socketConnect(Native Method)
> > >         at java.net.PlainSocketImpl.doConnect(Unknown Source)
> > >         at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
> > >         at java.net.PlainSocketImpl.connect(Unknown Source)
> > >         at java.net.SocksSocketImpl.connect(Unknown Source)
> > >         at java.net.Socket.connect(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(Unknown Source)
> > >         at org.apache.commons.ssl.SSLClient.createSocket(SSLClient.java:189)
> > >         at org.apache.commons.ssl.SSLClient.createSocket(SSLClient.java:157)
> > >         at org.apache.commons.ssl.SSLClient.createSocket(SSLClient.java:149)
> > >         at org.apache.commons.ssl.Ping.main(Ping.java:136)
> > >
> > >
> > > On 5/5/06, Julius Davies <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Hi, Sudip,
> > > >
> > > > I'm working on a tool to help diagnose these kinds of problems.  Can
> > > > you try this tool and report back on the output?
> > > >
> > > > http://juliusdavies.ca/commons-ssl/
> > > >
> > > > In particular, download:
> > > >
> > > > http://juliusdavies.ca/commons-ssl/commons-ssl.jar
> > > >
> > > > And then run:
> > > >
> > > > java -jar commons-ssl.jar -t [ mydomain.com]:443
> > > >
> > > > (You'll have to replace mydomain.com with the server in particular
> > > > that you are using.)
> > > >
> > > > yours,
> > > >
> > > > Julius
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From:   sudip shrestha [mailto:[EMAIL PROTECTED]
> > > > Sent:   Fri 5/5/2006 9:20 AM
> > > > To:     [email protected]
> > > > Cc:
> > > > Subject:        SSLHandshakeException with apache+tomcat httpd
> server
> > > >
> > > > Hi,
> > > > I have apache httpd 2.0 server working with Tomcat 5.5.7 that serves
> > > > dynamic content.  Only HTTPS requests are allowed by this server.  We
> > > > have a trusted certificate from a CA, comodo.  I have written an applet
> > > > that needs to talk to this server via ssl.
> > > > I have added the cert from the CA to the jdk keystore with:
> > > > keytool -import -file mydomain.com.crt
> > > >
> > > > So, when I use this piece of code below to make a connection I get
> > > > an Exception:
> > > >
> > > > javax.net.ssl.SSLHandshakeException:
> > > > sun.security.validator.ValidatorException: PKIX path building failed:
> > > > sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
> > > > certification path to requested target
> > > >         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
> > > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
> > > >         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> > > >         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> > > >         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
> > > >         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
> > > >         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
> > > >         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
> > > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
> > > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
> > > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
> > > >         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
> > > >         at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
> > > >         at java.io.BufferedOutputStream.flush(Unknown Source)
> > > >         at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:827)
> > > >         at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1975)
> > > >         at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
> > > >         at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
> > > >         at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
> > > >         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
> > > >         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
> > > >         at main.main(main.java:54)
> > > > Caused by: sun.security.validator.ValidatorException: PKIX path building
> > > > failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
> > > > certification path to requested target
> > > >         at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
> > > >         at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
> > > >         at sun.security.validator.Validator.validate(Unknown Source)
> > > >         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
> > > >         at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
> > > >         ... 18 more
> > > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> > > > unable to find valid certification path to requested target
> > > >         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
> > > >         at java.security.cert.CertPathBuilder.build(Unknown Source)
> > > >         ... 23 more
> > > > ----------------------------------------------------------------
> > > > Test Code:
> > > > ---------------
> > > >   HttpClient httpclient = new HttpClient();
> > > >   GetMethod httpget = new GetMethod("https://mydomain.com/");
> > > >   try {
> > > >     //Protocol easyhttps = new Protocol("https", new EasySSLProtocolSocketFactory(), 443);
> > > >     //Protocol.registerProtocol("https", easyhttps);
> > > >
> > > >     httpclient.executeMethod(httpget);
> > > >
> > > >     System.out.println(httpget.getStatusLine());
> > > >
> > > >   } catch(Exception e) {
> > > >     e.printStackTrace();
> > > >   } finally {
> > > >     httpget.releaseConnection();
> > > >   }
> > > > ----------------------------------------------------------------
> > > >
> > > > I have tried this with/without the EasySSLProtocolSocketFactory and I
> > > > get the same result.   Searched through the archive but could not move
> > > > forward.
> > > >
> > > > In my case, all the SSL requests are handled by apache first, so is
> > > > there something else that I have to do to make it work?... thanks....
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> --
> Julius Davies
> Senior Application Developer, Technology Services
> Credit Union Central of British Columbia
> http://www.cucbc.com/
> Tel: 604-730-6385
> Cel: 604-868-7571
> Fax: 604-737-5910
>
> 1441 Creekside Drive
> Vancouver, BC
> Canada
> V6J 4S7
>
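Sudip's open question in the thread is how to get my.keystore onto the client when the code runs as an applet, where System.setProperty("javax.net.ssl.trustStore", ...) is not an option. One approach is to pack the truststore into the applet jar and load it as a classpath resource, building an SSLContext that trusts only that store. The following is an added example, not code from this thread, from commons-ssl or from the HttpClient contrib package; it assumes the resource name /my.keystore (the store built with keytool above), the HttpClient 3.x SecureProtocolSocketFactory interface, and mydomain.com as the thread's placeholder host.

```java
import java.io.*;
import java.net.*;
import java.security.KeyStore;
import javax.net.ssl.*;
import org.apache.commons.httpclient.*;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.*;

public class BundledTrustSocketFactory implements SecureProtocolSocketFactory {
    private final SSLSocketFactory factory;
    // resource is the classpath path of a JKS truststore (assumed: "/my.keystore", the store
    // built with keytool in the thread, packed into the applet jar). The null password only
    // skips the JKS integrity check, acceptable because the store holds only public CA certs.
    public BundledTrustSocketFactory(String resource) throws Exception {
        InputStream in = BundledTrustSocketFactory.class.getResourceAsStream(resource);
        if (in == null) throw new FileNotFoundException("truststore resource missing: " + resource);
        KeyStore ts = KeyStore.getInstance("JKS");
        try { ts.load(in, null); } finally { in.close(); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);                                  // PKIX path building uses this store only
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);  // no client certs, default SecureRandom
        factory = ctx.getSocketFactory();
    }
    public Socket createSocket(String host, int port) throws IOException {
        return factory.createSocket(host, port);
    }
    public Socket createSocket(String host, int port, InetAddress localAddr, int localPort) throws IOException {
        return factory.createSocket(host, port, localAddr, localPort);
    }
    public Socket createSocket(String host, int port, InetAddress localAddr, int localPort,
                               HttpConnectionParams params) throws IOException {
        Socket s = factory.createSocket(host, port, localAddr, localPort);
        s.setSoTimeout(params.getSoTimeout());         // honour HttpClient's read timeout
        return s;
    }
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
        return factory.createSocket(socket, host, port, autoClose);  // used when tunnelling via a proxy
    }
    // Wired in the same way the thread wires StrictSSLProtocolSocketFactory.
    public static void main(String[] args) throws Exception {
        HttpClient client = new HttpClient();
        Protocol https = new Protocol("https", new BundledTrustSocketFactory("/my.keystore"), 443);
        client.getHostConfiguration().setHost("mydomain.com", 443, https);
        GetMethod get = new GetMethod("/");
        try { client.executeMethod(get); System.out.println(get.getStatusLine()); }
        finally { get.releaseConnection(); }
    }
}
```

This factory limits trust to the bundled CA chain but, unlike the StrictSSLProtocolSocketFactory(true) used in the thread, it does not check that the certificate's subject matches the host name, so that check still has to be added on top.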



