Daniel / group,

I am using JSSE 1.0.2 and am using a TrustManager to trust all certs, but I am still 
getting "Could not find trusted cert in chain." It looks like JSSE is still trying to 
trust my certificate (which on our server is a dummy expired cert from VeriSign, for 
now).

I saw somewhere on the internet that it could be a bug in JSSE when used with JRE 1.3.1. 
Please let me know if this is true and/or if there is any way around it.

I am using the following code to trust all:

##############################


Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
// FOR JSSE 1.0.3
System.setProperty("java.protocol.handler.pkgs", "javax.net.ssl");
/*
Provider[] provs = Security.getProviders();
for (int i = 0; i < provs.length; i++) {
    System.out.println("");
    System.out.println(provs[i].getName());
    System.out.println(provs[i].getInfo());
    provs[i].list(System.out);
}
*/

// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[] {
    new X509TrustManager() {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }
        public void checkClientTrusted(
                java.security.cert.X509Certificate[] certs, String authType) {
        }
        public void checkServerTrusted(
                java.security.cert.X509Certificate[] certs, String authType) {
        }
        public boolean isServerTrusted(java.security.cert.X509Certificate[] certs) {
            return true;
        }
        public boolean isClientTrusted(java.security.cert.X509Certificate[] certs) {
            return true;
        }
    }
};

// Install the all-trusting trust manager
try {
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
    e.printStackTrace();
}

// followed by SOAP calls.
URL url = null;
url = new URL(endpoint);
Call call = new Call();
SOAPHTTPConnection shc = new SOAPHTTPConnection();
shc.setMaintainSession(true);
shc.setCookieHeader(smCookies);
call.setSOAPTransport(shc);
call.setSOAPMappingRegistry(smr);
call.setTargetObjectURI(targetObjURI);
call.setEncodingStyleURI(Constants.NS_URI_SOAP_ENC);
call.setMethodName("construct_query");
call.setParams(params);

Response resp = call.invoke(url, "");

###########################################################

Also attached is the debug trace from when I have SSL debug turned on for the JRun JVM.

<file attached>

Any help will be really useful.

Thanks
MS


-----Original Message-----
From: Daniel Zhang [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 2:04 PM
To: [EMAIL PROTECTED]
Subject: Re: apache 2.3.1 and SSL


A good reference page for Tomcat -  
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html
Sun's  JSSE page for J2SDK 1.2.x and 1.3.x - 
http://java.sun.com/products/jsse/index-103.html
A page for JRUN - 
http://teaching.cs.uml.edu/~heines/tools/JRun4/docs/html/Programmers_Guide/wssecurity4.html

You need SSL certificates, say from VeriSign, Thawte or whatever (for 
testing, you can make self-signed certificates). You have to put the 
certificates into keystores (or get them programmatically). Also, you 
need to configure your servers. Finally, change the SOAP calls from HTTP 
to HTTPS.

Daniel


Sinha, Madhukar [IT] wrote:

> I have JSSE 1.0.2. Does Apache SOAP have a minimum requirement of 
> JSSE 1.0.3? We are using J2SE 1.3.0 here.
>  
> thanks
> madhukar
>  
>
>     -----Original Message-----
>     *From:* Sinha, Madhukar [IT]
>     *Sent:* Thursday, June 03, 2004 1:38 PM
>     *To:* [EMAIL PROTECTED]
>     *Subject:* apache 2.3.1 and SSL
>
>     Hello
>      
>     I have SOAP web services running under JRun. Our server is moving
>     to SSL. I understand that no changes need to be made on the server side.
>      
>     But if I have Java web service clients, can someone suggest
>     examples, or how/what changes will be needed? I saw that we need
>     JSSE 1.2.1 or higher. Please help with some information.
>      
>     Please help
>      
>     Thanks
>     MS
>
>          
>

adding as trusted cert: [
[
  Version: V3
  Subject: [EMAIL PROTECTED], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  [EMAIL PROTECTED]
  Validity: [From: Wed Jul 31 20:00:00 EDT 1996,
               To: Thu Dec 31 18:59:59 EST 2020]
  Issuer: [EMAIL PROTECTED], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  SerialNumber: [    01]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

]
  Algorithm: [MD5withRSA]
  Signature:

]
adding as trusted cert: [
[
  Version: V1
  Subject: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

  Key:  [EMAIL PROTECTED]
  Validity: [From: Sun Jan 28 19:00:00 EST 1996,
               To: Wed Jan 07 18:59:59 EST 2004]
  Issuer: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  SerialNumber: [    ba5ac94c 053b92d6 a7b6df4e d053920d ]

]
  Algorithm: [MD2withRSA]
  Signature:

]
init context
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, v3.1
RandomCookie:  GMT: 1070097994 bytes = { 241, 125, 43, 145, 152, 122, 211, 100, 65, 145, 237, 217, 19, 180, 107, 186, 217, 23, 110, 159, 124, 88, 222, 22, 44, 51, 41, 138 }
Session ID:  {}
Cipher Suites:  { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17 }
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 59
jcp-1, WRITE:  SSL v3.1 Handshake, length = 59
[write] MD5 and SHA1 hashes:  len = 77
jcp-1, WRITE:  SSL v2, contentType = 22, translated length = 16310
jcp-1, READ:  SSL v3.0 Handshake, length = 1172
*** ServerHello, v3.0
RandomCookie:  GMT: 17119 bytes = { 156, 170, 29, 131, 68, 3, 11, 117, 47, 234, 79, 193, 191, 19, 110, 86, 104, 217, 199, 182, 147, 109, 168, 122, 184, 204, 67, 45 }
Session ID:  {84, 120, 139, 166, 221, 86, 149, 141, 37, 178, 3, 214, 237, 101, 245, 141, 165, 152, 206, 120, 48, 237, 163, 169, 243, 99, 99, 110, 43, 246, 245, 142}
Cipher Suite:  { 0, 4 }
Compression Method: 0
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes:  len = 74
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=www.nssb-direct.com, OU=miscellaneous, O=Citigroup, L=New York, ST=New York, C=US
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  [EMAIL PROTECTED]
  Validity: [From: Wed Mar 06 19:00:00 EST 2002,
               To: Sat Mar 06 18:59:59 EST 2004]
  Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
  SerialNumber: [    3bdba900 f156d870 0cf16f6b dd0e1631 ]

Certificate Extensions: 6
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 28 30 26 30 24 06 08   2B 06 01 05 05 07 30 01  .(0&0$..+.....0.
0010: 86 18 68 74 74 70 3A 2F   2F 6F 63 73 70 2E 76 65  ..http://ocsp.ve
0020: 72 69 73 69 67 6E 2E 63   6F 6D                    risign.com


[2]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL server
]

[3]: ObjectId: 2.5.29.32 Criticality=false
Extension unknown: DER encoded OCTET string =


[4]: ObjectId: 2.5.29.31 Criticality=false
Extension unknown: DER encoded OCTET string =


[5]: ObjectId: 2.5.29.37 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 21 30 1F 06 09 60 86   48 01 86 F8 42 04 01 06  .!0...`.H...B...
0010: 08 2B 06 01 05 05 07 03   01 06 08 2B 06 01 05 05  .+.........+....
0020: 07 03 02                                           ...


[6]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

]
  Algorithm: [MD5withRSA]
  Signature:

]
***
Could not find trusted cert in chain.
jcp-1, SEND SSL v3.0 ALERT:  fatal, description = certificate_unknown
jcp-1, WRITE:  SSL v3.0 Alert, length = 2
