Hi all,
I need a developer or consultant familiar with SSL using certificate authentication within HttpClient. My company has utterly failed in our attempt to interface with a financial processing gateway.
Our needs are quite simple: import the processor’s certificate, connect via SSL using Java, and send HTTPS traffic. It appears as if our traffic isn’t even reaching their servers.
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
We have attempted to write our own X509KeyManager and X509TrustManager, as well as other recommended “hacks” from various sources. I’ve also attached an explanatory email we sent to their technical support detailing the problem.
At this point, the answer may be simple, or complex. Nonetheless, I think we have exhausted our options on the Java front, and need expertise in this field.
Please contact me as soon as possible regarding this need. If you want to offer free advice, I’m very open. However, I’m more than willing to pay you for your time. I’m available at lukas at somnia dot com, or at 404.581.9973.
Thanks for your time.
Lukas Bradley
From: Todd [EMAIL PROTECTED]
Sent: Thursday, May 20, 2004 12:12 PM
To: [EMAIL PROTECTED]
Cc: 'Lukas Bradley'

Matt, can you see us trying to hit your server today? It looks like we should at least be sending 'hello' messages before the handshake begins. I don't know how much this means to you but I'll cut and paste my debug output of the whole handshake process and it may shed some light on this situation. Our IP should be: 66.56.10.115

Thanks again for your time. I owe you a beer after all this.

Here's my debug output:

Attempting to connect to https://www.epassporte.com/secure/b2bxfer.cgi?account=testaccount&pwd=password&trans_type=transfer&user_id=testaccount2&amount=2.00&descr=Transfer+of+Funds&pending=0
keyStore is : C:\dev\java\j2sdk1.4.2_04\jre\lib\security\dollarskeystore
keyStore type is : jks
init keystore
init keymanager of type SunX509
trustStore is: C:\dev\java\j2sdk1.4.2_04\jre\lib\security\dollarstruststore
trustStore type is : jks
init truststore
adding as trusted cert:
  Subject: O=Dollars.com, L=Atlanta, ST=GA, C=US
  Issuer:  [EMAIL PROTECTED], CN=www.epassporte.com, OU=www.epassporte.com, O=www.epassporte.com, L=Marina del Rey, ST=CA, C=US
  Algorithm: DSA; Serial number: 0xe
  Valid from Fri Apr 16 18:09:30 EDT 2004 until Sat Apr 16 18:09:30 EDT 2005

init context
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1068226183 bytes = { 137, 71, 120, 125, 179, 111, 149, 9, 1, 81, 12, 188, 0, 62, 27, 50, 201, 207, 35, 182, 44, 138, 64, 225, 157, 32, 96, 198 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 73
0000: 01 00 00 45 03 01 40 AC   D7 87 89 47 78 7D B3 6F  [EMAIL PROTECTED]
0010: 95 09 01 51 0C BC 00 3E   1B 32 C9 CF 23 B6 2C 8A  ...Q...>.2..#.,.
0020: 40 E1 9D 20 60 C6 00 00   1E 00 04 00 05 00 2F 00  @.. `........./.
0030: 33 00 32 00 0A 00 16 00   13 00 09 00 15 00 12 00  3.2.............
0040: 03 00 08 00 14 00 11 01   00                       .........
main, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes:  len = 98
0000: 01 03 01 00 39 00 00 00   20 00 00 04 01 00 80 00  ....9... .......
0010: 00 05 00 00 2F 00 00 33   00 00 32 00 00 0A 07 00  ..../..3..2.....
0020: C0 00 00 16 00 00 13 00   00 09 06 00 40 00 00 15  [EMAIL PROTECTED]
0030: 00 00 12 00 00 03 02 00   80 00 00 08 00 00 14 00  ................
0040: 00 11 40 AC D7 87 89 47   78 7D B3 6F 95 09 01 51  [EMAIL PROTECTED]
0050: 0C BC 00 3E 1B 32 C9 CF   23 B6 2C 8A 40 E1 9D 20  ...>.2..#.,[EMAIL PROTECTED]
0060: 60 C6                                              `.
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Handshake, length = 42
*** ServerHello, TLSv1
RandomCookie:  GMT: 1068226183 bytes = { 104, 24, 192, 232, 236, 156, 203, 193, 105, 60, 123, 183, 81, 160, 244, 199, 22, 121, 3, 217, 184, 80, 0, 183, 108, 211, 115, 243 }
Session ID:  {}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes:  len = 42
0000: 02 00 00 26 03 01 40 AC   D7 87 68 18 C0 E8 EC 9C  ...&[EMAIL PROTECTED]
0010: CB C1 69 3C 7B B7 51 A0   F4 C7 16 79 03 D9 B8 50  ..i<..Q....y...P
0020: 00 B7 6C D3 73 F3 00 00   04 00                    ..l.s.....
main, READ: TLSv1 Handshake, length = 797
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=www.epassporte.com, O=Epassporte N.V., L=Newbury, ST=Curacao, C=AN
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  SunJSSE RSA public key:
  public exponent:
    010001
  modulus:
    a01dad97 b5d03715 beda9db6 0b8fb265 21d7f65a e6d11dcb 461dad08 4f10a544
    98187e4b f4a7ec2f c0fd3764 2d124ca3 46ba68a4 100cc15c 37451ccc dec60eb5
    9f928a65 8f65830a 293ea62a 38f2e067 c58e06d1 a06c8b73 5d051ab9 3bc8caf5
    66398fdd d67f3bb8 b6f33484 638ae75a 7634359c 2bfb49bc ff05f43b fc0eaccf
  Validity: [From: Mon Nov 10 16:28:06 EST 2003,
               To: Sat Nov 12 13:12:23 EST 2005]
  Issuer: [EMAIL PROTECTED], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  SerialNumber: [    3d6e9e]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.thawte.com/ThawteServerCA.crl]
]]

[2]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

]
  Algorithm: [MD5withRSA]
  Signature:
0000: 5A 24 E3 A6 AC 69 AC A4   73 60 3F 36 2B 04 6B 7C  Z$...i..s`?6+.k.
0010: 18 B5 2C 33 55 F4 0E 17   89 CE 11 73 E6 E8 A7 F6  ..,3U......s....
0020: E8 0F 07 AF 0D 36 1A B0   C2 47 8B C0 A3 8B 31 A3  .....6...G....1.
0030: E3 BA 60 31 9F F0 8C 77   44 B0 58 D8 7C 82 96 3C  ..`1...wD.X....<
0040: C7 32 90 F8 0F 1C 39 4F   E6 80 D9 4E 46 A3 AB BE  .2....9O...NF...
0050: 91 4D F7 2D 2F E3 3F BF   CF 02 58 44 EB 0A D6 A3  .M.-/.?...XD....
0060: 50 F9 90 3C 9D EC 15 2C   5D 06 53 39 F9 4B DB 8C  P..<...,].S9.K..
0070: 14 1B 1C 03 BE EC 74 07   51 C9 20 27 AC AD 33 35  ......t.Q. '..35

]
***
main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
	at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA6275)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(DashoA6275)
	at dollars.bo.ipsp.EPassporte.transferFunds(EPassporte.java:241)
	at dollars.bo.ipsp.EPassporte.main(EPassporte.java:484)
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
	at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
	at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
	at sun.security.validator.Validator.validate(Validator.java:202)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA6275)
	at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA6275)
	... 11 more
main, called close()
main, called closeInternal(true)
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1068226183 bytes = { 199, 201, 67, 21, 217, 140, 115, 158, 182, 199, 240, 23, 139, 69, 121, 6, 6, 238, 41, 192, 105, 174, 78, 244, 21, 161, 16, 43 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 73
0000: 01 00 00 45 03 01 40 AC   D7 87 C7 C9 43 15 D9 8C  [EMAIL PROTECTED]
0010: 73 9E B6 C7 F0 17 8B 45   79 06 06 EE 29 C0 69 AE  s......Ey...).i.
0020: 4E F4 15 A1 10 2B 00 00   1E 00 04 00 05 00 2F 00  N....+......../.
0030: 33 00 32 00 0A 00 16 00   13 00 09 00 15 00 12 00  3.2.............
0040: 03 00 08 00 14 00 11 01   00                       .........
main, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes:  len = 98
0000: 01 03 01 00 39 00 00 00   20 00 00 04 01 00 80 00  ....9... .......
0010: 00 05 00 00 2F 00 00 33   00 00 32 00 00 0A 07 00  ..../..3..2.....
0020: C0 00 00 16 00 00 13 00   00 09 06 00 40 00 00 15  [EMAIL PROTECTED]
0030: 00 00 12 00 00 03 02 00   80 00 00 08 00 00 14 00  ................
0040: 00 11 40 AC D7 87 C7 C9   43 15 D9 8C 73 9E B6 C7  [EMAIL PROTECTED]
0050: F0 17 8B 45 79 06 06 EE   29 C0 69 AE 4E F4 15 A1  ...Ey...).i.N...
0060: 10 2B                                              .+
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Handshake, length = 42
*** ServerHello, TLSv1
RandomCookie:  GMT: 1068226183 bytes = { 4, 8, 209, 90, 46, 96, 183, 116, 23, 71, 75, 37, 209, 209, 218, 51, 117, 190, 38, 205, 76, 201, 94, 122, 219, 16, 99, 20 }
Session ID:  {}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created:  [Session-2, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes:  len = 42
0000: 02 00 00 26 03 01 40 AC   D7 87 04 08 D1 5A 2E 60  ...&[EMAIL PROTECTED]
0010: B7 74 17 47 4B 25 D1 D1   DA 33 75 BE 26 CD 4C C9  .t.GK%...3u.&.L.
0020: 5E 7A DB 10 63 14 00 00   04 00                    ^z..c.....
main, READ: TLSv1 Handshake, length = 797
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=www.epassporte.com, O=Epassporte N.V., L=Newbury, ST=Curacao, C=AN
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  SunJSSE RSA public key:
  public exponent:
    010001
  modulus:
    a01dad97 b5d03715 beda9db6 0b8fb265 21d7f65a e6d11dcb 461dad08 4f10a544
    98187e4b f4a7ec2f c0fd3764 2d124ca3 46ba68a4 100cc15c 37451ccc dec60eb5
    9f928a65 8f65830a 293ea62a 38f2e067 c58e06d1 a06c8b73 5d051ab9 3bc8caf5
    66398fdd d67f3bb8 b6f33484 638ae75a 7634359c 2bfb49bc ff05f43b fc0eaccf
  Validity: [From: Mon Nov 10 16:28:06 EST 2003,
               To: Sat Nov 12 13:12:23 EST 2005]
  Issuer: [EMAIL PROTECTED], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  SerialNumber: [    3d6e9e]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.thawte.com/ThawteServerCA.crl]
]]

[2]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

]
  Algorithm: [MD5withRSA]
  Signature:
0000: 5A 24 E3 A6 AC 69 AC A4   73 60 3F 36 2B 04 6B 7C  Z$...i..s`?6+.k.
0010: 18 B5 2C 33 55 F4 0E 17   89 CE 11 73 E6 E8 A7 F6  ..,3U......s....
0020: E8 0F 07 AF 0D 36 1A B0   C2 47 8B C0 A3 8B 31 A3  .....6...G....1.
0030: E3 BA 60 31 9F F0 8C 77   44 B0 58 D8 7C 82 96 3C  ..`1...wD.X....<
0040: C7 32 90 F8 0F 1C 39 4F   E6 80 D9 4E 46 A3 AB BE  .2....9O...NF...
0050: 91 4D F7 2D 2F E3 3F BF   CF 02 58 44 EB 0A D6 A3  .M.-/.?...XD....
0060: 50 F9 90 3C 9D EC 15 2C   5D 06 53 39 F9 4B DB 8C  P..<...,].S9.K..
0070: 14 1B 1C 03 BE EC 74 07   51 C9 20 27 AC AD 33 35  ......t.Q. '..35

]
***
main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
	at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.setNewClient(DashoA6275)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.setNewClient(DashoA6275)
	at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:299)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:625)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(DashoA6275)
	at dollars.bo.ipsp.EPassporte.transferFunds(EPassporte.java:262)
	at dollars.bo.ipsp.EPassporte.main(EPassporte.java:484)
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
	at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
	at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
	at sun.security.validator.Validator.validate(Validator.java:202)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA6275)
	at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA6275)
	... 14 more
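A way to see what the truststore actually anchors before any handshake is attempted, written as an added example in current Java; it is not code from Lukas's or Todd's project and not part of the HttpClient library. The debug output above shows the truststore loading exactly one trusted certificate (the Dollars.com certificate issued by www.epassporte.com, i.e. the client credential), while the server presents a certificate issued by Thawte Server CA. Nothing in the truststore can anchor that chain, so the validator reports "No trusted certificate found" and the client sends the certificate_unknown alert. The class below keeps the two stores apart (keystore = our private key and client certificate; truststore = the CAs we accept), lists the trust anchors, runs the same checkServerTrusted the handshake runs against a saved copy of the server chain, and only then builds the SSLContext. All file names and passwords are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Mutual-TLS client setup with a pre-flight trust check.
 * Keystore   = OUR private key + client certificate (what we present).
 * Truststore = the CA that issued the SERVER's certificate (what we accept).
 * Every path and password in this file is a placeholder (hypothetical).
 */
public final class TlsTrustCheck {

    public static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Subject and issuer of every trusted-certificate entry, so the operator sees what is (not) there. */
    public static List<String> listTrustAnchors(KeyStore trustStore) throws Exception {
        List<String> out = new ArrayList<>();
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (trustStore.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) trustStore.getCertificate(alias);
                out.add(alias + ": subject=" + c.getSubjectX500Principal()
                        + " issuer=" + c.getIssuerX500Principal());
            }
        }
        return out;
    }

    public static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager for this truststore");
    }

    /**
     * Validates a server chain against the truststore exactly as the handshake would.
     * Returns null when the chain anchors, otherwise the validator's message
     * (for the stores in this thread: "No trusted certificate found").
     */
    public static String explainTrust(KeyStore trustStore, X509Certificate[] serverChain) throws Exception {
        try {
            trustManagerFor(trustStore).checkServerTrusted(serverChain, "RSA");
            return null;
        } catch (CertificateException e) {
            return e.getMessage();
        }
    }

    /** Reads one or more PEM/DER certificates (the server's leaf, or leaf plus issuer) into a chain. */
    public static X509Certificate[] loadChain(String certPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(certPath)) {
            return cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }

    /** The context to hand to HttpClient / HttpsURLConnection once the check above passes. */
    public static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();                       // placeholder password
        KeyStore keyStore = loadJks("client-keystore.jks", pw);     // placeholder path
        KeyStore trustStore = loadJks("truststore.jks", pw);        // placeholder path
        // Server chain saved from the gateway (e.g. via openssl s_client -showcerts); hypothetical file name.
        X509Certificate[] serverChain = loadChain("gateway-chain.pem");

        for (String anchor : listTrustAnchors(trustStore)) {
            System.out.println("trusted: " + anchor);
        }
        String problem = explainTrust(trustStore, serverChain);
        if (problem != null) {
            System.out.println("truststore cannot anchor the server chain: " + problem);
            return;   // fix the truststore; do not substitute a trust-everything manager
        }
        SSLContext ctx = buildContext(keyStore, pw, trustStore);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

The remedy this check points at is to import the server's issuing CA (here the Thawte Server CA, or to start from a copy of the JDK's cacerts and add the gateway's certificate) into the truststore with keytool -importcert, rather than pointing the JVM at a truststore that holds only the client certificate. A hand-written X509TrustManager that accepts any chain makes the alert go away and removes server authentication with it, which is the wrong trade for a payment gateway. One caveat for anyone re-running this against the chain shown above on a current JDK: it would also be rejected for a second reason, because MD5withRSA signatures are disabled by jdk.certpath.disabledAlgorithms.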