Hi, besides
sun.security.ssl.allowUnsafeRenegotiation=true
also try
sun.security.ssl.allowLegacyHelloMessages=true

according to
http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
https://forums.oracle.com/forums/thread.jspa?threadID=2241443
it might do the trick, that is, if the exception in the debug output
is the exception they mention in the linked thread.

It would be good to know which Java update they are running on the other side.
-- 
Pavel Škop




----- ORIGINAL MESSAGE -----
From: "Robert Novotny" <[email protected]>
To: [email protected]
Subject: Re: Timestamp with Postsignum
Date: 7.5.2012 - 15:13:37

> Greetings,
> which version of Java do you have? It may be related to
> 
> sun.security.ssl.allowUnsafeRenegotiation
> 
> It was changed in a certain version, because there was a
> security bug in renegotiating SSL sessions. Try looking at
> [1].
> 
> RN
> 
> [1]
> http://java.sun.com/javase/javaseforbusiness/docs/TLSReadme.html
> 
> 
> On 7. 5. 2012 14:34, Dusan Zatkovsky wrote:
> > Good day ( hi ),
> >
> > still nothing. I switched to the Apache HTTP components, still without
> > success,
> > javax.net.ssl.SSLException: HelloRequest followed by an unexpected
> > handshake message.
> >
> > It probably isn't the truststore, because the very same jks I built
> > myself ( I stuffed all the postsignum certificates into it, plus the
> > ones exported from the browser after a manual attempt to connect to
> > that url ) is the one I use for login/password authentication, and
> > there it works.
> >
> > Code:
> >
> >         // imports used by the snippet below (Apache HttpClient 4.x)
> >         import java.io.File;
> >         import java.io.FileInputStream;
> >         import java.io.InputStream;
> >         import java.security.KeyStore;
> >         import org.apache.http.HttpResponse;
> >         import org.apache.http.client.methods.HttpPost;
> >         import org.apache.http.conn.scheme.Scheme;
> >         import org.apache.http.conn.scheme.SchemeRegistry;
> >         import org.apache.http.conn.ssl.SSLSocketFactory;
> >         import org.apache.http.impl.client.DefaultHttpClient;
> >         import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
> >         import org.apache.http.params.BasicHttpParams;
> >         import org.apache.http.params.HttpParams;
> >
> >         private static String keyStoreFile = "/home/msk/work/misc/keys/private.pfx";
> >         private static String trustStoreFile = "/home/msk/work/misc/keys/postsignum.jks";
> >         private static String keyStorePassword = "BLABLA";
> >         private static String trustStorePassword = "123456";
> >         private static String ts_url = "https://www.postsignum.cz/DEMOTSA/TSS_crt/";
> >
> >         final HttpParams httpParams = new BasicHttpParams();
> >
> >         // keystore. I take it to be the "private.pfx" file from postsignum,
> >         // which appears to be a pkcs12 container
> >         KeyStore keystore = KeyStore.getInstance("pkcs12");
> >         InputStream keystoreInput = new FileInputStream(new File(keyStoreFile));
> >         keystore.load(keystoreInput, keyStorePassword.toCharArray());
> >         keystoreInput.close();
> >
> >         // truststore. I built it myself and stuffed in all the
> >         // postsignum certificates I came across.
> >         KeyStore truststore = KeyStore.getInstance("jks");
> >         InputStream truststoreInput = new FileInputStream(new File(trustStoreFile));
> >         truststore.load(truststoreInput, trustStorePassword.toCharArray());
> >         truststoreInput.close();
> >
> >         // client cert from the keystore, server verified against the truststore
> >         final SchemeRegistry schemeRegistry = new SchemeRegistry();
> >         schemeRegistry.register(new Scheme("https", 443,
> >                 new SSLSocketFactory(keystore, keyStorePassword, truststore)));
> >
> >         final DefaultHttpClient c = new DefaultHttpClient(
> >                 new ThreadSafeClientConnManager(httpParams, schemeRegistry), httpParams);
> >
> >         HttpPost post = new HttpPost(ts_url);
> >         post.setParams(httpParams);
> >
> >         HttpResponse x = c.execute(post);
> >
> >
> > I tried turning on debug, see the attachment. In it I see, for
> > example:
> >
> > Found trusted certificate:
> > [
> > [
> >   Version: V3
> >   Subject: SERIALNUMBER=S7464, CN=www.postsignum.cz, OU=PostSignum Services, O="Česká pošta, s.p. [IČ 47114983]", C=CZ
> >
> > or
> >
> > *** ServerHelloDone
> > *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
> > ...
> > *** Finished
> >
> > and then
> >
> > %% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
> > main, setSoTimeout(0) called
> > main, WRITE: TLSv1 Application Data, length = 119
> > main, READ: TLSv1 Handshake, length = 20
> > *** HelloRequest (empty)
> > main, SEND TLSv1 ALERT:  warning, description = no_negotiation
> > main, WRITE: TLSv1 Alert, length = 18
> > %% Invalidated:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
> >
> > To tell the truth, I'm not much wiser from it. It still looks to me
> > like the other side decided it won't talk to me and cut the session
> > off.
> >
> > I'd add that I still haven't managed to connect successfully even
> > directly with their application.
> >
> >
> > Thanks.
> >
> >
> > --
> > Dusan
> >
> >
> >> For standard HTTPS communication with client-certificate login you
> >> need two key stores - one for verifying the server's certificate
> >> (truststore) and another for the private key you log in with
> >> (keystore). You can do without the truststore if you implement a
> >> "verification" of the peer's certificate that trusts every
> >> certificate.
> >>
> >> I would try to avoid HttpsURLConnection; it can't be debugged, it has
> >> bugs, dependencies on global variables...
> >>
> >> Regards
> >>
> >> Filip Jirsák
> >>
> >>
> >> On 3 May 2012 at 15:24, Dusan Zatkovsky <[email protected]> wrote:
> >>
> >>     Hi,
> >>
> >>     I got a bit further, but not by much.
> >>
> >>       private static SSLSocketFactory getFactory() throws ... {
> >>             // client key + certificate from the JKS keystore
> >>             KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
> >>             KeyStore keyStore = KeyStore.getInstance("JKS");
> >>             InputStream keyInput = new FileInputStream(new File(clientJksFile));
> >>             keyStore.load(keyInput, clientJksPasswd.toCharArray());
> >>             keyInput.close();
> >>
> >>             keyManagerFactory.init(keyStore, clientJksPasswd.toCharArray());
> >>
> >>             // null TrustManagers: the server is checked against the
> >>             // javax.net.ssl.trustStore set in test()
> >>             SSLContext context = SSLContext.getInstance("TLS");
> >>             context.init(keyManagerFactory.getKeyManagers(), null, new SecureRandom());
> >>
> >>             return context.getSocketFactory();
> >>         }
> >>
> >>       //private static String ts_url = "https://www.postsignum.cz/DEMOTSA/TSS_crt/";
> >>       private static String ts_url = "https://tsa.postsignum.cz/TSS/HttpTspServer/";
> >>
> >>       void test() {
> >>     ...
> >>             Security.addProvider(new BouncyCastleProvider());
> >>
> >>             // here I have the postsignum certificates for verifying the ssl cert path
> >>             System.setProperty("javax.net.ssl.trustStore", caJksFile);
> >>             System.setProperty("javax.net.ssl.trustStorePassword", caJksPasswd);
> >>
> >>             // generate the request
> >>             TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
> >>             TimeStampRequest request = reqGen.generate(TSPAlgorithms.SHA1, new byte[20]);
> >>             byte[] reqData = request.getEncoded();
> >>
> >>             // send the request
> >>             SSLSocketFactory sslfact = getFactory();
> >>             URL url = new URL(ts_url);
> >>             HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
> >>             c.setSSLSocketFactory(sslfact);
> >>
> >>             c.setDoOutput(true);
> >>             c.setDoInput(true);
> >>             c.setRequestMethod("POST");
> >>             c.setRequestProperty("Content-type", "application/timestamp-query");
> >>             c.setRequestProperty("Content-length", String.valueOf(reqData.length));
> >>             OutputStream out = c.getOutputStream();
> >>             out.write(reqData);
> >>             out.flush();
> >>
> >>             if (c.getResponseCode() != HttpURLConnection.HTTP_OK) {
> >>     ...
> >>
> >>     }
> >>
> >>     In getResponseCode() I end up with
> >>     javax.net.ssl.SSLHandshakeException: Received fatal alert:
> >>     handshake_failure.
> >>
> >>     Given that I also tried the official TSA client from PostSignum,
> >>     which ended with a similar exception, the problem could be buried
> >>     right in the certificate, and I'll try going down that road first.
> >>
> >>     What I'm a bit confused about, though, is that in the TSA
> >>     application a private key ( with a password ) is added, whereas a
> >>     certificate is used for authentication. But I assume that the
> >>     application generates the certificate from the private key...
> >>
> >>
> >>     Thanks
> >>
> >>     --
> >>     Dusan
> >>
> >>
> >>
> >>>     Hello,
> >>>     the login is a standard HTTPS login with a client certificate,
> >>>     isn't it? Use for example HttpClient from Apache HttpComponents
> >>>     ( http://hc.apache.org/httpcomponents-client-ga/index.html ),
> >>>     I think the use of HTTPS is somewhere in the examples there.
> >>>
> >>>     Regards
> >>>
> >>>     Filip Jirsák
> >>>
> >>>
> >>>     2012/5/2 Dusan Zatkovsky <[email protected]>
> >>>
> >>>         Hi,
> >>>
> >>>         has any of you implemented a timestamp from postsignum with
> >>>         certificate login?
> >>>
> >>>         I haven't managed to google anything so far; basically I have
> >>>         prepared a hash and sent it to the server so far, but I don't
> >>>         have the authentication sorted out.
> >>>         >>>
> >>>                // imports used by the snippet below (Bouncy Castle TSP API)
> >>>                import java.io.InputStream;
> >>>                import java.io.OutputStream;
> >>>                import java.net.HttpURLConnection;
> >>>                import java.net.URL;
> >>>                import java.security.Security;
> >>>                import org.bouncycastle.asn1.ASN1InputStream;
> >>>                import org.bouncycastle.asn1.tsp.TimeStampResp;
> >>>                import org.bouncycastle.jce.provider.BouncyCastleProvider;
> >>>                import org.bouncycastle.tsp.TSPAlgorithms;
> >>>                import org.bouncycastle.tsp.TimeStampRequest;
> >>>                import org.bouncycastle.tsp.TimeStampRequestGenerator;
> >>>                import org.bouncycastle.tsp.TimeStampResponse;
> >>>
> >>>                Security.addProvider(new BouncyCastleProvider());
> >>>                // request for a (placeholder, all-zero) SHA-1 hash
> >>>                TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
> >>>                TimeStampRequest request = reqGen.generate(TSPAlgorithms.SHA1, new byte[20]);
> >>>                byte[] reqData = request.getEncoded();
> >>>
> >>>                String s_url = "https://www.postsignum.cz/DEMOTSA/TSS_crt/";
> >>>                URL url = new URL(s_url);
> >>>
> >>>                // plain HTTPS POST, no client certificate configured yet
> >>>                HttpURLConnection c = (HttpURLConnection) url.openConnection();
> >>>                c.setDoOutput(true);
> >>>                c.setDoInput(true);
> >>>                c.setRequestMethod("POST");
> >>>                c.setRequestProperty("Content-type", "application/timestamp-query");
> >>>                c.setRequestProperty("Content-length", String.valueOf(reqData.length));
> >>>
> >>>                OutputStream out = c.getOutputStream();
> >>>                out.write(reqData);
> >>>                out.flush();
> >>>
> >>>                // parse the DER response and check it matches the request
> >>>                InputStream in = c.getInputStream();
> >>>                TimeStampResp resp = TimeStampResp.getInstance(new ASN1InputStream(in).readObject());
> >>>                TimeStampResponse response = new TimeStampResponse(resp);
> >>>                response.validate(request);
> >>>
> >>>
> >>>
> >>>
> >>>         Thanks
> >>>
> >>>         --
> >>>         Dusan
> >>>
> >>>
> >>
> >>
> >
> 
> 
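The snippets in the thread above each cover one piece of the job: one presents a client certificate but passes `null` TrustManagers and relies on `javax.net.ssl.trustStore` system properties, one trusts the server only, and one sends the request with no authentication at all. The following is an editor's example, not code from the thread, from PostSignum, or from the Bouncy Castle project: a single RFC 3161 client that authenticates with the PKCS#12 client certificate and verifies the TSA against a dedicated JKS truststore in one `SSLContext`, then builds the request with a nonce and `certReq`, and validates the response against the request. File paths, passwords and the TSA URL are placeholders; the Bouncy Castle calls are those of the `bcpkix` TSP API (`org.bouncycastle.tsp`), and `InputStream.readAllBytes()` assumes Java 9 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.tsp.TSPAlgorithms;
import org.bouncycastle.tsp.TimeStampRequest;
import org.bouncycastle.tsp.TimeStampRequestGenerator;
import org.bouncycastle.tsp.TimeStampResponse;
import org.bouncycastle.tsp.TimeStampToken;

/** Editor's example (not code from the thread): RFC 3161 request over HTTPS with client-certificate auth. */
public class TsaClientExample {

    // Placeholder paths, passwords and URL: assumptions for the example, not values from the thread.
    private static final String KEY_STORE_FILE = "/path/to/client.pfx";    // PKCS#12 with client key + certificate
    private static final String KEY_STORE_PASSWORD = "changeit";
    private static final String TRUST_STORE_FILE = "/path/to/tsa-ca.jks";  // JKS holding only the TSA's CA chain
    private static final String TRUST_STORE_PASSWORD = "changeit";
    private static final String TSA_URL = "https://tsa.example.invalid/tsa";

    /**
     * SSLContext that both presents the client certificate (KeyManager) and verifies the server
     * against the truststore (TrustManager). No trust-all manager, no javax.net.ssl.* system
     * properties, and the JDK's default refusal of legacy (non-RFC 5746) renegotiation is kept.
     */
    static SSLContext buildSslContext() throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(KEY_STORE_FILE)) {
            keyStore.load(in, KEY_STORE_PASSWORD.toCharArray());
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, KEY_STORE_PASSWORD.toCharArray());

        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUST_STORE_FILE)) {
            trustStore.load(in, TRUST_STORE_PASSWORD.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    /** Request for the SHA-256 imprint of the data, with a random nonce and certReq so the TSA returns its cert. */
    static TimeStampRequest buildRequest(byte[] data) throws Exception {
        byte[] imprint = MessageDigest.getInstance("SHA-256").digest(data);
        TimeStampRequestGenerator gen = new TimeStampRequestGenerator();
        gen.setCertReq(true);
        BigInteger nonce = new BigInteger(64, new SecureRandom());  // lets validate() reject a replayed response
        return gen.generate(TSPAlgorithms.SHA256, imprint, nonce);
    }

    /** POSTs the DER request, checks the HTTP status and validates the response against the request. */
    static TimeStampToken requestTimestamp(byte[] data) throws Exception {
        TimeStampRequest request = buildRequest(data);
        byte[] reqData = request.getEncoded();

        HttpsURLConnection conn = (HttpsURLConnection) new URL(TSA_URL).openConnection();
        conn.setSSLSocketFactory(buildSslContext().getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/timestamp-query");
        conn.setFixedLengthStreamingMode(reqData.length);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(reqData);
        }
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            throw new IllegalStateException("TSA returned HTTP " + conn.getResponseCode());
        }
        byte[] respData;
        try (InputStream in = conn.getInputStream()) {
            respData = in.readAllBytes();
        }

        TimeStampResponse response = new TimeStampResponse(respData);
        response.validate(request);   // status, nonce and message imprint must match what was sent
        TimeStampToken token = response.getTimeStampToken();
        if (token == null) {          // granted responses carry a token; rejections carry only a status
            throw new IllegalStateException("TSA rejected the request: " + response.getStatusString());
        }
        return token;
    }

    public static void main(String[] args) throws Exception {
        TimeStampToken token = requestTimestamp("example document".getBytes(StandardCharsets.UTF_8));
        System.out.println("genTime: " + token.getTimeStampInfo().getGenTime());
    }
}
```

Two things this block deliberately leaves to the caller. First, `response.validate(request)` only ties the response to the request; verifying the token's signature against the TSA certificate is a separate step (`TimeStampToken.validate` with a `SignerInformationVerifier` built from that certificate). Second, none of the `sun.security.ssl.allowUnsafeRenegotiation` / `allowLegacyHelloMessages` settings from the top of the thread are applied: the debug excerpt above (`HelloRequest (empty)` arriving after application data, answered with a `no_negotiation` alert) is the JDK refusing a server-initiated renegotiation that lacks RFC 5746 secure renegotiation. Re-enabling the legacy form on the client reopens the weakness the Java update closed for every connection the JVM makes; the durable fix is for the server to support RFC 5746 or to request the client certificate in the initial handshake. Running with `-Djavax.net.debug=ssl,handshake` produces the same kind of log as the one quoted above and shows which of the two the server is doing.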
