> From: owner-openssl-us...@openssl.org On Behalf Of Kyle Hamilton
> Sent: Friday, 29 May, 2009 20:29

> "certificate unknown" means that the Java side sent an alert 
> to state that there's a problem with the certificate, but 
> it's not going to tell you what it is.  It probably 
> relates to the fact that the CA that you're using on your 
> openssl server isn't in the Java trust store.
> 
More precisely, in the Java trust store _being used_.
Java can support multiple trust (or key) stores if you want.

> (The most correct and appropriate alert in this case would be 
> "unknown CA", but many implementations won't send the correct 
> code due to security policies that the developers make on 
> behalf of their API
> clients.)
> 
> -Kyle H
> 
> On Fri, May 29, 2009 at 7:12 AM, Vyncke, Frank 
> <frank.vyn...@esko.com> wrote:

> > I don't know exactly what this error means, so it's hard to 
> > check what I am doing wrong. I presume I will have to setup some 
> > parameters on the JAVA side (the only thing I do different now 
> > versus the plain http setup is to change the URL to https).
> >
Meaning you use URL("https",...).openConnection() -> HttpsURLConnection?
(And don't set[Default]SSLSocketFactory?) That should use the (system) 
default SSLSocketFactory, which under the standard configuration uses 
an SSLContext which has a default (X.509/PKIX) TrustManager which uses 
the store in <JRE>/lib/security/jssecacerts if present, else cacerts 
(and a null X.509 KeyManager, which is usually okay for web clients).

Your client should have gotten javax.net.ssl.SSLHandshakeException 
referencing/caused by sun.security.validator.ValidatorException 
and sun.security.provider.certpath.SunCertPathBuilderException. 
You might check to see if this was reported, or why not.

> > Anybody an idea, and/or info on the things I need to setup on the 
> > JAVA side? I am using JAVA JRE 1.6
> >
See JSSERefGuide in the docs package under 'security' for (very!) 
full details. In brief, there are a number of possibilities:

- add the CAcert(s) you want to use to the default truststore(s)
-- assuming you have access on the client machine(s) and this 
doesn't interfere with (endanger?) any other Java app(s) there

- put the CAcert(s) you want to use in your own truststore 
(per-app or per-user or whatever) and configure to use that

- get for your server and use a cert under a 'wellknown' CA 
that is already in the distributed cacerts -- may cost money 

- have your client(s) request/allow anonymous ciphersuite(s) 
and your server use no certificate at all -- loses the benefit 
of server authentication 

- write your own TrustManager and/or CertPathValidator to do 
whatever you want (get certs or other auth data from other 
sources like LDAP or DNS or whatever, and accept or reject 
the server based on other information than the certs or 
fetched data such as hardcoding, manual choice, ...)
-- quite a bit more complicated 

Note that HttpsURLConnection also verifies that the server 
cert's name matches the desired (requested) URL.host. 
I'm not sure of the exact (default) rules since I use the 
lower-level SSL[Server]Socket which leaves this check to me.
According to the docs this can be overridden by writing 
and setting your own HostnameVerifier.
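The second option above (a per-app truststore holding only the CA that signed the OpenSSL server's cert) as an added, self-contained example; this is not code from the poster or from the JSSE docs. The CA PEM path, the truststore alias and the server URL are placeholders. The default PKIX TrustManager and the default HostnameVerifier are kept, so the server is still authenticated and its name still has to match the URL host; only the set of trusted roots changes. The handler at the end walks the exception chain so the ValidatorException / SunCertPathBuilderException mentioned above become visible instead of being swallowed. Written against the JRE 1.6 API the thread refers to (no try-with-resources).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class PrivateCaClient {

    // Build an SSLContext whose trust store contains only the given CA.
    // This deliberately does NOT touch <JRE>/lib/security/cacerts, so
    // other Java apps on the machine are unaffected.
    static SSLContext contextTrustingOnly(String caPemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        InputStream in = new FileInputStream(caPemPath); // placeholder path
        try {
            ca = (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }

        // Empty in-memory keystore used purely as a trust store.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("my-private-ca", ca); // alias is arbitrary

        // Default algorithm is PKIX: same validator the JRE uses for cacerts,
        // just fed a different set of trust anchors.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // null KeyManager[]: no client certificate, as in the thread's setup.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String caPem = args.length > 0 ? args[0] : "my-ca.pem";            // placeholder
        String url   = args.length > 1 ? args[1] : "https://localhost:4433/"; // placeholder

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // Per-connection factory; the JVM-wide default stays untouched.
        conn.setSSLSocketFactory(contextTrustingOnly(caPem).getSocketFactory());
        // No setHostnameVerifier(): the default check that the server cert's
        // name matches the URL host remains in force.

        try {
            int status = conn.getResponseCode();
            System.out.println("HTTP " + status + " from " + conn.getPeerPrincipal());
        } catch (SSLHandshakeException e) {
            // Surface the chain the JRE normally hides behind "certificate unknown":
            // SSLHandshakeException -> ValidatorException -> SunCertPathBuilderException
            Throwable t = e;
            while (t != null) {
                System.err.println("  " + t.getClass().getName() + ": " + t.getMessage());
                t = t.getCause();
            }
        } finally {
            conn.disconnect();
        }
    }
}
```

Run it as `java PrivateCaClient my-ca.pem https://host:port/`. If the CA file is the wrong one (or the server presents a cert signed by a different CA), the printed chain ends in a path-building failure, which is the diagnosis the poster was missing.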



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
