IT WORKS, IT WORKS, IT WORKS.
This is the end of a two-day nightmare putting SSL in place with JSSE.
In my previous email, attached here, everything was fine ... except that
keytool did not put the info where I wanted:
it put it in .keystore in my home directory:
mv .keystore $JAVA_HOME/lib/security/cacerts
There is an option in keytool to specify it at the command prompt:
-keystore cacerts (jssecacerts)
keytool -list now matches keytool -list -keystore cacerts.
The second thing is that the file is password protected.
I added the following code:
import java.net.URL;
import java.net.URLConnection;

// Register the JSSE 1.0.x provider and its https: URL handler.
java.security.Security.addProvider(new
    com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("java.protocol.handler.pkgs",
    "com.sun.net.ssl.internal.www.protocol");
// Dump the whole handshake to stdout while troubleshooting.
System.setProperty("javax.net.debug", "all");
/* System.setProperty("javax.net.ssl.keyStore","/tmp/keystore");
   keyStore holds our own key/certificate (key manager); the
   trust manager reads the trust store (cacerts / jssecacerts). */
// The default trust store is password protected.
System.setProperty("javax.net.ssl.trustStorePassword","password");
/* X509TrustManager tm = new MyX509TrustManager();
KeyManager []km = null;
TrustManager []tma = {tm};
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(km,tma,new java.security.SecureRandom());
//SSLSocketFactory sf1 = sc.getSocketFactory();
*/
URL url = new URL(strhost);
URLConnection uc = (URLConnection)url.openConnection();
More info at http://java.sun.com/products/jsse/CHANGES.txt
I've seen this problem posted since September 1999 without an answer in the
Sun Java forums.
I will post here a troubleshooting script containing all the problems
I've been facing
(problems inserting self-trusted root certificates with keytool,
playing with certificate formats, writing servlet code, debugging with
s_client and javax.net.debug).
Thanks to the members of this list for this great mailing list.
Manu.
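Added example, not Manu's code and not the JSSE 1.0 API of the thread: the same client written against the later javax.net.ssl API, loading the CA explicitly from the JKS file that "keytool -import -keystore" wrote to, so PKIX validation runs against that CA instead of a hand-rolled MyX509TrustManager. The trust store path, its password and the target URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class TrustedClient {
    // Assumed values: the JKS into which ca.der was imported with
    // keytool -import -trustcacerts -alias mycatest -file ca.der -keystore truststore.jks
    private static final String TRUST_STORE = "truststore.jks";
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    /** Build an SSLContext whose trust anchors are exactly the entries of the given JKS. */
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password); // for a trust store the password only checks integrity
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts); // standard PKIX path validation against the CA entries
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no key manager: server auth only
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String target = args.length > 0 ? args[0] : "https://localhost:443/"; // assumption
        SSLContext ctx = contextFromTrustStore(TRUST_STORE, TRUST_STORE_PASSWORD);
        HttpsURLConnection uc = (HttpsURLConnection) new URL(target).openConnection();
        uc.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            // getResponseCode() performs the handshake; hostname verification stays on
            System.out.println("HTTP " + uc.getResponseCode() + " via " + uc.getCipherSuite());
        } catch (SSLHandshakeException e) {
            // The failure mode from the thread: the server chain does not lead to a CA
            // present in this store (e.g. keytool wrote to ~/.keystore instead).
            System.err.println("Handshake rejected, CA not in " + TRUST_STORE + ": " + e.getMessage());
        }
    }
}
```

Run it with the URL of the mod_ssl server as the first argument; if the CA is missing from the store the handshake fails with a path-validation error rather than silently trusting the server.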
Hi everybody,
I hope this is the right place to post this question:
It's related to JSSE, keytool and OpenSSL: I cannot get a servlet
whose SSL implementation is JSSE to work against an OpenSSL server (Apache
+ mod_ssl).
I have a servlet (client) that opens an SSL connection to another
servlet (server).
"SSL" client code:
import java.net.URL;
import java.net.URLConnection;

// Register the JSSE 1.0.x provider and its https: URL handler.
java.security.Security.addProvider(new
    com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("java.protocol.handler.pkgs",
    "com.sun.net.ssl.internal.www.protocol");
// Dump the whole handshake to stdout while troubleshooting.
System.setProperty("javax.net.debug", "all");
URL url = new URL(strhost);
URLConnection uc = (URLConnection)url.openConnection();
The server servlet is under an Apache directive with mod_ssl enabled
and has no specific SSL Java code: the SSL connection is handled by
Apache + mod_ssl.
I generated my own CA certificate, which signed my server certificate
request:
openssl genrsa -des -out ca.key 1024
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
sign server.csr
restart apache
https://myurl : OK: new certificate window prompt. I can install it in
a browser.
Now I try to access a URL from my client servlet:
First set up JSSE and the default provider: OK.
Import the CA certificate into cacerts with keytool:
openssl x509 -in ca.crt -out ca.der -outform DER
keytool -import -trustcacerts -alias mycatest -file ca.der (keytool
accepts X.509 certificates)
Import the server certificate (because with the CA certificate it did
not work):
openssl x509 -in servera.crt -out server.der -outform DER
keytool -import -trustcacerts -alias mycatest -file server.der
keytool -list shows the two certificates.
Connection with: openssl s_client -connect localhost:443 -state -debug
depth=1 /C=FR/ST=france/L=paris/O=mycompany/OU=par/CN=Emmanuel
[EMAIL PROTECTED]
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
...
---
Certificate chain
0 s:[EMAIL PROTECTED]
  i:[EMAIL PROTECTED]
1 s:/C=FR/ST=france/L=paris/O=mycompany/OU=par/CN=nickaname
[EMAIL PROTECTED]
i:/C=FR/ST=france/L=paris/O=mycompany/OU=par/CN=nickaname
[EMAIL PROTECTED]
---
No client certificate CA names sent
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 512 bit
SSL-Session:
Protocol : TLSv1
Cipher: EDH-RSA-DES-CBC3-SHA
Session-ID:
610AF250BF396265C16FC34774F5AD3C7392DBCFFDF3F0336D61F1CA2251917C
Session-ID-ctx:
Master-Key:
EB3C8F5C1E6B04DB527E0EBB802CA7C6224AC77944C9FC6C342D26C0970C3509FF28DB40837BA5AB368A7BDE3D402D0A
Key-Arg : None
Start Time: 966719686
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Connection with the servlet / JSSE:
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
** SSL_RSA_EXPORT_WITH_RC4_40_MD5
[read] MD5 and SHA1 hashes: len = 74
: 02 00 00 46 03 01 39 9E F7 B3 CB 72 72 38 19 65
...F..9rr8.e
0010: 92 AA D7