I am trying to connect to an LDAP server with SSL enabled. I dont want to use authentication hence i have overridden SSLSocketFactory to allow every site. I am getting following error:
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: **handshake_failure**
javax.naming.CommunicationException: slc00ahj.us.oracle.com:3131 Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.jndi.ldap.Connection.<init>(Connection.java:209)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:116)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1582)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2678)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
at SumanLdapTest1.main(SumanLdapTest1.java:37)
SSL log is :
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(120) called
%% No cached client session
ClientHello, TLSv1
RandomCookie: GMT: 1357201614 bytes = { 70, 133, 164, 224, 89, 101, 204, 41, 107, 201, 176, 66, 93, 118, 139, 59, 50, 176, 84, 197, 238, 236, 187, 211, 158, 43, 159, 112 }
Session ID: {}
Cipher Suites: SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Compression Methods: { 0 }
***
**main, WRITE: TLSv1 Handshake, length = 75
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
main, called closeSocket()**
**My source code:**
public class **SumanLdapTest1**{
public static void main(String args[]){
try{
//System.setProperty("ldaps.protocols", "TLSv1");
System.out.println("here");
DirContext ctx = null;
String host="slc00ahj.us.oracle.com";
String port="3131";
String userName="cn=orcladmin";
String password="welcome1";
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
//env.put(Context.PROVIDER_URL, "ldap://" + host + ":"+ port+ "/");
env.put(Context.SECURITY_PRINCIPAL, userName);
env.put(Context.SECURITY_CREDENTIALS, password);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put("com.sun.jndi.ldap.connect.timeout", "120");
env.put(Context.PROVIDER_URL, "ldaps://" + host
+ ":" + port);
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put("java.naming.ldap.factory.socket","**SumanSSLFactory**");
ctx = new InitialDirContext(env);
}catch(Exception e){
e.printStackTrace();
}
}
}
public class SumanSSLFactory extends SSLSocketFactory {
private SSLSocketFactory factory = null;
private Exception exception = null;
public SumanSSLFactory() {
System.out.println("LdapSSLFactory initialization started...");
try {
this.factory = **getSSLSocketFactory**();
} catch (Exception ex) {
ex.printStackTrace();
System.out.println("LDAPSSLFactory Initialization error");
this.factory = null;
this.exception = ex;
}
System.out.println("LdapSSLFactory Initialization completed.");
}
public SSLSocket createSocket() throws IOException {
System.out.println("LdapSSLFactory.createSocket()");
if (this.factory == null)
throw new IOException();
SSLSocket st=null;
try{
(new Throwable()).printStackTrace();
st=(SSLSocket)this.factory.createSocket();
st.setEnabledProtocols( new String[] { "TLSv1", "SSLv3" } );
}catch(Exception e){
e.printStackTrace();
}
return st;
}
private SSLSocketFactory **getSSLSocketFactory**()
{
SSLSocketFactory sslSocketFactory = null;
System.out.println("Using Non Authenticated SSL Mechanism.");
try {
TrustManager[] tmA = { new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
X509Certificate[] issuers = new X509Certificate[0];
return issuers;
//return null;
}
public void checkClientTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
}
} };
// get the SSLContext and factory
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmA, null);
sslSocketFactory = ctx.getSocketFactory();
// System.setProperty("ldaps.protocols", "TLSv1");
System.out.println("SSOSocketUtil factory created sslSocketFactory"+sslSocketFactory);
} catch (Exception ex) {
ex.printStackTrace();
System.out.println("SSOSocketUtil factory exception");
}
return sslSocketFactory;
}
}
Any help on this will be appreciated
I would test without using your code for starters. For example, try to test an SSL operation of some kind using one of the LDAP Utils binaries (e.g: ldapsearch, ldapwhoami, etc). Make sure SSL/TLS works that way.
If it doesn't work, check your local system LDAP settings, and ALSO verify the certificate being used by the server is not expired and not self-signed (allowing self-signed certs is allowed, but requires further configuration).
Additionally, make sure the server is listening on your special port (3131?) via LDAPS and not LDAP. If regular LDAP is used for the listener, then SSL is not supported, but TLS (StartTLS) IS supported. Do note that LDAP SSL is technically deprecated in favor of TLS. If you have the ability to use TLS instead of SSL, you should.
Lastly on the server-side, make sure the RootDSE shows the OID for TLS/SSL support (1.3.6.1.4.1.1466.20037). If you do not see this, then SSL/TLS is not supported by the server (this is true at least for OpenLDAP).
If the command-line binary test works, then I would have to assume its either the code itself OR the system LDAP settings on the HOST from which the code runs. Or both.
I'm not skilled (at all) with JAVA, but I looked through your code anyway and didn't see anything obviously wrong. If there is direct problem with the code itself, I'm the wrong person to ask =)
If you cannot fix your code, if possible, try altering your code to NOT use SSL/TLS. At least you could ascertain that the intended functionality of your code works, just not the secure transport. That at least narrows it down significantly. Of course, if there are security concerns for this type of test, you might have to make special arrangements (e.g: use stunnel, or run the script locally on the LDAP server, etc).
I hope this helps...
Max
Related
I have set up an HTTPS server using grizzly 2.3.30 and jersey 2.25.1, which can be found here.
The server works well and I can curl to it with certificate-authority, certificate and key:
curl -v --cacert $CERTS/myCA.pem --key $CERTS/grizzly.key --cert $CERTS/grizzly.crt https://localhost:9999/hello
I want to intercept TLS/SSL requests, so I can log which ones fail like for example:
curl -v https://localhost:9999/hello
I am using Grizzly Http Server Framework with Jersey in this fashion:
public class MyGrizzlyServer {
public static void main(String[] args) throws Exception {
System.out.println("Hello main!");
String uriStr = "https://0.0.0.0:9999/";
URI uri = URI.create(uriStr);
final ResourceConfig rc = new ResourceConfig().packages("org");
HttpServer server = GrizzlyHttpServerFactory.createHttpServer(uri, rc, false);
SSLEngineConfigurator engineConfig = getSslEngineConfig();
for (NetworkListener listener : server.getListeners()) {
listener.setSecure(true);
listener.setSSLEngineConfig(engineConfig);
}
HttpHandler handler = server.getHttpHandler();
System.out.println("Http server start...");
server.start();
System.out.println("Hit enter to stop it...");
System.in.read();
server.shutdownNow();
}
private static SSLEngineConfigurator getSslEngineConfig() {
SSLContextConfigurator sslConfigurator = new SSLContextConfigurator();
sslConfigurator.setKeyStoreFile("./mycerts/grizzly.jks");
sslConfigurator.setKeyStorePass("awesome");
sslConfigurator.setTrustStoreFile("./mycerts/myCA.jks");
sslConfigurator.setTrustStorePass("mycapass");
sslConfigurator.setSecurityProtocol("TLS");
SSLContext context = sslConfigurator.createSSLContext(true);
SSLEngineConfigurator sslEngineConfigurator = new SSLEngineConfigurator(context);
sslEngineConfigurator.setNeedClientAuth(true);
sslEngineConfigurator.setClientMode(false);
return sslEngineConfigurator;
}
}
I have been reading Grizzly documentation to get familiarized with its internals.
Grizzly seems to pile filter chains for transport, ssl, http, etc.
I am experimenting with this, but haven't figured out how to achieve it yet.
Any hint will be appreciated.
After playing a bit with filter chains, I was able to remove default SSLBaseFilter and add a custom SSL Filter inherited from SSLBaseFilter.
That way I could captured exceptions thrown by failed TLS/SSL requests.
In MyGrizzlyServer server:
server.start();
NetworkListener listener = server.getListener("grizzly");
FilterChain filterChain = listener.getFilterChain();
int sslBaseFilterIndex = filterChain.indexOfType(SSLBaseFilter.class);
filterChain.remove(sslBaseFilterIndex);
MySslFilter sslFilter = new MySslFilter(sslEngineConfig);
filterChain.add(sslBaseFilterIndex, sslFilter);
With custom SSL filter:
public class MySslFilter extends SSLBaseFilter {
MySslFilter(SSLEngineConfigurator configurator) {
super(configurator);
}
#Override
public NextAction handleRead(FilterChainContext ctx) throws IOException {
NextAction nextAction = null;
try {
System.out.println(" *** MySslFilter handleRead ***" );
nextAction = super.handleRead(ctx);
} catch (IOException e) {
System.out.println(" *** MySslFilter Exception ***" );
e.printStackTrace();
}
return nextAction;
}
}
We have a small group of Tomcat servers running OpenJDK v1.7.0_111. We have plans to upgrade them and migrate them this summer but we've found that a client API we interact with is moving to require TLSv1.2 in the near term. My ultimate desire is to find a configuration change to allow for this.
The application hosted there creates it's SSL context in a pretty straight forward way:
SSLContext sslContext = SSLContexts.createDefault()
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext);
SSLContexts is from Apache's httpclient library (version 4.4.1) and is also pretty straight forward with how it creates the SSL context:
public static SSLContext createDefault() throws SSLInitializationException {
try {
SSLContext ex = SSLContext.getInstance("TLS");
ex.init((KeyManager[])null, (TrustManager[])null, (SecureRandom)null);
return ex;
} catch (NoSuchAlgorithmException var1) {
throw new SSLInitializationException(var1.getMessage(), var1);
} catch (KeyManagementException var2) {
throw new SSLInitializationException(var2.getMessage(), var2);
}
}
And digging through the SSLConnectionSocketFactory class, it appears that it's simply using the SSLSocket.getEnabledProtocols() method to determine which protocols are available for use. Note that this.supportedProtocols is null in my case.
public Socket createLayeredSocket(Socket socket, String target, int port, HttpContext context) throws IOException {
SSLSocket sslsock = (SSLSocket)this.socketfactory.createSocket(socket, target, port, true);
if(this.supportedProtocols != null) {
sslsock.setEnabledProtocols(this.supportedProtocols);
} else {
String[] allProtocols = sslsock.getEnabledProtocols();
ArrayList enabledProtocols = new ArrayList(allProtocols.length);
String[] arr$ = allProtocols;
int len$ = allProtocols.length;
for(int i$ = 0; i$ < len$; ++i$) {
String protocol = arr$[i$];
if(!protocol.startsWith("SSL")) {
enabledProtocols.add(protocol);
}
}
if(!enabledProtocols.isEmpty()) {
sslsock.setEnabledProtocols((String[])enabledProtocols.toArray(new String[enabledProtocols.size()]));
}
}
The problem I'm having is that while running a few preliminary tests I'm unable to get these clients to connect to an API requiring TLSv1.2.
In the following example I can get the URLConnection code to complete by including the -Dhttps.protocols=TLSv1.2 parameter, but I cannot get the Apache connection to connect.
public static void main(String[] args) throws Exception{
String testURL = "https://testapi.com";
SSLContext sslcontext = SSLContext.getInstance("TLS");
sslcontext.init(null, null, null);
try {
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslcontext);
CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(socketFactory).build();
HttpGet httpget = new HttpGet(testURL);
CloseableHttpResponse response = client.execute(httpget);
System.out.println("Response Code (Apache): " + response.getStatusLine().getStatusCode());
}
catch (Exception e){
System.err.println("Apache HTTP Client Failed");
e.printStackTrace();
}
try {
HttpsURLConnection urlConnection = (HttpsURLConnection) new URL(testURL).openConnection();
urlConnection.setSSLSocketFactory(sslcontext.getSocketFactory());
urlConnection.connect();
System.out.println("Response Code (URLConnection): " + urlConnection.getResponseCode());
}
catch (Exception e){
System.err.println("HttpsURLConnection Failed");
e.printStackTrace();
}
}
Along with the -Dhttps.protocols=TLSv1.2 I've tried the -Djdk.tls.client.protocols=TLSv1.2 and the -Ddeployment.security.TLSv1.2=true JVM parameters without any luck.
Does anyone have thoughts to how to enable TLSv1.2 in this configuration without upgrading to v8 or changing the application to specifically request an instance of TLSv1.2?
jdk.tls.client.protocols only works on Java 8 (and presumably 9) which you aren't using.
https.protocols only works by default in HttpsURLConnection which httpclient doesn't use.
deployment.* only applies to JNLP and applets (if any browser still permits applets) which you aren't using.
An answer to your Q as stated, at least for 4.5, assuming you use HttpClientBuilder or HttpClients (which you didn't say), is to use .useSystemProperties() or .createSystem(), respectively; these do use the same system properties as *URLConnection -- or at least many of them including https.protocols. You should check none of the other properties included in this set is configured to do something you don't want. This does require changing the apps, but not changing them 'to specifically request ... TLSv1.2'.
Other than that you can configure the SSLConnectionSocketFactory to specify the exact protocols allowed as in the Q linked by #pvg, or SSLContexts.custom().useProtocol(String).build() to specify the upper bound -- which is enough for your case because offering the range 'up to 1.2' to a server that requires 1.2 will select 1.2.
Here is the recommended way of configuring Apache HttpClient 4.x to use a specific TLS/SSL version
CloseableHttpClient client = HttpClientBuilder.create()
.setSSLSocketFactory(new SSLConnectionSocketFactory(SSLContext.getDefault(), new String[] { "TLSv1.2" }, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier()))
.build();
Vote up to dave_thompson_085's answer
Scenario, I'm dealing with a Webserver that it is a mess (no I do not control this part, I have to play the game, this was coded by one of the biggest software vendors in the world)
By default, the webserver has 2 SSL services, each one of those might have a totally different SSL Certificate
Certificate A
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength: 1024
Subject: *.dummy.nodomain
Issuer: *.dummy.nodomain
Certificate B
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength: 2048
Subject: vhcalnplcs_NPL_01
Issuer: root_NPL
Following the examples of this page
public List<String> doPostWithSSL(String direction, String dataToSend, String contentType, boolean OverrideSecurityVerifications) {
try {
URL url = new URL(direction);
List<String> webcontent = new ArrayList();
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setRequestMethod("POST");
conn.setRequestProperty("Host", getHostByUrl(direction));
conn = new UserAgentsLibrary().getRandomUserAgent(conn);
if (contentType != null) {
conn.setRequestProperty("Content-Type", contentType);
} else {
conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
}
conn.setDoOutput(true);
if (OverrideSecurityVerifications) {
try {
TrustManager[] trustAllCerts;
trustAllCerts = new TrustManager[]{new X509TrustManager() {
#Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
#Override
public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
}
#Override
public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
}
}};
// We want to override the SSL verifications
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, trustAllCerts, null);
SSLSocketFactory factory = ctx.getSocketFactory();
conn.setDefaultSSLSocketFactory(ctx.getSocketFactory());
HostnameVerifier allHostsValid = (String hostname1, SSLSession session) -> true;
conn.setDefaultHostnameVerifier(allHostsValid);
conn.setSSLSocketFactory(factory);
} catch (KeyManagementException kex) {
System.out.println("[+] Error bypassing SSL Security " + kex.getMessage());
} catch (NoSuchAlgorithmException nsex) {
System.out.println("[+] Error forgeting TLS " + nsex.getMessage());
}
}
OutputStreamWriter wr = new OutputStreamWriter(conn.getOutputStream());
wr.write(dataToSend);
wr.flush();
BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()));
String line;
while ((line = rd.readLine()) != null) { //todo+=line+"\n";
webcontent.add(line);
}
wr.close();
rd.close();
return webcontent;
} catch (MalformedURLException mex) {
System.out.println("[+] Error: I received a malformed URL");
return null;
} catch (SSLHandshakeException sslex) {
System.out.println("[+] Error: SSL Handshake Error!" + sslex.getMessage());
return null;
} catch (IOException ioex) {
System.out.println("[+] Error: Input/Output Error!" + ioex.getMessage());
return null;
}
}
I was able to make my program work with certificate B (no issue here) but I cannot make it to work with certificate A (I suspect that the * is causing me trouble)
Things to consider
This is a sample code, do not look for irrelevant details ;)
Yes, I know that this code is vulnerable to MITM attacks and the user is being warned
No, I do not want to add the certificates to my keystore!
I'm using pure J2EE code, I do not wish to use anything that it is not standard
I would like to find a solution that will work for Windows, Mac and Linux
Someone had to have this issue in the past, could you lend me a hand?
I was too tired yesterday.
Replaced conn.setDefaultHostnameVerifier(allHostsValid);
by conn.setHostnameVerifier(allHostsValid);
And now even the cert with the wildcard works!
I have installed the SSL/TLS certificate on the server following the instructions provided by Digicert on the below link. https://www.digicert.com/ssl-certificate-installation-java.htm
Also defined the TrustManager but still i am not able to establish the secure connection.
I am getting the connection failed error with reason "Error in connection establishment: net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
Below is my code to add SSL support.
private static void addSSLSupport(DefaultIoFilterChainBuilder chain)
throws Exception {
try {
KeyStore keyStore=KeyStore.getInstance("JKS");
char[] passphrase= {'t','e','s','t','s','s','l'};
keyStore.load(new FileInputStream("/home/ec2-user/digicert/mydomain.jks"),passphrase);
Util.logInfo("Key Store loaded");
SSLContext ctx=SSLContext.getInstance("TLS");
TrustManagerFactory trustFactory=TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(keyStore);
X509TrustManager defaultTrustManager = (X509TrustManager) trustFactory.getTrustManagers()[0];
ctx.init(null, trustFactory.getTrustManagers(), null);
SslFilter sslFilter = new SslFilter(ctx);
chain.addLast("sslFilter", sslFilter);
Util.logInfo("SSL ON");
}catch(Exception e){
Util.logError(e.toString());
throw e;
}
}
I have got it worked using KeyManager instead of TrustManager while initializing the SSLContext.
Below is the code for your reference.
private static void addSSLSupport(DefaultIoFilterChainBuilder chain)
throws Exception {
try {
KeyStore keyStore=KeyStore.getInstance("JKS");
char[] passphrase= {'t','e','s','t','s','s','l'};
keyStore.load(new FileInputStream("/root/mydomain.jks"),passphrase);
Util.logInfo("Key Store loaded");
KeyManagerFactory kmf = KeyManagerFactory
.getInstance(KEY_MANAGER_FACTORY_ALGORITHM);
kmf.init(keyStore, passphrase);
SSLContext ctx=SSLContext.getInstance("TLS");
ctx.init(kmf.getKeyManagers(), null, null);
SslFilter sslFilter = new SslFilter(ctx);
chain.addLast("sslFilter", sslFilter);
Util.logInfo("SSL ON");
}catch(Exception e){
Util.logError(e.toString());
throw e;
}
}
Thinking I'd hit the same issue as other folks, I've been going through the numerous similar problems and potential solutions, but with no luck.
The trust store I'm using is cacerts, located in lib/security of a Java 1.6.0 JRE (build 1.6.0_20-b02... could this be the root of the problem?). I've also tried with jssecacerts.
Using InstallCert (per other similar issues posted), I can see my certificate is in fact installed and valid (and I've removed it, re-imported it, etc to make sure I'm seeing the right data):
java InstallCert <my host name>
Loading KeyStore jssecacerts...
Opening connection to <my host name>:443...
Starting SSL handshake...
No errors, certificate is already trusted
Checking in keytool and Portecle, re-importing the cert (I've tried generating from openssl with -showcert, exporting from browsers and scp'ing it over, etc) gives me "That already exists under this other alias over here" type of message. So there doesn't appear to be any issue with the way the cert is getting into the tool(s).
Forcing explicit trustStore paths in the code doesn't make any difference, and in all cases what I end up seeing when I turn on debugging (via a setProperty of javax.net.debug to "all") is:
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2 [Raw write]: length = 7 0000: 15
03 01 00 02 02 2E ....... main, called
closeSocket() main, handling exception:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
Unfortunately I can't allow overriding the check by implementing my own TrustManager - it has to actually check.
The certificate I get from the host has a number of extensions (9, to be exact), which makes me wonder if they're somehow part of this issue.
What else can I check/try? Change over to a different JRE version?
You can still check the certificate by implementing your own trust manager. I ran into a similar issue here. I also tried adding the certificate to cacerts but to no avail.
In your trust manager, you need to explicitly load up the certificates. Essentially what I had to do was something like this:
First I create a trust manager that uses the actual certificate files:
public class ValicertX509TrustManager implements X509TrustManager {
X509TrustManager pkixTrustManager;
ValicertX509TrustManager() throws Exception {
String valicertFile = "/certificates/ValicertRSAPublicRootCAv1.cer";
String commwebDRFile = "/certificates/DR_10570.migs.mastercard.com.au.crt";
String commwebPRODFile = "/certificates/PROD_10549.migs.mastercard.com.au.new.crt";
Certificate valicert = CertificateFactory.getInstance("X509").generateCertificate(this.getClass().getResourceAsStream(valicertFile));
Certificate commwebDR = CertificateFactory.getInstance("X509").generateCertificate(this.getClass().getResourceAsStream(commwebDRFile));
Certificate commwebPROD = CertificateFactory.getInstance("X509").generateCertificate(this.getClass().getResourceAsStream(commwebPRODFile));
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(null, "".toCharArray());
keyStore.setCertificateEntry("valicert", valicert);
keyStore.setCertificateEntry("commwebDR", commwebDR);
keyStore.setCertificateEntry("commwebPROD", commwebPROD);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
trustManagerFactory.init(keyStore);
TrustManager trustManagers[] = trustManagerFactory.getTrustManagers();
for(TrustManager trustManager : trustManagers) {
if(trustManager instanceof X509TrustManager) {
pkixTrustManager = (X509TrustManager) trustManager;
return;
}
}
throw new Exception("Couldn't initialize");
}
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
pkixTrustManager.checkServerTrusted(chain, authType);
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
pkixTrustManager.checkServerTrusted(chain, authType);
}
public X509Certificate[] getAcceptedIssuers() {
return pkixTrustManager.getAcceptedIssuers();
}
}
Now, using this trust manager, I had to create a socket factory:
public class ValicertSSLProtocolSocketFactory implements ProtocolSocketFactory {
private SSLContext sslContext = null;
public ValicertSSLProtocolSocketFactory() {
super();
}
private static SSLContext createValicertSSLContext() {
try {
ValicertX509TrustManager valicertX509TrustManager = new ValicertX509TrustManager();
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, new ValicertX509TrustManager[] { valicertX509TrustManager}, null);
return context;
}
catch(Exception e) {
Log.error(Log.Context.Net, e);
return null;
}
}
private SSLContext getSSLContext() {
if(this.sslContext == null) {
this.sslContext = createValicertSSLContext();
}
return this.sslContext;
}
public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort) throws IOException {
return getSSLContext().getSocketFactory().createSocket(host, port, clientHost, clientPort);
}
public Socket createSocket(final String host, final int port, final InetAddress localAddress, final int localPort, final HttpConnectionParams params) throws IOException {
if(params == null) {
throw new IllegalArgumentException("Parameters may not be null");
}
int timeout = params.getConnectionTimeout();
SocketFactory socketFactory = getSSLContext().getSocketFactory();
if(timeout == 0) {
return socketFactory.createSocket(host, port, localAddress, localPort);
}
else {
Socket socket = socketFactory.createSocket();
SocketAddress localAddr = new InetSocketAddress(localAddress, localPort);
SocketAddress remoteAddr = new InetSocketAddress(host, port);
socket.bind(localAddr);
socket.connect(remoteAddr, timeout);
return socket;
}
}
public Socket createSocket(String host, int port) throws IOException {
return getSSLContext().getSocketFactory().createSocket(host, port);
}
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
return getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose);
}
public boolean equals(Object obj) {
return ((obj != null) && obj.getClass().equals(ValicertSSLProtocolSocketFactory.class));
}
public int hashCode() {
return ValicertSSLProtocolSocketFactory.class.hashCode();
}
}
Then I just registered a new protocol:
Protocol.registerProtocol("vhttps", new Protocol("vhttps", new ValicertSSLProtocolSocketFactory(), 443));
PostMethod postMethod = new PostMethod(url);
for (Map.Entry<String, String> entry : params.entrySet()) {
postMethod.addParameter(entry.getKey(), StringUtils.Nz(entry.getValue()));
}
HttpClient client = new HttpClient();
int status = client.executeMethod(postMethod);
if (status == 200) {
StringBuilder resultBuffer = new StringBuilder();
resultBuffer.append(postMethod.getResponseBodyAsString());
return new HttpResponse(resultBuffer.toString(), "");
} else {
throw new IOException("Invalid response code: " + status);
}
The only disadvantage is that I had to create a specific protocol (vhttps) for this particular certificate.
The SSL debug trace will show which cacerts file you are using, as long as you don't manually load it yourself. Clearly you aren't using the one you think you are.
My guess is either of these things happened:
a) You run your code on a web server. They often use their own trust store - so are you really sure that it's cacerts that's being used when your code is executed?
b) By default, Java will try to check the validity of the certificates by downloading and interpreting CRLs. If you are behind a proxy, the download fails, and as a consequence the whole PKIX check would fail.