
RE: SSL Problems



So perhaps I need to clarify.

A fake certificate is not signed.  It is simply one you generate (and
which is also free vs. > $1000).  It is valid in the sense that the API
knows what to do with it, it is fake in the sense that the world at
large should not trust it.

If your desire is to skip certificate verification altogether, it's most
likely the case you will need to implement one or more of the interfaces
provided in the SSL implementation, and let the runtime engine know that
you want to use those first via the java.security file.  The interface I
remember is Provider, although TrustManager may have something to do
with it as well.  Thus the "not easy, or even desirable" part.  Since
certificate verification is an integral part of SSL, it may be tricky
finding an implementation that turns this off.

I apologize for the weak references, merely trying to point people in
the right direction.  YMMV.



-----Original Message-----
From: cfowler [mailto:cfowler@outpostsentinel.com] 
Sent: Monday, February 03, 2003 11:52 AM
To: ajug-members@ajug.org
Subject: RE: SSL Problems

Some people have legitimate reasons to not sign their certs.
In some cases the network the app is running on is private but still
requires encryption and not certificate verification.  In my case I
could care less if the remote had a cert or not I just want 128bit
encryption of my data.




On Mon, 2003-02-03 at 11:47, Ty Connell wrote:
> From what I remember...
> 
> I don't think it's easy, or even desirable to get around this error.
> Understand that the following is posted from the cobwebs of several
> years ago.
> 
> It should be possible to generate a "fake" certificate and use that
> instead.  Typically, a real certificate is generated by someone like
> VeriSign, and the certificate is digitally signed by them.  Since they
> are a root Certifying Authority, the certificate is trusted as being
> valid as long as it is associated with the correct URL.  
> 
> I forget how to generate the fake one exactly, but I would check the
> keystore documentation that comes with the jdk, and if that fails go to
> the ssl api doc.  Once the certificate is generated by you, I *think*
> you just need to import it into the keystore.  At that point, you have
> certified that you trust it, and it should get used.  
> 
> Be careful that you import it into the right keystore.  I seem to
> remember that there are more than one of them lying around in the
> install(s), and I was never fully sure which one was used.
> 
> Hope this is of some use.
> 
> -ty
> 
> -----Original Message-----
> From: cfowler [mailto:cfowler@outpostsentinel.com] 
> Sent: Monday, February 03, 2003 11:29 AM
> To: Jefferson Silva
> Cc: ajug-members@ajug.org
> Subject: Re: SSL Problems
> 
> I'll forward this to the list for more responses.
> 
> A while back I did get a response and sample code.  But that code
> overrode deprecated methods.  And that did not work.
> 
> 
> 
> On Mon, 2003-02-03 at 11:13, Jefferson Silva wrote:
> > Hi, 
> > 
> > I'm trying to create a client to access my server, and I got the same
> > problem you got some time. I saw your post to the forum. Have you got a
> > solution for your problem? If so, could you help me?
> > 
> > I'm trying to do almost the same you've tried.
> > 
> > Thanks a lot
> > Regards,
> > Jefferson
> > 
> > 
> > SSL Refusal
> > 
> > *	To: ajug-members@ajug.org <mailto:ajug-members@ajug.org> 
> > *	Subject: SSL Refusal 
> > *	From: "Christopher Fowler" <cfowler@outpostsentinel.com
> > <mailto:cfowler@outpostsentinel.com>> 
> > *	Date: Tue, 08 Oct 2002 17:47:46 -0400 
> > *	Reply-To: cfowler@outpostsentinel.com
> > <mailto:cfowler@outpostsentinel.com> 
> > 
> > I use https on my server but do not have a trusted certificate.  I use
> > it strictly for the encryption capabilities.  Do I need to enable a 
> > switch in the URL connection to be able to get past this error:
> > 
> > 
> > javax.net.ssl.SSLHandshakeException: 
> > java.security.cert.CertificateException: Couldn't find trusted 
> > certificate
> >         at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
> >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
> >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
> >         at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
> >         at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
> >         at com.sun.net.ssl.int
> > 
> > 
> 
> 
>