
Re: SSL Problems



Been there, solved that issue.

What I did:
1) I built a standalone Java app that needed to call HTTPS.
2) I was able to distribute my own custom JRE with the app using InstallAnywhere.
3) Using OpenSSL on Linux 7.2 I generated a CSR.
4) Using a tool called sign.sh I generated a cert.
5) I imported that cert into a custom Java keystore.
6) I went into my custom JRE under */jre/lib/security and replaced the cacerts file with my above custom keystore, keeping the same file name, cacerts.

The client then knows all about my home-grown cert and does not throw the

    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Couldn't find trusted certificate

exception.
I also chose to use DSA so browsers cannot hit my HTTPS server, which is Jetty 3.8, and try to access my JSP / Servlet / JDBC pages talking to an Oracle DB on my internal LAN.

This was what I did; in this case I don't know your limits and specs.
+James P.
 
--- Brian Lee <brian_a_lee@hotmail.com> wrote:
> You have to import the certificate authority (CA) cert that signed the
> current SSL session's cert to your trusted certs directory.
>
> I believe you can do this by modifying the jre/lib/security/cacerts file
> with your CA cert. You can use Sun's keytool for this.
> http://java.sun.com/docs/books/tutorial/security1.2/summary/tools.html
>
> In order to create your own certificate you must create a certificate
> authority cert that you use to sign your custom certs. I always used
> Microsoft's Certificate Server from the NT4 Option Pack, but there are tons of
> other cert software packages out there.
>
> The idea behind the certificate authority is that they are supposed to
> verify that you own the domain the certificate is assigned to. This prevents
> bad hackers from pretending to be your domain with their own certificate.
> The reality is that VeriSign costs anywhere from $400 up for one cert and
> sometimes you just need encryption on your own apps or for your own
> application (a la hushmail).
>
> BAL
> 
> >From: cfowler <cfowler@outpostsentinel.com>
> >To: Jefferson Silva <Jefferson.Silva@eldorado.org.br>
> >CC: ajug-members@ajug.org
> >Subject: Re: SSL Problems
> >Date: 03 Feb 2003 11:28:58 -0500
> >
> >I'll forward this to the list for more responses.
> >
> >A while back I did get a response and sample code. But that code
> >overrode deprecated methods. And that did not work.
> >
> >On Mon, 2003-02-03 at 11:13, Jefferson Silva wrote:
> > > Hi,
> > >
> > > I'm trying to create a client to access my server, and I got the same
> > > problem you got some time ago. I saw your post to the forum. Have you got
> > > a solution for your problem? If so, could you help me?
> > >
> > > I'm trying to do almost the same as you've tried.
> > >
> > > Thanks a lot
> > > Regards,
> > > Jefferson
> > >
> > >
> > > SSL Refusal
> > >
> > > *	To: ajug-members@ajug.org <mailto:ajug-members@ajug.org>
> > > *	Subject: SSL Refusal
> > > *	From: "Christopher Fowler" <cfowler@outpostsentinel.com <mailto:cfowler@outpostsentinel.com>>
> > > *	Date: Tue, 08 Oct 2002 17:47:46 -0400
> > > *	Reply-To: cfowler@outpostsentinel.com <mailto:cfowler@outpostsentinel.com>
> > >
> > > I use https on my server but do not have a trusted certificate. I use
> > > it strictly for the encryption capabilities. Do I need to enable a
> > > switch in the URL connection to be able to get past this error:
> > >
> > > javax.net.ssl.SSLHandshakeException:
> > > java.security.cert.CertificateException: Couldn't find trusted
> > > certificate
> > >         at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
> > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
> > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
> > >         at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
> > >         at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
> > >         at com.sun.net.ssl.int
> > >


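As an added example (not code from anyone in this thread), a client that trusts the in-house CA without overwriting the JRE's cacerts: it loads a separate truststore holding only that CA and uses it for one HttpsURLConnection, so every public CA stays trusted for everything else on the same JRE and chain and hostname checks remain in force. The truststore file name, alias, password and URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PrivateCaClient {

    // Build an SSLContext whose trust anchors come only from the given
    // truststore file. Create that file once from the CA's PEM cert, e.g.:
    //   keytool -importcert -alias private-ca -file ca.pem \
    //           -keystore private-ca.p12 -storetype PKCS12 -noprompt
    // (file names and alias are placeholders)
    static SSLContext contextTrusting(String trustStorePath, char[] storePassword)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, storePassword);
        }
        // The default (PKIX) trust manager still validates the chain, validity
        // dates and extensions; only the set of trusted roots is replaced.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; pass real ones on the command line.
        String url = args.length > 0 ? args[0] : "https://intranet.example.invalid/";
        String trustStorePath = args.length > 1 ? args[1] : "private-ca.p12";
        char[] storePassword = (args.length > 2 ? args[2] : "changeit").toCharArray();

        SSLContext ctx = contextTrusting(trustStorePath, storePassword);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // Scoped to this connection: the JRE's cacerts file is left untouched,
        // so other code on the same JRE keeps trusting the public CAs.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier stays in place, so the server cert must
        // also name the host in the URL; do not swap in an accept-all verifier.
        System.out.println("HTTP " + conn.getResponseCode()
            + " over " + conn.getCipherSuite());
    }
}
```

The same truststore can also be applied for a single JVM run without code changes via -Djavax.net.ssl.trustStore=private-ca.p12 -Djavax.net.ssl.trustStorePassword=..., which likewise leaves the bundled cacerts file intact.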