IBM/Sun SSL Headaches

Brian J. Sayatovic

(I apologize for the earlier, aborted posting)

I've written a simple test program that just opens and reads from an SSL URL
to try and find the source of the problem I'm having connecting to a secure
site from within a WAS4-deployed application. I've run this test in two
different configurations:

1. WAS4 JRE (including IBM's JSSE) with the following pre-connection code:
// IBM's JSSE
Security.addProvider(new com.ibm.jsse.IBMJSSEProvider());
System.setProperty("java.protocol.handler.pkgs",
"com.ibm.net.ssl.internal.www.protocol");

2. Sun's JRE 1.3.1_06 (with Sun's JSSE 1.0.3) with the following
pre-connection code:
// Sun's JSSE
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("java.protocol.handler.pkgs",
"com.sun.net.ssl.internal.www.protocol");

To add to the uncertainty I'm having, I'm testing against two SSL sites.
The first, A, has a known-good Verisign-rooted SSL certificate. The other,
B, has a certificate that appears to be Verisign-rooted, but I'm not certain.
Both sites appear in Internet Explorer without any special warnings.

When I use the WAS4 JRE configuration (1) against the known-good site (A), I
get an SSLHandshakeException with the description "bad certificate". If I
hit the same site using the Sun JRE configuration (2), it successfully
connects to the site.

I've not even gone on to testing the second site (B) since I can't even get
the known-good site (A) to work with the WAS4 JRE (1) configuration. It is
necessary to get that configuration working as that is the production
configuration.

Can anyone help?

Regards,
Brian
 
Sudsy

Brian said:
(I apologize for the earlier, aborted posting)

I've written a simple test program that just opens and reads from an SSL URL
to try and find the source of the problem I'm having connecting to a secure
site from within a WAS4-deployed application. I've run this test in two
different configurations:

1. WAS4 JRE (including IBM's JSSE) with the following pre-connection code:
// IBM's JSSE
Security.addProvider(new com.ibm.jsse.IBMJSSEProvider());
System.setProperty("java.protocol.handler.pkgs",
"com.ibm.net.ssl.internal.www.protocol");

I have successfully connected to SSL sites (Internet payment processors)
using the following configuration:

In my $JAVA_HOME/jre/lib/security/java.security:

security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse.JSSEProvider

In my daemon code:

System.setProperty( "java.protocol.handler.pkgs",
"com.ibm.net.ssl.internal.www.protocol" );

The only difference is that I didn't use the Security.addProvider.
 
Brian J. Sayatovic

Thank you for the reply, Sudsy.

I've since investigated further and found that the third-party site
I'm having trouble with appears to only be sending its cert, not its
whole cert-chain. Thus, JSSE can't verify that the server is who it
says it is since I don't trust it directly and have no information
about how to trust who signed it.

Other sites that do work send a whole cert-chain and thus, can be
verified.

I'm investigating now, though, why IE can handle this site fine as a
browser, but Java code with JSSE can't.

Regards,
Brian.
 
Sudsy

Brian said:
Thank you for the reply, Sudsy.

I've since investigated further and found that the third-party site
I'm having trouble with appears to only be sending its cert, not its
whole cert-chain. Thus, JSSE can't verify that the server is who it
says it is since I don't trust it directly and have no information
about how to trust who signed it.

Other sites that do work send a whole cert-chain and thus, can be
verified.

I'm investigating now, though, why IE can handle this site fine as a
browser, but Java code with JSSE can't.

Regards,
Brian.

It could have been that you accepted the credentials when you were
viewing the page in the browser (probably a while back).
I don't know how to do it in IE but in Netscape 7.1 I go
Edit->Preferences, expand Privacy & Security, select Certificates,
click on Manage Certificates button then click on the Web Sites
tab.
If the software "doesn't know how to get there from here" (i.e. if
the certificate chain doesn't lead back to a trusted CA) then it's
not really a bug.
Glad to hear that you've at least been able to connect to the
first site you mentioned.
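
As an added example (this is not code from the thread, nor from IBM's or Sun's JSSE), the following program performs the diagnostic Brian describes above and the check Sudsy refers to: it records the certificates the server actually sends in its handshake, then runs PKIX path building against the JRE's default truststore, which is what JSSE's trust manager does internally. A site that sends only its leaf certificate fails exactly as described in this thread whenever the leaf's issuer is an intermediate CA rather than a root already in the truststore. The code uses the standard javax.net.ssl and java.security.cert APIs of JDK 1.4 and later, not the older com.sun.net.ssl / com.ibm.net.ssl packages configured in the posts above; the hostname and port are placeholders, and the recording trust manager deliberately performs no validation, so it is suitable for diagnosis only.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

/** Shows what a server sends in its Certificate message and whether PKIX can chain it to the JRE truststore. */
public class ChainCheck {

    public static void main(String[] args) throws Exception {
        // Hostname and port are placeholders (assumed); pass the site under test on the command line.
        String host = args.length > 0 ? args[0] : "example.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        X509Certificate[] sent = captureChain(host, port);
        System.out.println("Server sent " + sent.length + " certificate(s):");
        for (X509Certificate c : sent) {
            System.out.println("  subject: " + c.getSubjectX500Principal());
            System.out.println("  issuer:  " + c.getIssuerX500Principal());
        }
        if (sent.length == 0) {
            System.out.println("No certificate received; the handshake did not reach the Certificate message.");
            return;
        }
        try {
            List<X509Certificate> path = buildPath(sent, defaultAnchors());
            System.out.println("PKIX path built (" + path.size() + " certs, anchor: "
                    + path.get(path.size() - 1).getSubjectX500Principal() + ")");
        } catch (CertPathBuilderException e) {
            System.out.println("PKIX path building failed: " + e.getMessage());
            boolean selfSigned = sent[0].getSubjectX500Principal().equals(sent[0].getIssuerX500Principal());
            if (sent.length == 1 && !selfSigned) {
                // The situation described in the thread: leaf only, and its issuer is not a trust anchor.
                System.out.println("Server sent only its leaf and the issuer is not in the truststore:"
                        + " the intermediate CA certificate is missing from the server's chain.");
            }
        }
    }

    /**
     * Opens a TLS connection whose trust manager records the server's chain instead of validating it.
     * Diagnostic only: this connection performs NO authentication of the peer, so never reuse
     * this trust manager in application code.
     */
    static X509Certificate[] captureChain(String host, int port) throws IOException, GeneralSecurityException {
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { seen[0] = chain; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        return seen[0] == null ? new X509Certificate[0] : seen[0];
    }

    /** Trust anchors from the JRE's default truststore (cacerts, or javax.net.ssl.trustStore if set). */
    static Set<TrustAnchor> defaultAnchors() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }
        return anchors;
    }

    /**
     * Runs the same PKIX path building JSSE does: the leaf is the target, the other certificates the
     * server sent are candidate intermediates, and the path must end at a trust anchor.
     * Returns the path leaf-first, with the anchor appended.
     */
    static List<X509Certificate> buildPath(X509Certificate[] sent, Set<TrustAnchor> anchors)
            throws GeneralSecurityException {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(sent[0]);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false);  // keep the check offline; production validation should check revocation
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(sent))));
        PKIXCertPathBuilderResult result =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
        List<X509Certificate> path = new ArrayList<>();
        for (Certificate c : result.getCertPath().getCertificates()) {
            path.add((X509Certificate) c);
        }
        path.add(result.getTrustAnchor().getTrustedCert());
        return path;
    }
}
```

Run it as `java ChainCheck host 443`. If the output lists a single certificate and path building fails, the server is not sending its intermediate, which is the server operator's problem to fix (send the full chain). As a client-side workaround, importing the missing intermediate CA certificate into the JRE truststore with `keytool -importcert` lets the builder find it. This also explains the IE-versus-JSSE difference asked about above: a browser may have cached that intermediate from an earlier visit or fetched it from the URL in the leaf's Authority Information Access extension, whereas JSSE builds the path only from what the server sent plus the local truststore.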
 
