Solution - Verisign expired root CA and "No trusted certificate found" using JSSE

Discussion in 'Java' started by Neill, Jul 29, 2005.

  1. Neill

    Neill Guest

    Not sure where to start with this one, my frustration over not being able to
    find ANY documentation regarding a relatively common problem, the process I
    followed to find the solution, or just post the solution. Either way, it's
    aggravating to the extreme to bump up against the divide between the
    programming elite, and ordinary programmers like myself, only to find the
    barrier to the information to be nothing less than kindergarten antics,
    corporate indifference, or just plain laziness on the part of those who have
    gone before, not to blaze the trail.

    Problem - when attempting to establish a client SSLSocket connection to a
    server, "javax.net.ssl.SSLHandshakeException:
    sun.security.validator.ValidatorException: No trusted certificate found" is
    thrown.

    The solution was a bit elusive. Posts to newsgroups and other forums dealt
    with accepting self-signed certificates and involved using the keytool to
    import the server public key, but I was only trying to establish a
    connection to a server. The cacerts file existed in the /jre/lib/security
    directory, and I tried setting a number of System properties with no results
    until using System.setProperty ("javax.net.debug", "all"); which led me to
    believe the problem may be in the cacerts file. The keytool threw an
    exception using -printcerts, so I was able to use iKeyman in the WebSphere
    distribution to view the certificates in the file. I was able to determine
    the Verisign root CA was expired, and stumbled onto the new root CA on the
    Verisign site at https://getca.verisign.com/update.html. Click on accept,
    save the .cer file, and import it into "cacerts" using keytool. I used
    iKeyman and deleted the expired certificates. This solved the immediate
    problem, and I am able to get back on track working on the shopping cart
    application I've been working on off and on.

    Of course, if you're not a masochist, you can simply d/l the latest JDK from
    Sun, which addresses the issue since JDK 1.4.2_03 (I'm using 1.4.2-b28; note
    to self: d/l latest version) as described in the support document on Sun's
    website at http://www.java.com/en/download/help/cacerts.xml.

    It's surprising to me that the support doc isn't better catalogued so that
    someone may actually find it. I suppose I could be thankful, because it
    allowed me the opportunity to learn something on my own. I think that's a
    red herring, however, because there are a handful of posts out there,
    including mine, which went by unnoticed by the elite or lazy, too busy
    chasing their own herring to respond, I suppose.

    TODO: add rate this article feature to blog site

    Posted online at
    http://www.laneyconsulting.com/web/blog.nsf/plinks/NLAY-6ER9CF


    --

    Neill Laney
    http://www.laneyconsulting.com
    Neill, Jul 29, 2005
    #1
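    The expired-root check done by hand in iKeyman above can be scripted against
    the JRE trust store. The following is an added example, not code from this
    thread; it assumes the default cacerts location under java.home, the
    documented default cacerts password "changeit", and a 90-day "expiring soon"
    threshold chosen for illustration:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;

/** Audits the trust anchors in a JKS/PKCS12 trust store for expiry (added example). */
public class TrustStoreAudit {

    /** Days before expiry at which a root is flagged as "expiring soon" (assumed threshold). */
    static final long WARN_DAYS = 90;

    public static void main(String[] args) throws Exception {
        // Default location of the JRE trust store; override with a path argument.
        String path = args.length > 0 ? args[0]
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
        // "changeit" is the documented default password for the JRE cacerts file.
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        Date now = new Date();
        Date horizon = new Date(now.getTime() + WARN_DAYS * 24L * 60 * 60 * 1000);
        int expired = 0, soon = 0, ok = 0;

        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;   // skip private-key entries
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            try {
                x.checkValidity(now);   // throws if now is outside [notBefore, notAfter]
                if (x.getNotAfter().before(horizon)) {
                    soon++;
                    System.out.printf("EXPIRING      %-40s notAfter=%s%n", alias, x.getNotAfter());
                } else {
                    ok++;
                }
            } catch (CertificateExpiredException e) {
                expired++;
                System.out.printf("EXPIRED       %-40s notAfter=%s subject=%s%n",
                        alias, x.getNotAfter(), x.getSubjectX500Principal());
            } catch (CertificateNotYetValidException e) {
                System.out.printf("NOT-YET-VALID %-40s notBefore=%s%n", alias, x.getNotBefore());
            }
        }
        System.out.printf("%d valid, %d expiring within %d days, %d expired (%s)%n",
                ok, soon, WARN_DAYS, expired, path);
    }
}
```

    Run as java TrustStoreAudit [path [password]]. keytool -list -v -keystore
    cacerts prints the same notAfter dates, but this flags the stale entries
    instead of leaving you to read every one. An expired anchor produces exactly
    the "No trusted certificate found" failure described in the post, so this
    check belongs in whatever job keeps deployed JREs current; replacing the
    whole cacerts file from a current JDK, as the Sun document suggests, is still
    cleaner than deleting entries by hand.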

  2. Steve Sobol

    Steve Sobol Guest

    Re: Solution - Verisign expired root CA and "No trusted certificate found" using JSSE

    Neill wrote:
    > Not sure where to start with this one, my frustration over not being able to
    > find ANY documentation regarding a relatively common problem, the process I
    > followed to find the solution, or just post the solution.


    Neill,

    As an alternative solution, I have a class which loads a keystore from a
    URL. I used it for a program that speaks XMLRPC to an SSL website that has a
    not-widely-recognized SSL certificate, which otherwise would cause JSSE to
    refuse to connect to the site. If you want me to, or if anyone else is
    interested, I'll post the code on my blog. It's pretty simple.


    --
    Steve Sobol, Professional Geek 888-480-4638 PGP: 0xE3AE35ED
    Company website: http://JustThe.net/
    Personal blog, resume, portfolio: http://SteveSobol.com/
    E: Snail: 22674 Motnocab Road, Apple Valley, CA 92307
    Steve Sobol, Jul 29, 2005
    #2
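    The keystore-from-URL approach described in the reply above, as an added
    example that is not Steve's class or any code from this thread: it loads a
    trust store from a URL into a TrustManagerFactory and builds an SSLContext
    from it, so that only the CAs in that store are trusted, rather than
    disabling validation. The trust store URL, its password and the target host
    are command-line arguments assumed for illustration.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLSocketFactory that trusts only the CA certificates in a
 * caller-supplied trust store, instead of the JRE's cacerts. Added example.
 */
public class PinnedTrustStoreClient {

    /** Loads a JKS/PKCS12 trust store from any URL (file:, https:, ...) and wraps it in a factory. */
    public static SSLSocketFactory factoryFor(URL trustStoreUrl, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = trustStoreUrl.openStream()) {
            trust.load(in, password);
        }
        // Only the TrustManager is replaced; no client key material (KeyManager) is supplied.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** Opens a socket, enables hostname verification, and completes the handshake before any data flows. */
    public static SSLSocket connect(SSLSocketFactory factory, String host, int port) throws Exception {
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        // A raw SSLSocket checks the chain but not that the certificate matches the
        // host name; endpoint identification (Java 7+) closes that gap.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();   // throws SSLHandshakeException on an untrusted chain
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments, e.g.: file:/path/to/truststore.p12 changeit www.example.com
        URL url = new URL(args[0]);
        SSLSocketFactory factory = factoryFor(url, args[1].toCharArray());
        try (SSLSocket s = connect(factory, args[2], 443)) {
            System.out.println("handshake ok, peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

    The trust store is the whole basis for the connection's authenticity, so if
    it is fetched over the network the fetch must itself be trustworthy (a file:
    URL, an https: URL validated against the JRE store, or a pinned hash of the
    store); otherwise whoever controls that download controls which CAs the
    client accepts.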

  3. Neill

    Neill Guest

    "Steve Sobol" <> wrote in message
    news:dcdll8$7gf$...
    > Neill wrote:
    > > Not sure where to start with this one, my frustration over not being able to
    > > find ANY documentation regarding a relatively common problem, the process I
    > > followed to find the solution, or just post the solution.
    >
    > Neill,
    >
    > As an alternative solution, I have a class which loads a keystore from a
    > URL. I used it for a program that speaks XMLRPC to an SSL website that has a
    > not-widely-recognized SSL certificate, which otherwise would cause JSSE to
    > refuse to connect to the site. If you want me to, or if anyone else is
    > interested, I'll post the code on my blog. It's pretty simple.


    Thanks for the response. For posterity, here's my code to establish an SSL
    connection. If you want to reply with your keystore class for completeness,
    please do.

    BTW, the following is standard stuff, and can be found in any number of
    posts by others -

    import java.io.IOException;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;

    SSLSocket sslSocket = null;
    String hostName = "www.myhost.com";
    try {
        /*
         * Before any application data is sent or received, the
         * SSL socket will do SSL handshaking first to set up
         * the security attributes.
         *
         * SSL handshaking can be initiated by either flushing data
         * down the pipe, or by starting the handshaking by hand.
         *
         * Handshaking is started manually in this example because
         * PrintWriter catches all IOExceptions (including
         * SSLExceptions), sets an internal error flag, and then
         * returns without rethrowing the exception.
         *
         * Unfortunately, this means any error messages are lost,
         * which caused lots of confusion for others using this
         * code. The only way to tell there was an error is to call
         * PrintWriter.checkError().
         */
        // On JDK 1.4+ the SunJSSE provider is registered by default, so
        // Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider())
        // is not needed (and that internal class no longer exists on recent JDKs).
        SSLSocketFactory sslFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        sslSocket = (SSLSocket) sslFactory.createSocket(hostName, 443);
        System.out.print(hostName + ": starting handshake ... ");
        sslSocket.startHandshake();   // "No trusted certificate found" surfaces here
        System.out.println("completed");
        // do something here
    } catch (Exception e) {
        System.out.println(e.getMessage());
    } finally {
        if (sslSocket != null) {
            try {
                sslSocket.close();
            } catch (IOException ignored) {
                // nothing more to do on a failed close
            }
        }
    }

    Once the socket connection has been established, a request/response can be
    posted/read, then close the socket -

    import java.io.BufferedReader;
    import java.io.BufferedWriter;
    import java.io.InputStreamReader;
    import java.io.OutputStreamWriter;
    import java.io.PrintWriter;

    PrintWriter out = new PrintWriter(
        new BufferedWriter(
            new OutputStreamWriter(sslSocket.getOutputStream())));
    /*
     * write to out
     */
    out.print("some string");
    out.flush();
    /*
     * Make sure there were no surprises: PrintWriter swallows IOExceptions,
     * so checkError() is the only way to find out the write failed
     */
    if (out.checkError())
        System.out.println("SSLSocketClient: java.io.PrintWriter error");

    /* read response */
    BufferedReader in = new BufferedReader(
        new InputStreamReader(sslSocket.getInputStream()));

    StringBuffer buffer = new StringBuffer();
    String inputLine;
    while ((inputLine = in.readLine()) != null) {
        buffer.append(inputLine);
    }
    in.close();   // closing either stream also closes the underlying socket
    out.close();


    --

    Neill Laney
    http://www.laneyconsulting.com


    >
    > --
    > Steve Sobol, Professional Geek 888-480-4638 PGP: 0xE3AE35ED
    > Company website: http://JustThe.net/
    > Personal blog, resume, portfolio: http://SteveSobol.com/
    > E: Snail: 22674 Motnocab Road, Apple Valley, CA 92307
    Neill, Jul 29, 2005
    #3
