How to accept the Untrusted cert?


Jakekeke

Dear All,

I use JSSE to implement a proxy server which supports http/https.
However, I find my code can't support some secure sites which provide a
certificate which isn't signed by a CA.

and here is the error message:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate
found
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA12275)
at Proxy.SSLNegotiation.startNegotiation(SSLNegotiation.java:101)
at Proxy.SSLProxyProcess.makeNegotiation(SSLProxyProcess.java:383)
at Proxy.SSLProxyProcess.run(SSLProxyProcess.java:83)
at Proxy.ProxyProcess.run(ProxyProcess.java:107)
Caused by: sun.security.validator.ValidatorException: No trusted
certificate found
at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
at sun.security.validator.Validator.validate(Validator.java:202)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA12275)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA12275)
... 10 more
java.net.SocketException: Socket is closed
at java.net.Socket.setSoTimeout(Socket.java:920)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(DashoA12275)
at Proxy.HttpResp.<init>(HttpResp.java:53)
at Proxy.SSLProxyProcess.makeNegotiation(SSLProxyProcess.java:385)
at Proxy.SSLProxyProcess.run(SSLProxyProcess.java:83)
at Proxy.ProxyProcess.run(ProxyProcess.java:107)

What should I do to accept the self-signed certificate?

Thanks,
Jake


Here is my code.


package Proxy;

import java.io.IOException;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class SSLNegotiation {
    private Socket socket = null;
    private String host = null;
    private int port;
    private String keyStore = null;
    private char keyStorePass[] = null;
    private char keyPassword[] = null;
    private String sslContextInst = null;
    private String keyStoreInst = null;
    private String keyManagerFactoryInst = null;
    private String trustManagerFactoryInst = null;

    public SSLNegotiation(Socket socket) {
        this.socket = socket;
        host = socket.getInetAddress().getHostName();
        port = socket.getPort();
    }

    public SSLNegotiation(String host, int port) {
        this.host = host;
        this.port = port;
    }

    public SSLNegotiation(Socket socket, String host, int port) {
        this.socket = socket;
        this.host = host;
        this.port = port;
    }

    public void importKeyStore(String ks, String ksp) {
        importKeyStore(ks, ksp, ksp);
    }

    public void importKeyStore(String ks, String ksp, String kp) {
        keyStore = ks;
        keyStorePass = ksp.toCharArray();
        keyPassword = kp.toCharArray();
    }

    public void setInstance(String content, String ks, String kmf, String tmf) {
        sslContextInst = content;
        keyStoreInst = ks;
        keyManagerFactoryInst = kmf;
        trustManagerFactoryInst = tmf;
    }

    // Returns the negotiated SSLSocket, or null if the context could not be set up.
    // Note: if startHandshake() fails, JSSE closes the socket, which is what produces
    // the second "Socket is closed" trace when the caller touches it afterwards.
    public Socket startNegotiation(boolean connectServer) {
        KeyStore ks = null;
        KeyManagerFactory kmf = null;
        SSLContext sslContext = null;
        SSLSocket sslSocket = null;

        try {
            ks = KeyStore.getInstance(keyStoreInst);
            ks.load(this.getClass().getResourceAsStream(keyStore), keyStorePass);
            kmf = KeyManagerFactory.getInstance(keyManagerFactoryInst);
            kmf.init(ks, keyPassword);
            sslContext = SSLContext.getInstance(sslContextInst);
            if (trustManagerFactoryInst == null) {
                // null trust managers: JSSE falls back to the default trust store
                sslContext.init(kmf.getKeyManagers(), null, null);
            } else {
                // Trust anchors come from the same keystore that holds the proxy's own
                // key, so a server certificate is accepted only if it (or its issuer)
                // is stored in there.
                TrustManagerFactory tmf = TrustManagerFactory.getInstance(trustManagerFactoryInst);
                tmf.init(ks);
                sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(),
                                new java.security.SecureRandom());
            }

            SSLSocketFactory factory = sslContext.getSocketFactory();

            if (socket != null)
                sslSocket = (SSLSocket) factory.createSocket(socket, host, port, false);
            else
                sslSocket = (SSLSocket) factory.createSocket(host, port);

            sslSocket.setUseClientMode(connectServer);
            sslSocket.setEnabledCipherSuites(sslSocket.getSupportedCipherSuites());
            if (connectServer)
                sslSocket.startHandshake();   // the startHandshake frame in the trace above

        } catch (UnknownHostException uhe) {
            uhe.printStackTrace();
        } catch (IOException ioe) {
            ioe.printStackTrace();
        } catch (Exception e) {
            e.printStackTrace();
        }
        // Moved out of the finally block: a return inside finally discards any
        // pending exception and javac warns about it.
        return sslSocket;
    }
}
 

Rogan Dawes

Jakekeke said:
Dear All,

I use JSSE to implement a proxy server which supports http/https.
However, I find my code can't support some secure sites which provide a
certificate which isn't signed by a CA.
What should I do to accept the self-signed certificate?

Thanks,
Jake

Hi Jake,

Because you are basically duplicating what I did in WebScarab, I suggest
that you check the source code for URLFetcher.java in the WebScarab
source code (on Sourceforge). I think you have looked at it before . . .

But to save you some time, here are the relevant snippets below.

Regards,

Rogan

// Imports and the two fields referenced below are added here so the snippets
// compile on their own; the thread quotes only the relevant parts of
// WebScarab's URLFetcher.java (java.util.logging is assumed for _logger).
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Logger;

import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

private static final Logger _logger = Logger.getLogger("URLFetcher");
private static SSLSocketFactory _factory = null;

// Create a trust manager that does not validate certificate chains
private static TrustManager[] _trustAllCerts = new TrustManager[]{
    new X509TrustManager() {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }
        public void checkClientTrusted(java.security.cert.X509Certificate[] certs,
                                       String authType) {
            // intentionally empty: every client certificate is accepted
        }
        public void checkServerTrusted(java.security.cert.X509Certificate[] certs,
                                       String authType) {
            // intentionally empty: every server certificate is accepted
        }
    }
};

private static void initSSLSocketFactory(KeyManager[] managers) {
    try {
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(managers, _trustAllCerts, new java.security.SecureRandom());
        _factory = (SSLSocketFactory) sc.getSocketFactory();
    } catch (NoSuchAlgorithmException nsae) {
        _logger.severe("NoSuchAlgorithmException setting up SSL support: " + nsae);
        _factory = null;
    } catch (KeyManagementException kme) {
        _logger.severe("KeyManagementException setting up SSL support: " + kme);
        _factory = null;
    }
}
 

Jon Caldwell

Rogan said:
Jakekeke said:
Dear All,

I use JSSE to implement a proxy server which supports http/https.
However, I find my code can't support some secure sites which provide a
certificate which isn't signed by a CA.
What should I do to accept the self-signed certificate?

Thanks,
Jake


Hi Jake,

Because you are basically duplicating what I did in WebScarab, I suggest
that you check the source code for URLFetcher.java in the WebScarab
source code (on Sourceforge). I think you have looked at it before . . .

But to save you some time, here are the relevant snippets below.

Regards,

Rogan
There is an example at this page, as well:
http://jcaldwel.blogspot.com/2005/01/custom-x509trustmanager-java-to-trust.html
 

Sebastian Hentschel

Create a keystore which contains the public key of the Server and
try to set the following property.
System.setProperty("javax.net.ssl.trustStore", keystoreLocation);

Jakekeke said:
Dear All,

I use JSSE to implement a proxy server which supports http/https.
However, I find my code can't support some secure sites which provide a
certificate which isn't signed by a CA.

What should I do to accept the self-signed certificate?

Thanks,
Jake
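An added example, not code from the thread or from WebScarab, that sits between the two answers above: instead of Rogan's trust-all X509TrustManager (which makes the proxy accept any certificate at all, so the handshake no longer protects anything) or the JVM-wide javax.net.ssl.trustStore property Sebastian mentions, the server's self-signed certificate is loaded into an in-memory truststore that becomes the SSLContext's only trust anchor, so every other certificate still fails the handshake exactly as in Jake's trace. The class name PinnedTrust, the PEM file path and the host/port arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example (hypothetical class, not from the thread or WebScarab).
public class PinnedTrust {
    // Build an SSLContext whose only trust anchor is the certificate in pemPath
    // (assumed: the server's self-signed cert in PEM form, obtained out of band).
    public static SSLContext contextTrustingOnly(String pemPath) throws Exception {
        X509Certificate serverCert;
        try (InputStream in = new FileInputStream(pemPath)) {
            serverCert = (X509Certificate) CertificateFactory
                .getInstance("X.509").generateCertificate(in);
        }
        // load(null, null) creates an empty in-memory keystore with no file behind it
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        trust.setCertificateEntry("pinned-server", serverCert);
        TrustManagerFactory tmf = TrustManagerFactory
            .getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust); // chain validation now succeeds only against this anchor
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), new java.security.SecureRandom());
        return ctx;
    }

    // Connect as a client: the chain is checked against the pinned anchor and the
    // certificate must also match the host name (HTTPS rules, Java 7 and later).
    public static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake(); // SSLHandshakeException for any other certificate
        return s;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextTrustingOnly(args[0]); // e.g. server.crt (assumed path)
        try (SSLSocket s = connect(ctx, args[1], Integer.parseInt(args[2]))) {
            System.out.println("Handshake OK with " + s.getSession().getPeerPrincipal().getName());
        }
    }
}
```

Run it as `java PinnedTrust server.crt <host> <port>` after exporting the server's certificate; a proxy can keep one such context per pinned upstream instead of widening trust for all of them.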