How to ignore invalid SSL Certificates

Discussion in 'Java' started by Snyke, Mar 5, 2006.

  1. Snyke

    Snyke Guest

    Hi everybody :)

    I'm trying to build an application that serves as a Client Side
    frontend for a webpage using HttpClient 2. Because I have some security
    problems I decided that using https would be nice, but my SSL
    certificates continue to fail validation and I'm wondering whether it is
    possible to let HttpClient ignore Certification Failures? And if yes,
    could you please give me a working example?

    Greets,
     
    Snyke, Mar 5, 2006
    #1

  2. Hey Snyke,

    In Mozilla you can check a certificate to accept it always; you cannot
    block those warnings (security issues in web browsers). In IE you can install
    a base certificate (if this is accepted) to drop future warnings. This works
    separately for every user in your network.

    Greetings,

    René
     
    René Beltman, Mar 5, 2006
    #2

  3. Snyke,

    You need to import the fake SSL certificate authority into a key file.
    Do that using the keytool (provided with Sun's JDK). Then in your java
    program do the following before invoking any URL connections:

    // Used to get the ssl certificates for https.
    // Set these before the first HTTPS connection: the default SSL context
    // reads them once, when it is first initialised, and they apply JVM-wide.
    System.setProperty("javax.net.ssl.trustStore", "/path/to/keyfile");
    System.setProperty("javax.net.ssl.trustStorePassword", "YourPassword");

    -Missaka
     
    Missaka Wijekoon, Mar 6, 2006
    #3
  4. Snyke

    Snyke Guest

    Thank you Missaka,

    I'll try that as soon as possible, have you a good resource on how to
    do this, I'm pretty new to the SSL Stuff you know?

    Greets,
     
    Snyke, Mar 6, 2006
    #4
  5. Snyke

    Snyke Guest

    Ok so by now I was able to import the certificates into a
    truststore.jks file using the following commands:

    # wget http://www.switch.ch/aai/federation/SWITCHaai/swisssignca.PEM.crt
    # keytool -import -v -trustcacerts -alias swisssignca -file ../swisssignca.PEM.crt -keystore ./truststore.jks

    And it seems to go alright because if I try to import the certificate
    again it tells me that the certificate is already there.
    I imported the same certificate into my browser and Firefox stopped
    complaining about untrusted certificates at once, but I can't get the
    code to work in Java. I used the code you posted above but it doesn't
    seem to work...

    Any ideas?

    Thanks a lot
     
    Snyke, Mar 7, 2006
    #5
  6. Snyke

    Snyke Guest

    Now this is getting really dodgy:
    when I run the stuff without the certificate import I get the following
    error:
    which is absolutely fine for me as this is expected.
    But when I run the code with my custom certificates I get the
    following:
    which is what I don't like at all. What does this mean and how do I fix
    it?

    Thanks for your time,
     
    Snyke, Mar 7, 2006
    #6
  7. Snyke

    Roedy Green Guest

    see http://mindprod.com/jgloss/keyman.html

    It is a gui equivalent of keytool that lets you see better what is
    going on.
     
    Roedy Green, Mar 8, 2006
    #7
  8. You might be importing the wrong certificate. The certificate authority
    is used in generating the keys for the web server. That's the one you
    would need to import.

    -Missaka
     
    Missaka Wijekoon, Mar 9, 2006
    #8
  9. Snyke

    Snyke Guest

    Mhz,
    ok so far I tried all of the three certificates I got:
    - SWITCH_CA.pem
    - SWITCH_Personal.pem
    - SWITCH_Server.pem
    with server and personal it just tells me that there is no suitable
    certificate found while for the CA I get the "End user tried to act as
    CA"-Exception.
    How do I know how the certificates depend on each other? Possibly I'd
    like to know how to know from Firefox how to know which is the
    certificate I imported.

    Thanks,
    Christian 'Snyke' Decker
    http://www.Snyke.net
     
    Snyke, Mar 12, 2006
    #9
  10. Snyke

    Snyke Guest

    This is definitely fishy:
    As I understand it I have to accept a certificate that signed either
    the certificate of the SSL connection or a parent of it (recursively),
    or what?
    Ok so as soon as I import a parent certificate into my truststore I get
    the "End user tried to act as CA"-Error which is pretty annoying.
    I tried to look at the certificates in Firefox and that's what came
    out:
    http://flickr.com/photos/snyke/111088778/
    and if I import the SWITCH CA certificate
    http://flickr.com/photos/snyke/111088777/
    notice that the Serial Numbers are identical and when trying to import
    the certificate again Firefox complains that the certificate already
    exists.
    What am I doing wrong???

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: End user tried to act as a CA
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA12275)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
    at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
    at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:502)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1973)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:395)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at net.snyke.sms.Sender.login(Sender.java:67)
    at net.snyke.sms.Sender.sendMessage(Sender.java:46)
    at net.snyke.sms.testSender.testSendMessage(testSender.java:16)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at junit.framework.TestCase.runTest(TestCase.java:154)
    at junit.framework.TestCase.runBare(TestCase.java:127)
    at junit.framework.TestResult$1.protect(TestResult.java:106)
    at junit.framework.TestResult.runProtected(TestResult.java:124)
    at junit.framework.TestResult.run(TestResult.java:109)
    at junit.framework.TestCase.run(TestCase.java:118)
    at junit.framework.TestSuite.runTest(TestSuite.java:208)
    at junit.framework.TestSuite.run(TestSuite.java:203)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:478)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:344)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
    Caused by: sun.security.validator.ValidatorException: End user tried to act as a CA
    at sun.security.validator.SimpleValidator.checkBasicConstraints(SimpleValidator.java:239)
    at sun.security.validator.SimpleValidator.checkExtensions(SimpleValidator.java:158)
    at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:143)
    at sun.security.validator.Validator.validate(Validator.java:202)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA12275)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA12275)
    ... 35 more

    Thanks,
    Christian 'Snyke' Decker
    http://www.Snyke.net
     
    Snyke, Mar 12, 2006
    #10
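The chain question in posts #9 and #10, as an added example that is not part of the original thread: plain Java (JDK java.security.cert classes only, no HttpClient) loads the three PEM files named in post #9, prints subject, issuer, serial and whether each one carries a CA basicConstraints flag, and finds which file's key verifies which file's signature, so the certificate that actually issued the server's goes into truststore.jks. The file names come from the thread; the class and method names are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the thread: load the three PEM files listed in
// post #9 (file names assumed from there) and show which one is a CA and which
// one signed which, so the right certificate ends up in truststore.jks.
public class CertChainCheck {

    // Load one X.509 certificate from a PEM or DER file.
    static X509Certificate load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // The certificate in 'candidates' whose key verifies cert's signature, else null.
    static X509Certificate signerOf(X509Certificate cert, List<X509Certificate> candidates) {
        for (X509Certificate issuer : candidates) {
            try {
                cert.verify(issuer.getPublicKey()); // throws unless issuer signed cert
                return issuer;                      // a self-signed CA verifies itself
            } catch (Exception notTheSigner) { }
        }
        return null;
    }

    // -1 means no CA basicConstraints: an end-entity cert that may not issue others,
    // which is exactly what the "End user tried to act as a CA" error rejects.
    static boolean isCa(X509Certificate cert) {
        return cert.getBasicConstraints() != -1;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        for (String f : new String[] {"SWITCH_CA.pem", "SWITCH_Personal.pem", "SWITCH_Server.pem"})
            certs.add(load(f));
        for (X509Certificate c : certs) {
            X509Certificate signer = signerOf(c, certs);
            System.out.println("Subject:     " + c.getSubjectX500Principal());
            System.out.println("  Issuer:    " + c.getIssuerX500Principal());
            System.out.println("  Serial:    " + c.getSerialNumber().toString(16));
            System.out.println("  CA:        " + isCa(c));
            System.out.println("  Signed by: " + (signer == null ? "none of these files" : signer.getSubjectX500Principal()));
        }
    }
}
```

Only a file reported as CA and as the signer of the server certificate (or of its issuer) belongs in the truststore; importing an end-entity file, or a file whose serial matches one already present, will not fix the handshake.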
  11. Snyke

    Snyke Guest

    Man it can't be that hard to simply ignore those SSL-Certificates, can
    it?
    I'm still trying, but can't do anything...
    Any idea?
     
    Snyke, Mar 27, 2006
    #11
