How to ignore invalid SSL Certificates

Snyke

Hi everybody :)

I'm trying to build an application that serves as a client-side
frontend for a webpage using HttpClient 2. Because I have some security
problems I decided that using https would be nice, but my SSL
certificates continue to fail validation and I'm wondering whether it is
possible to let HttpClient ignore certification failures? And if yes,
could you please give me a working example?

Greets,
 
René Beltman

Hey Snyke,

In Mozilla you can check a certificate to accept it always, but you cannot
block those warnings (security issues in web browsers). In IE you can install
a base certificate (if this is accepted) to drop future warnings. This works
separately for every user in your network.

Greetings,

René
 
Missaka Wijekoon

Snyke said:
Hi everybody :)

I'm trying to build an application that serves as a client-side
frontend for a webpage using HttpClient 2. Because I have some security
problems I decided that using https would be nice, but my SSL
certificates continue to fail validation and I'm wondering whether it is
possible to let HttpClient ignore certification failures? And if yes,
could you please give me a working example?

Greets,

Snyke,

You need to import the fake SSL certificate authority into a key file.
Do that using the keytool (provided with Sun's JDK). Then in your java
program do the following before invoking any URL connections:

// Point JSSE at your own truststore so the server's CA chain validates
System.setProperty("javax.net.ssl.trustStore", "/path/to/keyfile");
System.setProperty("javax.net.ssl.trustStorePassword", "YourPassword");

-Missaka
 
Snyke

Thank you Missaka,

I'll try that as soon as possible. Do you have a good resource on how to
do this? I'm pretty new to the SSL stuff, you know.

Greets,
 
Snyke

Ok so by now I was able to import the certificates into a
truststore.jks file using the following commands:

# wget http://www.switch.ch/aai/federation/SWITCHaai/swisssignca.PEM.crt
# keytool -import -v -trustcacerts -alias swisssignca -file ../swisssignca.PEM.crt -keystore ./truststore.jks

And it seems to go alright because if I try to import the certificate
again it tells me that the certificate is already there.
I imported the same certificate into my browser and Firefox stopped
complaining about untrusted certificates at once, but I can't get the
code to work in Java. I used the code you posted above but it doesn't
seem to work...

Any ideas?

Thanks a lot
 
Snyke

Now this is getting really dodgy:
when I run the stuff without the certificate import I get the following
error:
sun.security.validator.ValidatorException: No trusted certificate found

which is absolutely fine for me as this is expected.
But when I run the code with my custom certificates I get the
following:
sun.security.validator.ValidatorException: End user tried to act as a CA

which is what I don't like at all. What does this mean and how do I fix
it?

Thanks for your time,
 
Roedy Green

And it seems to go alright because if I try to import the certificate
again it tells me that the certificate is already there.
I imported the same certificate into my browser and Firefox stopped
complaining about untrusted certificates at once, but I can't get the
code to work in Java. I used the code you posted above but it doesn't
seem to work...

Any ideas?

see http://mindprod.com/jgloss/keyman.html

It is a gui equivalent of keytool that lets you see better what is
going on.
 
Missaka Wijekoon

Snyke said:
Now this is getting really dodgy:
when I run the stuff without the certificate import I get the following
error:

sun.security.validator.ValidatorException: No trusted certificate found

which is absolutely fine for me as this is expected.
But when I run the code with my custom certificates I get the
following:

sun.security.validator.ValidatorException: End user tried to act as a CA

which is what I don't like at all. What does this mean and how do I fix
it?
You might be importing the wrong certificate. The certificate authority
is used in generating the keys for the web server. That's the one you
would need to import.

-Missaka
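The point Missaka is making (import the certificate of the authority that actually signed the server certificate, and nothing else) can be checked outside Java. The script below is an added example of my own, not code from this thread or from HttpClient. It uses openssl to mint a real CA (basicConstraints CA:TRUE), a self-signed end-entity certificate (CA:FALSE), and a server certificate signed by each, then verifies both chains. The chain whose trust anchor is the end-entity certificate fails with openssl's "invalid CA certificate", which is the same condition that Java's SimpleValidator.checkBasicConstraints reports as "End user tried to act as a CA": the certificate in the trust store sits in an issuer position but is not marked as a CA. It also serves the truststore discussion in Missaka's first reply, since the file that passes is_ca_cert here is the one you would feed to keytool. Everything in it is assumed for the demo: it needs openssl on the PATH, writes to a temporary directory, and the names (Example Root CA, www.example.test, the file names) are made up.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce "End user tried to act as a CA"
# with plain openssl. A certificate is only acceptable as an issuer (including
# as the trust anchor) if its basicConstraints say CA:TRUE.
# Assumptions: openssl on PATH; all names and the work directory are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
EXT="$WORK/ext.cnf"

# OpenSSL config with a CA profile and an end-entity (server) profile.
write_profiles() {
    cat > "$EXT" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# Self-signed certificate $1 (writes $1.key / $1.pem) with profile $2, CN $3.
self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$3" -config "$EXT" -extensions "$2" >/dev/null 2>&1
}

# Server certificate $1 signed by issuer $2 (issuer key and cert in $WORK).
# openssl x509 -req signs with whatever key it is handed; it does not check
# that the issuer may act as a CA. That check happens in the client.
issued_by() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=www.example.test" \
        -config "$EXT" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.pem" -extfile "$EXT" -extensions v3_leaf >/dev/null 2>&1
}

# Does certificate $1 carry basicConstraints CA:TRUE? Returns 0 if so.
# This is the property every issuer in a chain must have; a trust anchor
# without it produces the "tried to act as a CA" failure.
is_ca_cert() {
    openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q 'CA:TRUE'
}

# Validate certificate $2 against a trust store holding only $1.
# Prints OK or openssl's reason; returns openssl verify's exit status.
verify_against() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem"
}

build_demo() {
    write_profiles
    self_signed root     v3_ca   "Example Root CA"     # genuine CA, CA:TRUE
    self_signed not_a_ca v3_leaf "Example End Entity"  # end entity, CA:FALSE
    issued_by server     root                          # proper chain
    issued_by server_bad not_a_ca                      # signed by a non-CA
}

build_demo
echo "root is a CA:     $(is_ca_cert root && echo yes || echo no)"
echo "not_a_ca is a CA: $(is_ca_cert not_a_ca && echo yes || echo no)"
verify_against root     server     || true   # OK
verify_against not_a_ca server_bad || true   # invalid CA certificate
```

Before running keytool -import -trustcacerts on a file, run the equivalent of is_ca_cert on it: if it is not CA:TRUE it is not the certificate you want, whatever its filename says. The certificate that validates the server is the one that actually signed it (openssl x509 -noout -issuer on the server certificate names it), and once that certificate, plus any intermediates, is in the truststore, the javax.net.ssl.trustStore properties from the earlier reply are all the client needs. Disabling validation instead, as the thread title asks, lets anyone in the network path present any certificate at all and read or alter the traffic.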
 
Snyke

Mhz,
ok so far I tried all of the three certificates I got:
- SWITCH_CA.pem
- SWITCH_Personal.pem
- SWITCH_Server.pem
With Server and Personal it just tells me that there is no suitable
certificate found, while for the CA I get the "End user tried to act as
CA" exception.
How do I know how the certificates depend on each other? Ideally I'd also
like to know how to tell from Firefox which certificate I imported.

Thanks,
Christian 'Snyke' Decker
http://www.Snyke.net
 
Snyke

This is definitely fishy:
As I understand it, I have to accept a certificate that signed either
the certificate of the SSL connection or a parent of it (recursively),
or what?
Ok, so as soon as I import a parent certificate into my truststore I get
the "End user tried to act as CA" error, which is pretty annoying.
I tried to look at the certificates in Firefox and this is what came
out:
http://flickr.com/photos/snyke/111088778/
and if I import the SWITCH CA certificate:
http://flickr.com/photos/snyke/111088777/
Notice that the serial numbers are identical, and when trying to import
the certificate again Firefox complains that the certificate already
exists.
What am I doing wrong???

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: End user tried to act as a CA
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA12275)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
    at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
    at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:502)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1973)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:395)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at net.snyke.sms.Sender.login(Sender.java:67)
    at net.snyke.sms.Sender.sendMessage(Sender.java:46)
    at net.snyke.sms.testSender.testSendMessage(testSender.java:16)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at junit.framework.TestCase.runTest(TestCase.java:154)
    at junit.framework.TestCase.runBare(TestCase.java:127)
    at junit.framework.TestResult$1.protect(TestResult.java:106)
    at junit.framework.TestResult.runProtected(TestResult.java:124)
    at junit.framework.TestResult.run(TestResult.java:109)
    at junit.framework.TestCase.run(TestCase.java:118)
    at junit.framework.TestSuite.runTest(TestSuite.java:208)
    at junit.framework.TestSuite.run(TestSuite.java:203)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:478)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:344)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
Caused by: sun.security.validator.ValidatorException: End user tried to act as a CA
    at sun.security.validator.SimpleValidator.checkBasicConstraints(SimpleValidator.java:239)
    at sun.security.validator.SimpleValidator.checkExtensions(SimpleValidator.java:158)
    at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:143)
    at sun.security.validator.Validator.validate(Validator.java:202)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA12275)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA12275)
    ... 35 more

Thanks,
Christian 'Snyke' Decker
http://www.Snyke.net
 
Snyke

Man, it can't be that hard to simply ignore those SSL certificates, can
it?
I'm still trying, but can't do anything...
Any idea?
 