HTTPS with JSSE --- Use SSLSocketFactory or not



John Salvo

JDK 1.3.1 ( Linux, Solaris, and Windows )
JSSE 1.0.3_02

I am doing an HTTPS POST to a webserver that is not under my control and
that uses a self-signed certificate. This webserver requires client
authentication as well ... so I have a PKCS12 file given to me.

I have imported the CA of the webserver into my
/jdk1.3.1/jre/lib/security/cacerts file via keytool, verified it is there.

I have also checked that I can read the PKCS12 file via keytool as well.
I have specified the PKCS12 file via:
-Djavax.net.ssl.keyStore --- for the PKCS12 file itself
-Djavax.net.ssl.keyStoreType --- PKCS12
-Djavax.net.ssl.keyStorePass --- passphrase

I also added:
-Djavax.net.debug=all


Now here is the problem:

1) I was originally relying on URL.openConnection() to return me a
URLConnection, and then cast that to an HttpConnection.

However, the handshake does not seem to work.


2) If I instead directly create the SSLSocket like this:

import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// keyStoreType ("PKCS12"), keyStoreFile, passphrase (char[]), host and port
// are supplied by the caller; the calls below throw checked exceptions.
SSLContext sslc;
KeyManagerFactory kmf;
KeyStore ks;

// Load the PKCS12 file and build a key manager that will present its client cert.
ks = KeyStore.getInstance(keyStoreType);
ks.load(new FileInputStream(keyStoreFile), passphrase);
kmf = KeyManagerFactory.getInstance("SunX509");
sslc = SSLContext.getInstance("TLS");
kmf.init(ks, passphrase);
// null trust managers => the default trust store (cacerts) is used.
sslc.init(kmf.getKeyManagers(), null, null);
SSLSocketFactory factory = sslc.getSocketFactory();

SSLSocket socket = (SSLSocket)factory.createSocket(host, port);
socket.startHandshake();

.... the handshaking works



Comparing both the packet capture via ethereal and the debugging output
from JSSE, it is turning out that item [1] is not sending the client
certificate, despite the fact that the properties
javax.net.ssl.keystore, javax.net.ssl.keystoreType, and
javax.net.ssl.keystorePass are all specified from the command line.


Any ideas?


--------------------------------------------
Here is the output from JSSE debugging in the case of [2], where the
client cert was sent:

java -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
-Djavax.net.ssl.keyStore=C:\workarea\o2\MobileInternetRef.p12
-Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStorePass=xxxxx
-Djavax.net.debug=all -classpath
classes;/cvs/softgame-latest/development/classes;/java/libs/jaxp-api.jar;/java/libs/dom.jar;/java/libs/sax.jar;/java/libs/xercesImpl.jar;/java/libs/mmsdriver.jar;/java/libs/smppapi.jar;/java/libs/commons-logging.jar;/java/libs/mail.jar;/xmlrpc-1.2-b1/xmlrpc-1.2-b1.jar
XMLRPC
***
found key for : 1
chain [0] = [
[
Version: V1
Subject: CN=smsoar_10091_default, OU=customers, O=smsoar, C=gb
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

Key: [email protected]
Validity: [From: Fri Aug 29 04:34:29 EST 2003,
To: Mon Aug 26 04:34:29 EST 2013]
Issuer: CN=self CA, OU=SMS Open Architecture, O=O2online, C=GB
SerialNumber: [ e3]

]
Algorithm: [MD5withRSA]
Signature:
<....snip....>
]
***
trustStore is: c:\jdk1.3.1\jre\lib\security\cacerts
trustStore type is : jks
init truststore
adding as trusted cert: [
<....snip....>


--------------------------------------------
Here is the output from JSSE debugging in the case of [1] ( using
URL.openConnection() ), where the client cert was NOT sent. You will
notice below that it did NOT load the keyStore like it did above before
loading the trustStore. This one went straight away to loading the
trustStore.


java -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
-Djavax.net.ssl.keyStore=C:\workarea\o2\MobileInternetRef.p12
-Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStorePass=xxxxx
-Djavax.net.debug=all -classpath
classes;/cvs/softgame-latest/development/classes;/java/libs/jaxp-api.jar;/java/libs/dom.jar;/java/libs/sax.jar;/java/libs/xercesImpl.jar;/java/libs/mmsdriver.jar;/java/libs/smppapi.jar;/java/libs/commons-logging.jar;/java/libs/mail.jar;/xmlrpc-1.2-b1/xmlrpc-1.2-b1.jar
XMLRPC
keyStore is : C:\workarea\o2\MobileInternetRef.p12
keyStore type is : PKCS12
init keystore
init keymanager of type SunX509
trustStore is: c:\jdk1.3.1\jre\lib\security\cacerts
trustStore type is : jks
init truststore
adding as trusted cert: [
<....snip....>


Regards,

John
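Added example (editor's code, not from the original post or from Sun's JSSE samples): the most robust way to get HttpsURLConnection to send the client certificate is to build the SSLContext in code, exactly as case [2] does, and then hand its socket factory to the connection with setSSLSocketFactory(), so the handshake no longer depends on the javax.net.ssl.* system properties being picked up. Two caveats a practitioner would check first: the standard property for the key store password is javax.net.ssl.keyStorePassword (the command lines above use keyStorePass), and in the [1] debug output "init keystore" is not followed by a "found key for" line, which is the line that shows a private key was actually loaded. The trust store is loaded explicitly from the JRE's cacerts (default password "changeit") rather than by disabling verification, so the self-signed CA you imported with keytool is still the only reason the server is trusted. Assumptions: the file paths and the XML-RPC request body are placeholders; the imports use the javax.net.ssl package of JSSE 1.4+, whereas JSSE 1.0.3 on JDK 1.3.1 exposes the same class names under com.sun.net.ssl.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientCertPost {

    // Build an SSLContext that presents the client certificate held in a PKCS12
    // file and trusts only the CAs in the given trust store (e.g. the JRE cacerts).
    // Nothing here reads the javax.net.ssl.* system properties.
    static SSLContext buildContext(String p12Path, char[] p12Pass,
                                   String trustPath, char[] trustPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        InputStream kin = new FileInputStream(p12Path);
        try { ks.load(kin, p12Pass); } finally { kin.close(); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, p12Pass);            // this is what makes the client cert available

        KeyStore ts = KeyStore.getInstance("JKS");
        InputStream tin = new FileInputStream(trustPath);
        try { ts.load(tin, trustPass); } finally { tin.close(); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(ts);                     // explicit trust anchors, no blanket trust

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // POST a body over HTTPS using the per-connection socket factory from ctx.
    // Host name verification stays at the HttpsURLConnection default.
    static int post(URL url, SSLContext ctx, byte[] body, String contentType) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", contentType);
        OutputStream out = conn.getOutputStream();
        try { out.write(body); } finally { out.close(); }
        return conn.getResponseCode();    // the handshake has completed by now
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and password: replace with the real PKCS12 file,
        // its passphrase, and the cacerts file the CA was imported into.
        SSLContext ctx = buildContext(
            "/path/to/client.p12", "p12-passphrase".toCharArray(),
            "/path/to/jre/lib/security/cacerts", "changeit".toCharArray());

        // Constructed sample XML-RPC request body, not taken from the post.
        byte[] body = ("<?xml version=\"1.0\"?><methodCall>"
                     + "<methodName>example.ping</methodName><params/></methodCall>")
                     .getBytes("UTF-8");

        int status = post(new URL("https://server.example/xmlrpc"), ctx, body, "text/xml");
        System.out.println("HTTP status: " + status);
    }
}
```

Running this with -Djavax.net.debug=all should show the "found key for" line before "init truststore", as in case [2]; if it does not, the PKCS12 file or its passphrase is the problem, not the URL handler.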