Java Forum / General / December 2005

Trusting certificates where CN does not match website hostname

js - 12 Dec 2005 04:41 GMT
JDK 1.4.2_08

I am getting the following exception:

javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate found
 at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
 at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
 at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
 at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA12275)
 at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:224)

I have imported the certificate into the cacerts file via keytool -import.

However, my problem is that, the operator has setup a development and
production website, where the hostname naturally differs ... but both
development and production URLs have the same certificate.

That is, the production, Verisign-signed server certificate is the same
certificate on the development website. This certificate, therefore, has
the common name ( CN ) set to the hostname of the production website.

Thus, even if I import the certificate into the cacerts file, because the
server certificate's CN does not match the hostname of the website, I get the
exception above when connecting to their development website.

Apart from implementing DummyTrustManager as per this article:

       http://www.javaworld.com/javatips/jw-javatip115.html

... which I'd rather not, is there any other workaround?
Roedy Green - 12 Dec 2005 06:32 GMT
>I have imported the certificate into the cacerts file via keytool -import.

If you check your machine, there may be dozens of cacerts files. Make
sure you have the right one.  See
http://mindprod.com/jgloss/cacerts.html
Canadian Mind Products, Roedy Green.
http://mindprod.com Java custom programming, consulting and coaching.

js - 13 Dec 2005 01:16 GMT
>>I have imported the certificate into the cacerts file via keytool -import.
>
> If you check your machine, there may be dozens of cacerts files. Make
> sure you have the right one.  See
> http://mindprod.com/jgloss/cacerts.html

I am sure I have the right one imported into the correct cacerts file.

The problem is that, normally, even for a development server with a
self-signed server certificate, the CN on the server certificate matches
the hostname of the development server URL. But in this case, the CN does not
match, and hence, importing the server certificate into the cacerts
file will not work.

I have worked around this for now by overriding a TrustManager to
trust the server no matter what.
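A narrower alternative to a TrustManager that trusts the server no matter what is to keep the JRE's normal chain validation and additionally pin the development endpoint to the one leaf certificate you expect there, which still blocks the substituted-certificate (man-in-the-middle) case discussed later in the thread. This is an added example, not code from the thread or from the JavaWorld article; it assumes a modern JDK (5 or later) and that the caller supplies the expected certificate's SHA-256 fingerprint as hex.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// The JRE's default trust manager still validates the chain; on top of that the
// server's leaf certificate must match ONE pinned SHA-256 fingerprint, so the
// development host is accepted only with the exact certificate you expect there.
public class PinnedTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    private final String pinnedSha256Hex; // expected leaf fingerprint, lowercase hex
    public PinnedTrustManager(X509TrustManager delegate, String pinnedSha256Hex) {
        this.delegate = delegate;
        this.pinnedSha256Hex = pinnedSha256Hex.replace(":", "").toLowerCase();
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType); // normal CA/chain validation first
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        String actual = fingerprint(chain[0]);
        if (!pinnedSha256Hex.equals(actual))
            throw new CertificateException("leaf certificate not pinned: " + actual);
    }
    public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    // SHA-256 over the DER encoding, the value a modern `keytool -list -v` prints (colons stripped).
    static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("SHA-256 unavailable: " + e.getMessage());
        }
    }
    // Wires the pinned manager into an SSLContext backed by the default cacerts.
    public static SSLContext pinnedContext(String pinnedSha256Hex) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((java.security.KeyStore) null);
        X509TrustManager dflt = (X509TrustManager) tmf.getTrustManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedTrustManager(dflt, pinnedSha256Hex) }, null);
        return ctx;
    }
}
```

Use `pinnedContext(...).getSocketFactory()` only for the development endpoint's socket factory; production connections should keep the default trust manager and hostname checks unchanged.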
Roedy Green - 13 Dec 2005 02:10 GMT
>The problem is that, normally, even for a development server with a
>self-signed server certificate, the CN on the server certificate matches
[quoted text clipped - 4 lines]
>I have worked around this for now by using overriding a TrustManager to
>trust the server no matter what.

This is as it should be.  Otherwise you could buy a cert for company A
then use it all over the place where it was not certified.
Canadian Mind Products, Roedy Green.
http://mindprod.com Java custom programming, consulting and coaching.

Chris Smith - 13 Dec 2005 15:29 GMT
> This is as it should be.  Otherwise you could buy a cert for company A
> then use it all over the place where it was not certified.

I hope you don't expect us to cry over potential lost revenue for
Verisign...

In any case, the point behind verifying the CN on a server certificate
is that you protect against man-in-the-middle attacks, in which a router
or DNS server is compromised so that when the user tries to visit
www.paypal.com, they are actually redirected over to a different site
instead.  Since Verisign (or Thawte, or whoever) supposedly won't issue
a certificate with a CN of "www.paypal.com" except to the owner of that
site, the attacker would be unable to obtain a certificate with the
correct CN.

www.designacourse.com
The Easiest Way To Train Anyone... Anywhere.

Chris Smith - Lead Software Developer/Technical Trainer
MindIQ Corporation
