Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsWhite Papers
Discussion GroupsFirst AidDatabasesJavaBeansGUIJava 3DVirtual MachineCORBASecurityToolsGeneral
Java DirectoryOpen Source ProjectsSample Book ChaptersUser GroupsWeb Resources
Related Topics
Databases.NETMore Topics ...
Java Forum / Security / November 2003

Tip: Looking for answers? Try searching our database.

JSSE and OpenSSL 0.9.7 incompatible

Thread view: 
Enable EMail AlertsStart New Thread
Robert Strötgen - 21 Nov 2003 19:15 GMT
Hello!

I have some code using Java as a https client using ssl client
authentication. Server is an Apache 2.0.x with mod_ssl and OpenSSL.

I tested the code with OpenSSL version 0.9.6h and everything worked ok.
After updating the server to version 0.9.7c I get the following error
message:

main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: End user tried to act as a CA

There are no differences using JSSE 1.0.3 or the JSSE in Sun JDK 1.4.2.

Using OpenSSL 0.9.7c s_client I don't have any problems as well.

Are there any known incompatibilities between JSSE and OpenSSL 0.9.7?
Has anyone a running solution or workaround?

TIA,
Robert Strötgen. :)

Signature

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Robert Strötgen
  mailto:robert@stroetgen.de              http://www.stroetgen.de/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reply to this Message
Don's - 24 Nov 2003 19:20 GMT
Hi,

Maybe you use an OpenSSL test certificate in your Apache which is
self-signed and is for test only.
Your problem seems to be that this certificate is not trust by your client.
You can try to import it in your java jeystore.
You should be able to rpoduce the same error usiong openssl s_client with
some certifcate verify on.

Hope it could help.
Fred

> Hello!
>
[quoted text clipped - 26 lines]
>    mailto:robert@stroetgen.de              http://www.stroetgen.de/
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reply to this Message
Robert Strötgen - 26 Nov 2003 20:30 GMT
Hi Fred!

> Maybe you use an OpenSSL test certificate in your Apache which is
> self-signed and is for test only.

No, I use a certificate that I signed with our own CA. This CA is signed
by a PCA.

> Your problem seems to be that this certificate is not trust by your client.
> You can try to import it in your java jeystore.

The certificate of the PCA that signed our CA is in our java truststore.

> You should be able to rpoduce the same error usiong openssl s_client with
> some certifcate verify on.

OpenSSL's s_client works without problem. Only JSSE complians about the
certificate. :-(

Any other idea?

Thanks, and best regards,
Robert. :)

Signature

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Robert Strötgen
  mailto:robert@stroetgen.de              http://www.stroetgen.de/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reply to this Message


Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.