Java Forum / First Aid / July 2005

Solution - Verisign expired root CA and "No trusted certificate found" using JSSE

Neill - 29 Jul 2005 08:40 GMT
Not sure where to start with this one, my frustration over not being able to
find ANY documentation regarding a relatively common problem, the process I
followed to find the solution, or just post the solution. Either way, it's
aggravating to the extreme to bump up against the divide between the
programming elite, and ordinary programmers like myself, only to find the
barrier to the information to be nothing less than kindergarten antics,
corporate indifference, or just plain laziness on the part of those who have
gone before, not to blaze the trail.

Problem - when attempting to establish a client SSLSocket connection to a
server, "javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate found" is
thrown.

The solution was a bit elusive. Posts to newsgroups and other forums dealt
with accepting self-signed certificates and involved using the keytool to
import the server public key, but I was only trying to establish a
connection to a server. The cacerts file existed in the /jre/lib/security
directory, and I tried setting a number of System properties with no results
until using System.setProperty("javax.net.debug", "all"), which led me to
believe the problem may be in the cacerts file. The keytool threw an
exception using -printcerts, so I was able to use iKeyman in the WebSphere
distribution to view the certificates in the file. I was able to determine
the Verisign root CA was expired, and stumbled on to the new root CA on the
Verisign site at https://getca.verisign.com/update.html. Click on accept,
save the .cer file, and import it into "cacerts" using keytool. I used
iKeyman and deleted the expired certificates. This solved the immediate
problem, and I am able to get back on track working on the shopping cart
application I've been working on off and on.

Of course, if you're not a masochist, you can simply d/l the latest JDK from
Sun, which addresses the issue since JDK 1.4.2_03 (I'm using 1.4.2-b28; note
to self: d/l latest version), as described in the support document on Sun's
website at http://www.java.com/en/download/help/cacerts.xml.

It's surprising to me that the support doc isn't better catalogued so that
someone may actually find it. I suppose I could be thankful, because it
allowed me the opportunity to learn something on my own. I think that's a
red herring, however, because there are a handful of posts out there,
including mine, which went by unnoticed by the elite or lazy, too busy
chasing their own herring to respond, I suppose.

TODO: add rate this article feature to blog site

Posted online at
http://www.laneyconsulting.com/web/blog.nsf/plinks/NLAY-6ER9CF

Signature

Neill Laney
http://www.laneyconsulting.com
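An added example (not code from the thread) that does the check Neill did by hand in iKeyman: it loads a truststore and flags the trust anchors whose validity period has ended, which is the condition behind "No trusted certificate found" above. The cacerts path and the password "changeit" are assumed defaults; it uses current Java syntax, so it needs Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Walks every trusted-certificate entry in a truststore and reports the ones
// whose validity period has ended (or not yet begun). Assumed defaults: the
// JRE's own cacerts file and its well-known default password "changeit".
public class TrustStoreAudit {

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0]
            : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // getDefaultType() is JKS on old JDKs and PKCS12 on current ones; current
        // JDKs read either format, so the same code covers both cacerts layouts.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        int expired = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias);
            // Only trust anchors matter here; skip key entries and non-X.509 certs.
            if (!ks.isCertificateEntry(alias) || !(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            try {
                x509.checkValidity();
            } catch (CertificateExpiredException e) {
                expired++;
                System.out.println("EXPIRED       " + alias + ": "
                    + x509.getSubjectX500Principal() + " (notAfter " + x509.getNotAfter() + ")");
            } catch (CertificateNotYetValidException e) {
                System.out.println("NOT YET VALID " + alias + ": " + x509.getSubjectX500Principal());
            }
        }
        System.out.println(expired + " expired trust anchor(s) in " + path);
    }
}
```

Once an expired anchor is identified, the replacement root still has to be imported with keytool as Neill describes; this only tells you which alias to look at.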

Steve Sobol - 29 Jul 2005 17:43 GMT
> Not sure where to start with this one, my frustration over not being able to
> find ANY documentation regarding a relatively common problem, the process I
> followed to find the solution, or just post the solution.

Neill,

As an alternative solution, I have a class which loads a keystore from a
URL. I used it for a program that speaks XMLRPC to an SSL website that has a
not-widely-recognized SSL certificate, which otherwise would cause JSSE to
refuse to connect to the site. If you want me to, or if anyone else is
interested, I'll post the code on my blog. It's pretty simple.

Signature

Steve Sobol, Professional Geek   888-480-4638   PGP: 0xE3AE35ED
Company website: http://JustThe.net/
Personal blog, resume, portfolio: http://SteveSobol.com/
E: sjsobol@JustThe.net Snail: 22674 Motnocab Road, Apple Valley, CA 92307
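An added example of the approach Steve describes, not his class (which the thread does not include): load a truststore from a URL and build an SSLContext whose trust decisions come only from that store, instead of from the JRE's cacerts. The store URL, password, host and port are assumed command-line arguments; it needs Java 7 or later.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Trust only the anchors in an explicitly loaded keystore, instead of the
// JRE's cacerts, and run the handshake against that trust store.
public class CustomTrustStoreClient {

    // Build an SSLContext whose TrustManager is backed solely by the given store.
    static SSLContext contextFor(URL storeUrl, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = storeUrl.openStream()) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null key managers: no client auth
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // The store URL is assumed (e.g. file:///etc/myapp/truststore.jks); it must
        // come from a location you control, since it decides whom you will trust.
        URL storeUrl = new URL(args[0]);
        char[] password = args[1].toCharArray();
        String host = args[2];
        int port = args.length > 3 ? Integer.parseInt(args[3]) : 443;

        SSLSocketFactory factory = contextFor(storeUrl, password).getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // A raw SSLSocket validates the chain but not the host name unless told to;
            // without this, any certificate from the trusted CA would be accepted.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("Handshake with " + host + " completed; peer = "
                + socket.getSession().getPeerPrincipal());
        }
    }
}
```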

Neill - 29 Jul 2005 22:13 GMT
> > Not sure where to start with this one, my frustration over not being able to
> > find ANY documentation regarding a relatively common problem, the process I
[quoted text clipped - 7 lines]
> refuse to connect to the site. If you want me to, or if anyone else is
> interested, I'll post the code on my blog. It's pretty simple.

Thanks for the response. For posterity, here's my code to establish an SSL
connection. If you want to reply with your keystore class for completeness,
please do.

BTW, the following is standard stuff, and can be found in any number of
posts by others -

import java.io.IOException;
import java.security.Security;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

SSLSocket sslSocket = null;
String hostName = "www.myhost.com";
try {
  /*
   * Before any application data is sent or received, the
   * SSL socket will do SSL handshaking first to set up
   * the security attributes.
   *
   * SSL handshaking can be initiated by either flushing data
   * down the pipe, or by starting the handshaking by hand.
   *
   * Handshaking is started manually in this example because
   * PrintWriter catches all IOExceptions (including
   * SSLExceptions), sets an internal error flag, and then
   * returns without rethrowing the exception.
   *
   * Unfortunately, this means any error messages are lost,
   * which caused lots of confusion for others using this
   * code.  The only way to tell there was an error is to call
   * PrintWriter.checkError().
   */
  // Registering the provider by hand was only needed on JDKs where JSSE
  // was a separate download; from 1.4 on it is registered by default.
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  SSLSocketFactory sslFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
  sslSocket = (SSLSocket) sslFactory.createSocket(hostName, 443);
  System.out.print(hostName + ": starting handshake ... ");
  sslSocket.startHandshake();
  System.out.println("completed");
  // do something here
} catch (Exception e) {
  System.out.println(e.getMessage());
} finally {
  // close() itself throws IOException, so it needs its own handler
  if (sslSocket != null) {
    try {
      sslSocket.close();
    } catch (IOException e) {
      System.out.println("close failed: " + e.getMessage());
    }
  }
}

Once the socket connection has been established, a request/response can be
posted/read, then close the socket -

import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;

PrintWriter out =
  new PrintWriter(
    new BufferedWriter(
      new OutputStreamWriter(sslSocket.getOutputStream())));
/*
 * write to out
 */
out.print("some string");
out.flush();
/*
 * Make sure there were no surprises: PrintWriter swallows IOExceptions,
 * so checkError() is the only way to learn that the write failed
 */
if (out.checkError())
  System.out.println("SSLSocketClient:  java.io.PrintWriter error");

/* read response */
BufferedReader in =
  new BufferedReader(
    new InputStreamReader(sslSocket.getInputStream()));

StringBuffer buffer = new StringBuffer("");
String inputLine;
while ((inputLine = in.readLine()) != null) {
  buffer.append(inputLine);
}
in.close();
out.close();

Signature

Neill Laney
http://www.laneyconsulting.com

©2010 Advenet LLC