Posted to httpclient-users@hc.apache.org by sudip shrestha <su...@gmail.com> on 2006/05/05 18:20:02 UTC

SSLHandshakeException with apache+tomcat httpd server

Hi,
I have an Apache httpd 2.0 server working with Tomcat 5.5.7 that serves dynamic
content.  Only HTTPS requests are allowed by this server.  We have a
trusted certificate from a CA, Comodo. I have written an applet that needs
to talk to this server via SSL.
I have added the cert from the CA to the JDK keystore with:  keytool -import -file mydomain.com.crt

So, when I use this piece of code below to make a connection I get an
Exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
        at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
        at java.io.BufferedOutputStream.flush(Unknown Source)
        at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:827)
        at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1975)
        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
        at main.main(main.java:54)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
        ... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 23 more
----------------------------------------------------------------
Test Code:
---------------
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory;

  HttpClient httpclient = new HttpClient();
  GetMethod httpget = new GetMethod("https://mydomain.com/");
  try {

     // Optional: the contrib EasySSLProtocolSocketFactory (accepts self-signed certificates)
     //Protocol easyhttps = new Protocol("https", new EasySSLProtocolSocketFactory(), 443);
     //Protocol.registerProtocol("https", easyhttps);

    httpclient.executeMethod(httpget);

    System.out.println( httpget.getStatusLine() );

  } catch(Exception e) {
    e.printStackTrace();
  } finally {
    httpget.releaseConnection();
  }
----------------------------------------------------------------

I have tried this with/without the EasySSLProtocolSocketFactory and I get
the same result.   Searched through the archive but could not move forward.

In my case, all the SSL requests are handled by Apache first, so is there
something else that I have to do to make it work?... thanks....
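The exception above comes from JSSE's trust manager, which hands the server's chain to CertPathBuilder with the entries of the trust store as anchors; "unable to find valid certification path to requested target" means that no anchor in that store issued the top of the chain. One thing worth checking before anything else: keytool -import with no -keystore argument writes to $HOME/.keystore, which JSSE never reads (it consults javax.net.ssl.trustStore if set, otherwise <java.home>/lib/security/cacerts). The program below is an added example, not code from the thread or from commons-ssl; it repeats that PKIX build offline against the store JSSE actually uses, so the failure can be reproduced and explained without a handshake. The embedded chain is the cross-certificate printed later in the thread (AddTrust External CA Root issued by UTN-USERFirst-Hardware), so the anchor it needs is UTN-USERFirst-Hardware, and the validation date is pinned to May 2006 because that certificate expired in July 2019. On a current JDK it will normally fail exactly like the post, because that root has itself expired and is no longer shipped in cacerts; replace SAMPLE_CHAIN_PEM with a chain captured from your own server (for example with openssl s_client -showcerts) to test a live case. The "Matching anchors" line tells you whether the missing piece is the root or an intermediate the server forgot to send.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/* Added example (not code from the thread or commons-ssl): redo, offline, the
 * PKIX build that JSSE's trust manager runs during the handshake, against the
 * trust store JSSE actually reads, and say which anchor the chain needs. */
public class PkixDiagnose {

    /* Constructed sample: the cross-certificate the server sent in the thread
     * (subject AddTrust External CA Root, issuer UTN-USERFirst-Hardware). */
    static final String SAMPLE_CHAIN_PEM =
        "-----BEGIN CERTIFICATE-----\n"
        + "MIIETzCCAzegAwIBAgIQHM5EYpUZep1jUvnyI6m2mDANBgkqhkiG9w0BAQUFADCB\nlzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug\n"
        + "Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho\ndHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3Qt\n"
        + "SGFyZHdhcmUwHhcNMDUwNjA3MDgwOTEwWhcNMTkwNzA5MTgxOTIyWjBvMQswCQYD\nVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0\n"
        + "IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5h\nbCBDQSBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt/caM+by\n"
        + "AAQtOeBOW+0fvGwPzbX6I7bO3psRM5ekKUx9k5+9SryT7QMa44/P5W1QWtaXKZRa\ngLBJetsulf24yr83OC0ePpFBrXBWx/BPP+gynnTKyJBU6cZfD3idmkA8Dqxhql4U\n"
        + "j56HoWpQ3NeaTq8Fs6ZxlJxxs1BgCscTnTgHhgKo6ahpJhiQq0ywTyOrOk+E2N/O\nn+Fpb7vXQtdrROTHre5tQV9yWnEIN7N5ZaRZoJQ39wAvDcKSctrQOHLbFKhFxF0q\n"
        + "fbe01sTurM0TRLfJK91DACX6YblpalgjEbenM49WdVn1zSnXRrcKK2W200JvFbK4\ne/vv6V1T1TRaJwIDAQABo4G9MIG6MB8GA1UdIwQYMBaAFKFyXyYbKJhDlV0HN9WF\n"
        + "lp1L0sNFMB0GA1UdDgQWBBStvZh6NLQm9/rEJlTvA73gJMtUGjAOBgNVHQ8BAf8E\nBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zARBglghkgBhvhCAQEEBAMCAQIwRAYDVR0f\n"
        + "BD0wOzA5oDegNYYzaHR0cDovL2NybC51c2VydHJ1c3QuY29tL1VUTi1VU0VSRmly\nc3QtSGFyZHdhcmUuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQByQhANOs4kClrwF8BW\n"
        + "onvUOGCSjRK52zYZgDXYNjDtmr5rJ6NyPFDNn+JxkLpjYetIFMTbSRe679Bt8m7a\ngIAoQYFQtxMuyLnJegB2aEbQiIxh/tC21UcFF7ktdnDoTlA6w3pLuvunaI84Of3o\n"
        + "2YBrhzkTbCfaYk5JRlTpudW9DkUkHBsyx3nknPKnplkIGaK0jgn8E0n+SFabYaHk\nI9LroYT/+JtLefh9lgBdAgVv0UPbzoGfuDsrk/Zh+UrgbLFpHoVnElhzbkh64Z0X\n"
        + "OGaJunQc68cCZu5HTn/aK7fBGMcVflRCXLVEQpU9PIAdGA8Ynvg684t8GMaKsRl1\njIGZ\n"
        + "-----END CERTIFICATE-----\n";

    static List<X509Certificate> parsePem(String pem) throws Exception {
        List<X509Certificate> out = new ArrayList<X509Certificate>();
        for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(
                new ByteArrayInputStream(pem.getBytes("US-ASCII")))) {
            out.add((X509Certificate) c);
        }
        return out;
    }

    /* javax.net.ssl.trustStore if set, else <java.home>/lib/security/cacerts.
     * "keytool -import -file x.crt" with no -keystore writes $HOME/.keystore,
     * which is neither, so such an import is never seen by the handshake. */
    static KeyStore loadDefaultTrustStore() throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try { ks.load(in, pw.toCharArray()); } finally { in.close(); }
        System.out.println("Trust store: " + path + " (" + ks.size() + " entries)");
        return ks;
    }

    /* Aliases whose subject is the issuer the top of the chain needs. */
    static List<String> anchorsFor(X509Certificate top, KeyStore trust) throws Exception {
        List<String> hits = new ArrayList<String>();
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = trust.getCertificate(alias);
            if (c instanceof X509Certificate && ((X509Certificate) c)
                    .getSubjectX500Principal().equals(top.getIssuerX500Principal())) {
                hits.add(alias);
            }
        }
        return hits;
    }

    /* Same build the handshake performs; returns the anchor's subject or throws
     * CertPathBuilderException carrying the message seen in the thread. */
    static String buildPath(List<X509Certificate> chain, KeyStore trust, Date at)
            throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));                   // leaf the path must reach
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));   // intermediates from the server
        params.setRevocationEnabled(false);                    // no CRL/OCSP fetch offline
        params.setDate(at);                                    // validity as of this date
        PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult)
                CertPathBuilder.getInstance("PKIX").build(params);
        return r.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = parsePem(SAMPLE_CHAIN_PEM);
        X509Certificate top = chain.get(chain.size() - 1);
        System.out.println("Chain top:    " + top.getSubjectX500Principal());
        System.out.println("Needs anchor: " + top.getIssuerX500Principal());
        KeyStore trust = loadDefaultTrustStore();
        System.out.println("Matching anchors: " + anchorsFor(top, trust));
        // Thread's date; the sample cross-certificate expired in July 2019.
        Date asOf = new GregorianCalendar(2006, Calendar.MAY, 6).getTime();
        try {
            System.out.println("OK, anchored at " + buildPath(chain, trust, asOf));
        } catch (CertPathBuilderException ex) {
            System.out.println("FAILED: " + ex.getMessage());
        }
    }
}
```

Run it with -Djavax.net.ssl.trustStore=my.keystore to check a store you have just built with keytool; if "Matching anchors" is empty, the import went to a different file than you think.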

Re: Fwd: SSLHandshakeException with apache+tomcat httpd server

Posted by sudip shrestha <su...@gmail.com>.
Thanks Julius, your solution is much easier to work with than the one I put
together.


RE: Fwd: SSLHandshakeException with apache+tomcat httpd server

Posted by Julius Davies <ju...@cucbc.com>.
Hi, Sudip,

I think I have a solution.

You will need to download the latest version of "commons-ssl.jar" that I am working on.  It now includes modified versions of the "org.apache.commons.httpclient.contrib.ssl" classes.

http://juliusdavies.ca/commons-ssl/

I've created a TrustExample.java file for you.  Try running its main method with the following jars in your classpath:

commons-codec.jar
commons-httpclient.jar
commons-logging.jar
commons-ssl.jar

It should output the following:

HTTPClient: HTTP/1.1 200 OK
Java:       javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found


Here are two links to TrustExample.java (the second link uses HTML for syntax highlighting):

http://juliusdavies.ca/commons-ssl/TrustExample.java
http://juliusdavies.ca/commons-ssl/TrustExample.java.html

I hope this helps.  Thanks for your help testing the proxy feature of my commons-ssl Ping utility!  I'm glad to hear it works!


yours,

Julius


-----Original Message-----
From:	sudip shrestha [mailto:sudipx@gmail.com]
Sent:	Fri 5/5/2006 7:13 PM
To:	Julius Davies
Cc:	
Subject:	Re: Fwd: SSLHandshakeException with apache+tomcat httpd server

It seemed to work OK.... I am sort of wondering how I attach the
my.keystore file to the applet.

This was the output:
--------------------------------

HEAD / HTTP/1.1
Host: mydomain.com

Reading:
================================================================================
HTTP/1.1 302 Moved Temporarily
Date: Sat, 06 May 2006 02:05:19 GMT
Server: Apache
Set-Cookie: JSESSIONID=87BD0090FE9C884140543A2F3662D0EE; Path=/; Secure
Location: https://mydomain/actions/checkSession.do;jsessionid=87BD0090FE9C884140543A2F3662D0EE?method=checkSession
Content-Type: httpd/unix-directory

Server Certificate Chain for: [mydomain.com/ipaddx:443]
================================================================================
s.0: CN=mydomain.com, OU=InstantSSL, OU=IS, O=xxx, STREET=addr, STREET=xxx, L=xx, ST=xx, OID.add=00000-1892, C=US
i.0: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
s.1: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
i.1: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
-----BEGIN CERTIFICATE-----
MIIETzCCAzegAwIBAgIQHM5EYpUZep1jUvnyI6m2mDANBgkqhkiG9w0BAQUFADCB
lzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug
Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho
dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3Qt
SGFyZHdhcmUwHhcNMDUwNjA3MDgwOTEwWhcNMTkwNzA5MTgxOTIyWjBvMQswCQYD
VQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0
IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5h
bCBDQSBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt/caM+by
AAQtOeBOW+0fvGwPzbX6I7bO3psRM5ekKUx9k5+9SryT7QMa44/P5W1QWtaXKZRa
gLBJetsulf24yr83OC0ePpFBrXBWx/BPP+gynnTKyJBU6cZfD3idmkA8Dqxhql4U
j56HoWpQ3NeaTq8Fs6ZxlJxxs1BgCscTnTgHhgKo6ahpJhiQq0ywTyOrOk+E2N/O
n+Fpb7vXQtdrROTHre5tQV9yWnEIN7N5ZaRZoJQ39wAvDcKSctrQOHLbFKhFxF0q
fbe01sTurM0TRLfJK91DACX6YblpalgjEbenM49WdVn1zSnXRrcKK2W200JvFbK4
e/vv6V1T1TRaJwIDAQABo4G9MIG6MB8GA1UdIwQYMBaAFKFyXyYbKJhDlV0HN9WF
lp1L0sNFMB0GA1UdDgQWBBStvZh6NLQm9/rEJlTvA73gJMtUGjAOBgNVHQ8BAf8E
BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zARBglghkgBhvhCAQEEBAMCAQIwRAYDVR0f
BD0wOzA5oDegNYYzaHR0cDovL2NybC51c2VydHJ1c3QuY29tL1VUTi1VU0VSRmly
c3QtSGFyZHdhcmUuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQByQhANOs4kClrwF8BW
onvUOGCSjRK52zYZgDXYNjDtmr5rJ6NyPFDNn+JxkLpjYetIFMTbSRe679Bt8m7a
gIAoQYFQtxMuyLnJegB2aEbQiIxh/tC21UcFF7ktdnDoTlA6w3pLuvunaI84Of3o
2YBrhzkTbCfaYk5JRlTpudW9DkUkHBsyx3nknPKnplkIGaK0jgn8E0n+SFabYaHk
I9LroYT/+JtLefh9lgBdAgVv0UPbzoGfuDsrk/Zh+UrgbLFpHoVnElhzbkh64Z0X
OGaJunQc68cCZu5HTn/aK7fBGMcVflRCXLVEQpU9PIAdGA8Ynvg684t8GMaKsRl1
jIGZ
-----END CERTIFICATE-----





On 5/5/06, Julius Davies <ju...@cucbc.com> wrote:
>
> Hi, Sudip,
>
> Thanks for your interesting question!  I added a "proxy" option to the
> "commons-ssl.jar" tool.
>
> I realize you've already progressed on your problem, but would you mind
> testing this option for me?
>
> Here's the latest version:
>
> http://juliusdavies.ca/commons-ssl/
>
> In particular:
>
> http://juliusdavies.ca/commons-ssl/commons-ssl.jar
>
>
> Please try running:
>
> java -jar commons-ssl.jar -t [mydomain.com]:443 -r [myproxy.com]:80
>
> Does it work?
>
>
>
> yours,
>
> Julius
>
>
> ==============================================================================
> Usage:  java -jar commons-ssl.jar [options]
> Options:   (*=required)
> *  -t  --target           [hostname[:port]]             default port=443
>    -b  --bind             [hostname[:port]]             default port=0 "ANY"
>    -r  --proxy            [hostname[:port]]             default port=80
>    -c  --client-cert      [path to client certificate]  *.jks or *.pfx
>    -p  --password         [client cert password]
>
> Example:
>
> java -jar commons-ssl.jar -t cucbc.com:443 -c ./client.pfx -p `cat ./pass.txt`
>
> ==============================================================================
>
>
> On Fri, 2006-05-05 at 15:38 -0500, sudip shrestha wrote:
> > I am not sure how to deploy the my.keystore file with the applet.  Thanks
> > for any suggestions.
> >
> > ---------- Forwarded message ----------
> > From: sudip shrestha <su...@gmail.com>
> > Date: May 5, 2006 2:08 PM
> > Subject: Re: SSLHandshakeException with apache+tomcat httpd server
> > To: Julius Davies <ju...@cucbc.com>
> >
> > Hi,
> > OK... This is what I did and fixed my problem:
> > 1. I first got my keystore from CA-cert:
> > keytool -import -trustcacerts -keystore my.keystore -file mydomain.com.crt -alias mydomainkey
> > 2. Then added a line before creating a new Protocol object with
> > StrictSSLProtocolSocketFactory:
> > ------------------
> >     System.setProperty("javax.net.ssl.trustStore", "my.keystore");
> >
> >     Protocol stricthttps = new Protocol( "https", new
> > StrictSSLProtocolSocketFactory(true), 443);
> >     httpclient.getHostConfiguration().setHost("mydomain.com", 443,
> > stricthttps);
> >
> >     httpclient.executeMethod( httpget );
> >     System.out.println( new String( httpget.getResponseBody () ) );
> >
> >     System.out.println( httpget.getStatusLine() );
> > ------------------
> > Then, I was able to get secure URLs normally from mydomain.com.  But now I
> > am wondering how I put the my.keystore file on the client machine, as these
> > URLs will be accessed by an applet.
> >
> >
> >
> > On 5/5/06, sudip shrestha < sudipx@gmail.com> wrote:
> > >
> > > Julius, thanks for your reply.  We have a proxy server to go through...
> > > How do I define a proxy server/port on the command line with java -jar
> > > commons-ssl.jar -t [mydomain.com]:443?
> > >
> > > Because, right now, this is all I get:
> > > java.net.SocketTimeoutException: connect timed out
> > >         at java.net.PlainSocketImpl.socketConnect(Native Method)
> > >         at java.net.PlainSocketImpl.doConnect(Unknown Source)
> > >         at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
> > >         at java.net.PlainSocketImpl.connect(Unknown Source)
> > >         at java.net.SocksSocketImpl.connect(Unknown Source)
> > >         at java.net.Socket.connect(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(Unknown Source)
> > >         at org.apache.commons.ssl.SSLClient.createSocket(SSLClient.java:189)
> > >         at org.apache.commons.ssl.SSLClient.createSocket(SSLClient.java:157)
> > >         at org.apache.commons.ssl.SSLClient.createSocket(SSLClient.java:149)
> > >         at org.apache.commons.ssl.Ping.main(Ping.java:136)
> > >
> > >
> > > On 5/5/06, Julius Davies <ju...@cucbc.com> wrote:
> > > >
> > > > Hi, Sudip,
> > > >
> > > > I'm working on a tool to help diagnose these kinds of problems.  Can you
> > > > try this tool and report back on the output?
> > > >
> > > > http://juliusdavies.ca/commons-ssl/
> > > >
> > > > In particular, download:
> > > >
> > > > http://juliusdavies.ca/commons-ssl/commons-ssl.jar
> > > >
> > > > And then run:
> > > >
> > > > java -jar commons-ssl.jar -t [mydomain.com]:443
> > > >
> > > > (You'll have to replace mydomain.com with the server in particular that
> > > > you are using.)
> > > >
> > > > yours,
> > > >
> > > > Julius
> > > >
> > > >
> > > >
> > > >     e.printStackTrace ();
> > > >   } finally {
> > > >     httpget.releaseConnection();
> > > >   }
> > > > ----------------------------------------------------------------
> > > >
> > > > I have tried this with/without the *EasySSLProtocolSocketFactory and
> I
> > > > get
> > > > the same result.   Searched through the archive but could not move
> > > > forward.
> > > >
> > > > In my case, all the SSL requests are handled by apache first, so is
> > > > there
> > > > something else that I have to do to make it work?... thanks....
> > > > *
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> --
> Julius Davies
> Senior Application Developer, Technology Services
> Credit Union Central of British Columbia
> http://www.cucbc.com/
> Tel: 604-730-6385
> Cel: 604-868-7571
> Fax: 604-737-5910
>
> 1441 Creekside Drive
> Vancouver, BC
> Canada
> V6J 4S7
>




---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org


Re: Fwd: SSLHandshakeException with apache+tomcat httpd server

Posted by Julius Davies <ju...@cucbc.com>.
Hi, Sudip,

Thanks for your interesting question!  I added a "proxy" option to the
"commons-ssl.jar" tool.

I realize you've already progressed on your problem, but would you mind
testing this option for me?

Here's the latest version:

http://juliusdavies.ca/commons-ssl/

In particular:

http://juliusdavies.ca/commons-ssl/commons-ssl.jar


Please try running:

java -jar commons-ssl.jar -t [mydomain.com]:443 -r [myproxy.com]:80

Does it work?



yours,

Julius

==============================================================================
Usage:  java -jar commons-ssl.jar [options]
Options:   (*=required)
*  -t  --target           [hostname[:port]]             default port=443
   -b  --bind             [hostname[:port]]             default port=0 "ANY"
   -r  --proxy            [hostname[:port]]             default port=80
   -c  --client-cert      [path to client certificate]  *.jks or *.pfx
   -p  --password         [client cert password]

Example:

java -jar commons-ssl.jar -t cucbc.com:443 -c ./client.pfx -p `cat ./pass.txt`
==============================================================================


On Fri, 2006-05-05 at 15:38 -0500, sudip shrestha wrote:
> I am not sure how to deploy the my.keystore file with the applet.  Thanks
> for any suggestions.
> 
> ---------- Forwarded message ----------
> From: sudip shrestha <su...@gmail.com>
> Date: May 5, 2006 2:08 PM
> Subject: Re: SSLHandshakeException with apache+tomcat httpd server
> To: Julius Davies <ju...@cucbc.com>
> 
> Hi,
> OK... This is what I did and fixed my problem:
> 1. I first got my keystore from CA-cert:
> keytool -import -trustcacerts -keystore my.keystore -file mydomain.com.crt -alias mydomainkey
> 2. Then I added a line before creating the new Protocol object with
> StrictSSLProtocolSocketFactory:
> ------------------
>     System.setProperty("javax.net.ssl.trustStore", "my.keystore");
> 
>     Protocol stricthttps = new Protocol( "https", new StrictSSLProtocolSocketFactory(true), 443);
>     httpclient.getHostConfiguration().setHost("mydomain.com", 443, stricthttps);
> 
>     httpclient.executeMethod( httpget );
>     System.out.println( new String( httpget.getResponseBody () ) );
> 
>     System.out.println( httpget.getStatusLine() );
> ------------------
> Then, I was able to get secure urls normally from mydomain.com.  But now I
> am wondering how do I put my.keystore file in the client machine, as these
> urls will be accessed by an Applet.
> 
> 
> 
> On 5/5/06, sudip shrestha <sudipx@gmail.com> wrote:
> >
> > Julius, Thanks for your reply.  We have a proxy server to go thru... How
> > do I define a proxy server/port in command line with java -jar
> > commons-ssl.jar -t [mydomain.com]:443?
> >
> > Because, right now, this is all I get:
> > java.net.SocketTimeoutException: connect timed out
> >         at java.net.PlainSocketImpl.socketConnect(Native Method)
> >         at java.net.PlainSocketImpl.doConnect (Unknown Source)
> >         at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
> >         at java.net.PlainSocketImpl.connect(Unknown Source)
> >         at java.net.SocksSocketImpl.connect(Unknown Source)
> >         at java.net.Socket.connect(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(Unknown
> > Source)
> >         at org.apache.commons.ssl.SSLClient.createSocket(SSLClient.java
> > :189)
> >         at org.apache.commons.ssl.SSLClient.createSocket (SSLClient.java
> > :157)
> >         at org.apache.commons.ssl.SSLClient.createSocket(SSLClient.java
> > :149)
> >         at org.apache.commons.ssl.Ping.main(Ping.java:136)
> >
> >
> > On 5/5/06, Julius Davies <ju...@cucbc.com> wrote:
> > >
> > > Hi, Sudip,
> > >
> > > I'm working on a tool to help diagnose these kinds of problems.  Can you
> > > try this tool and report back on the output?
> > >
> > > http://juliusdavies.ca/commons-ssl/
> > >
> > > In particular, download:
> > >
> > > http://juliusdavies.ca/commons-ssl/commons-ssl.jar
> > >
> > > And then run:
> > >
> > > java -jar commons-ssl.jar -t [mydomain.com]:443
> > >
> > > (You'll have to replace mydomain.com with the server in particular that
> > > you are using.)
> > >
> > > yours,
> > >
> > > Julius
> > >
> > >
> > >
> > > -----Original Message-----
> > > From:   sudip shrestha [mailto:sudipx@gmail.com]
> > > Sent:   Fri 5/5/2006 9:20 AM
> > > To:     httpclient-user@jakarta.apache.org
> > > Cc:
> > > Subject:        SSLHandshakeException with apache+tomcat httpd server
> > >
> > > Hi,
> > > I have an Apache httpd 2.0 server working with Tomcat 5.5.7 that serves
> > > dynamic content.  Only HTTPS requests are allowed by this server.  We have a
> > > trusted certificate from a CA, Comodo. I have written an applet that needs
> > > to talk to this server via SSL.
> > > I have added the cert from the CA to the JDK keystore with:  keytool -import
> > > -file mydomain.com.crt.
> > >
> > > So, when I use this piece of code below to make a connection I get an
> > > Exception:
> > >
> > > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
> > >         at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
> > >         at java.io.BufferedOutputStream.flush(Unknown Source)
> > >         at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:827)
> > >         at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1975)
> > >         at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
> > >         at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
> > >         at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
> > >         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
> > >         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
> > >         at main.main(main.java:54)
> > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >         at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
> > >         at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
> > >         at sun.security.validator.Validator.validate(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
> > >         ... 18 more
> > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
> > >         at java.security.cert.CertPathBuilder.build(Unknown Source)
> > >         ... 23 more
> > > ----------------------------------------------------------------
> > > Test Code:
> > > ---------------
> > >   HttpClient httpclient = new HttpClient();
> > >   GetMethod httpget = new GetMethod("https://mydomain.com/");
> > >   try {
> > >
> > >     //Protocol easyhttps = new Protocol("https", new EasySSLProtocolSocketFactory(), 443);
> > >     //Protocol.registerProtocol("https", easyhttps);
> > >
> > >     httpclient.executeMethod(httpget);
> > >
> > >     System.out.println( httpget.getStatusLine() );
> > >
> > >   } catch(Exception e) {
> > >     e.printStackTrace();
> > >   } finally {
> > >     httpget.releaseConnection();
> > >   }
> > > ----------------------------------------------------------------
> > >
> > > I have tried this with/without the EasySSLProtocolSocketFactory and I get
> > > the same result.   Searched through the archive but could not move forward.
> > >
> > > In my case, all the SSL requests are handled by apache first, so is there
> > > something else that I have to do to make it work?... thanks....
> > >
> >
-- 
Julius Davies
Senior Application Developer, Technology Services
Credit Union Central of British Columbia
http://www.cucbc.com/
Tel: 604-730-6385
Cel: 604-868-7571
Fax: 604-737-5910

1441 Creekside Drive
Vancouver, BC
Canada
V6J 4S7
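
Added example (editor's, not from the thread and not part of commons-ssl): the innermost exception in the trace comes from `java.security.cert.CertPathBuilder`, which tries to chain the certificate the server sent up to a trust anchor in the trust store the JVM is actually consulting. With no `javax.net.ssl.trustStore` set, that store is `jssecacerts` or `cacerts` under `<java-home>/lib/security`; `keytool -import -file mydomain.com.crt` without `-keystore`, as in the original post, writes to `~/.keystore`, which JSSE never reads. A second cause worth ruling out when Apache terminates the TLS connection: if mod_ssl has no `SSLCertificateChainFile`, the intermediate CA certificate is never sent and the builder cannot reach the root even when the root is trusted. The program below runs the same path-building step offline against a saved copy of the chain the server presents (PEM, leaf first, for instance the output of `openssl s_client -connect mydomain.com:443 -showcerts`) and a trust store, and names the issuer the store would have to contain. The class name, file names and password are placeholders.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: reproduce "unable to find valid certification path" offline.
 * usage: java ChainDiagnose server-chain.pem my.keystore changeit   (all placeholders)
 */
public class ChainDiagnose {

    /** Reads the certificates the server presented, leaf first (PEM or DER, any number). */
    static List<X509Certificate> readChain(InputStream in) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        for (Certificate c : cf.generateCertificates(in)) {
            chain.add((X509Certificate) c);
        }
        return chain;
    }

    static KeyStore loadTrustStore(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ts.load(in, password);
        } finally {
            in.close();
        }
        return ts;
    }

    /**
     * Runs the PKIX path builder that the JSSE trust manager runs during the handshake.
     * Returns null when a path from the leaf to an anchor in the trust store exists,
     * otherwise a diagnosis naming the issuer the trust store would have to contain.
     */
    static String diagnose(List<X509Certificate> chain, KeyStore trust) throws GeneralSecurityException {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        // throws InvalidAlgorithmParameterException if the store holds no trusted-certificate entries
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        params.setRevocationEnabled(false); // offline: no CRL/OCSP reachable, test path building only
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        try {
            CertPathBuilder.getInstance("PKIX").build(params);
            return null;
        } catch (CertPathBuilderException e) {
            X509Certificate top = chain.get(chain.size() - 1);
            return "no path to a trusted anchor (" + e.getMessage() + "); the chain ends with a certificate"
                    + " issued by " + top.getIssuerX500Principal().getName()
                    + " - that issuer, or a CA above it, must be a trusted entry in the trust store";
        }
    }

    public static void main(String[] args) throws Exception {
        InputStream pem = new FileInputStream(args[0]);
        List<X509Certificate> chain;
        try {
            chain = readChain(pem);
        } finally {
            pem.close();
        }
        for (int i = 0; i < chain.size(); i++) {
            System.out.println("[" + i + "] subject=" + chain.get(i).getSubjectX500Principal().getName()
                    + "  issuer=" + chain.get(i).getIssuerX500Principal().getName());
        }
        String problem = diagnose(chain, loadTrustStore(args[1], args[2].toCharArray()));
        System.out.println(problem == null ? "OK: chain validates against " + args[1] : problem);
    }
}
```

Run it once against the store the JVM really uses (`<java-home>/lib/security/cacerts`, password `changeit` by default) and once against whatever `-keystore` was given to keytool; the answer shows which of the two causes applies. If `mydomain.com.crt` in the fix quoted above is the server's own certificate rather than the CA's, importing it makes the leaf itself the trust anchor: the builder is satisfied, but the client stops working the day the certificate is renewed, so importing the CA or intermediate certificate is the durable choice.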



Fwd: SSLHandshakeException with apache+tomcat httpd server

Posted by sudip shrestha <su...@gmail.com>.
I am not sure how to deploy the my.keystore file with the applet.  Thanks
for any suggestions.

---------- Forwarded message ----------
From: sudip shrestha <su...@gmail.com>
Date: May 5, 2006 2:08 PM
Subject: Re: SSLHandshakeException with apache+tomcat httpd server
To: Julius Davies <ju...@cucbc.com>

Hi,
OK... This is what I did and fixed my problem:
1. I first got my keystore from CA-cert:
keytool -import -trustcacerts -keystore my.keystore -file mydomain.com.crt -alias mydomainkey
2. Then I added a line before creating the new Protocol object with
StrictSSLProtocolSocketFactory:
------------------
    System.setProperty("javax.net.ssl.trustStore", "my.keystore");

    Protocol stricthttps = new Protocol( "https", new StrictSSLProtocolSocketFactory(true), 443);
    httpclient.getHostConfiguration().setHost("mydomain.com", 443, stricthttps);

    httpclient.executeMethod( httpget );
    System.out.println( new String( httpget.getResponseBody () ) );

    System.out.println( httpget.getStatusLine() );
------------------
Then, I was able to get secure urls normally from mydomain.com.  But now I
am wondering how do I put my.keystore file in the client machine, as these
urls will be accessed by an Applet.



On 5/5/06, sudip shrestha <sudipx@gmail.com> wrote:
>
> Julius, Thanks for your reply.  We have a proxy server to go thru... How
> do I define a proxy server/port in command line with java -jar
> commons-ssl.jar -t [mydomain.com]:443?
>
> Because, right now, this is all I get:
> java.net.SocketTimeoutException: connect timed out
>         at java.net.PlainSocketImpl.socketConnect(Native Method)
>         at java.net.PlainSocketImpl.doConnect (Unknown Source)
>         at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
>         at java.net.PlainSocketImpl.connect(Unknown Source)
>         at java.net.SocksSocketImpl.connect(Unknown Source)
>         at java.net.Socket.connect(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(Unknown
> Source)
>         at org.apache.commons.ssl.SSLClient.createSocket(SSLClient.java
> :189)
>         at org.apache.commons.ssl.SSLClient.createSocket (SSLClient.java
> :157)
>         at org.apache.commons.ssl.SSLClient.createSocket(SSLClient.java
> :149)
>         at org.apache.commons.ssl.Ping.main(Ping.java:136)
>
>
> On 5/5/06, Julius Davies <ju...@cucbc.com> wrote:
> >
> > Hi, Sudip,
> >
> > I'm working on a tool to help diagnose these kinds of problems.  Can you
> > try this tool and report back on the output?
> >
> > http://juliusdavies.ca/commons-ssl/
> >
> > In particular, download:
> >
> > http://juliusdavies.ca/commons-ssl/commons-ssl.jar
> >
> > And then run:
> >
> > java -jar commons-ssl.jar -t [mydomain.com]:443
> >
> > (You'll have to replace mydomain.com with the server in particular that
> > you are using.)
> >
> > yours,
> >
> > Julius
> >
> >
> >
> > -----Original Message-----
> > From:   sudip shrestha [mailto:sudipx@gmail.com]
> > Sent:   Fri 5/5/2006 9:20 AM
> > To:     httpclient-user@jakarta.apache.org
> > Cc:
> > Subject:        SSLHandshakeException with apache+tomcat httpd server
> >
> > Hi,
> > I have an Apache httpd 2.0 server working with Tomcat 5.5.7 that serves
> > dynamic content.  Only HTTPS requests are allowed by this server.  We have a
> > trusted certificate from a CA, Comodo. I have written an applet that needs
> > to talk to this server via SSL.
> > I have added the cert from the CA to the JDK keystore with:  keytool -import
> > -file mydomain.com.crt.
> >
> > So, when I use this piece of code below to make a connection I get an
> > Exception:
> >
> > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
> >         at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
> >         at java.io.BufferedOutputStream.flush(Unknown Source)
> >         at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:827)
> >         at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1975)
> >         at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
> >         at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
> >         at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
> >         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
> >         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
> >         at main.main(main.java:54)
> > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >         at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
> >         at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
> >         at sun.security.validator.Validator.validate(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
> >         ... 18 more
> > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
> >         at java.security.cert.CertPathBuilder.build(Unknown Source)
> >         ... 23 more
> > ----------------------------------------------------------------
> > Test Code:
> > ---------------
> >   HttpClient httpclient = new HttpClient();
> >   GetMethod httpget = new GetMethod("https://mydomain.com/");
> >   try {
> >
> >     //Protocol easyhttps = new Protocol("https", new EasySSLProtocolSocketFactory(), 443);
> >     //Protocol.registerProtocol("https", easyhttps);
> >
> >     httpclient.executeMethod(httpget);
> >
> >     System.out.println( httpget.getStatusLine() );
> >
> >   } catch(Exception e) {
> >     e.printStackTrace();
> >   } finally {
> >     httpget.releaseConnection();
> >   }
> > ----------------------------------------------------------------
> >
> > I have tried this with/without the EasySSLProtocolSocketFactory and I get
> > the same result.   Searched through the archive but could not move forward.
> >
> > In my case, all the SSL requests are handled by apache first, so is there
> > something else that I have to do to make it work?... thanks....
> >
>
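
Added example (editor's, not code from the thread or from commons-ssl): `System.setProperty("javax.net.ssl.trustStore", ...)` is a JVM-wide switch that an unsigned applet is not permitted to flip, and it swaps the trust store for every other connection in that JVM as well. The factory below keeps the decision local to the HttpClient that needs it: it reads `my.keystore` as a resource packaged inside the applet jar (so the store travels with the applet and is covered by the jar signature when the applet is signed), builds an `SSLContext` from it, and is handed to HttpClient exactly like the `StrictSSLProtocolSocketFactory` in the post above. It is written against the HttpClient 3.x `SecureProtocolSocketFactory` interface as I know it (the three `createSocket` overloads inherited from `ProtocolSocketFactory`, including the 3.0 one taking `HttpConnectionParams`, plus the layered-socket one); the class name, the resource path `/my.keystore` and the password are placeholders. Because a raw JSSE `SSLSocket` validates the chain but not the host name, the factory compares the requested host with the certificate's dNSName SAN entries itself and rejects certificates that carry none.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.*;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/**
 * Added example, not code from the thread or from commons-ssl: an HttpClient 3.x
 * socket factory that trusts only the CA entries in a trust store bundled in the
 * applet jar, and checks the requested host against the server certificate.
 */
public class BundledTrustStoreSocketFactory implements SecureProtocolSocketFactory {

    private final SSLContext ctx;

    /** resourcePath is a classpath resource such as "/my.keystore" (placeholder name). */
    public BundledTrustStoreSocketFactory(String resourcePath, char[] password)
            throws IOException, GeneralSecurityException {
        InputStream in = BundledTrustStoreSocketFactory.class.getResourceAsStream(resourcePath);
        if (in == null) {
            throw new IOException("trust store resource not found: " + resourcePath);
        }
        try {
            KeyStore ts = KeyStore.getInstance("JKS");
            ts.load(in, password);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null); // no client key material, default SecureRandom
        } finally {
            in.close();
        }
    }

    /** Finishes the handshake and refuses the socket if the leaf certificate does not name the host. */
    private Socket verified(SSLSocket s, String host) throws IOException {
        s.startHandshake(); // chain validation against the bundled store happens here
        Certificate[] chain = s.getSession().getPeerCertificates();
        if (!matchesHost((X509Certificate) chain[0], host)) {
            s.close();
            throw new SSLPeerUnverifiedException("certificate does not name host " + host);
        }
        return s;
    }

    /** True if a dNSName SAN equals the host, or is a wildcard for the host's parent domain. */
    static boolean matchesHost(X509Certificate leaf, String host) throws IOException {
        Collection<List<?>> sans;
        try {
            sans = leaf.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            throw new IOException("unreadable subjectAltName extension: " + e.getMessage());
        }
        if (sans == null) {
            return false; // no SAN at all: reject rather than fall back to the CN
        }
        String h = host.toLowerCase();
        int dot = h.indexOf('.');
        for (List<?> san : sans) {
            if (((Integer) san.get(0)).intValue() != 2) { // GeneralName type 2 = dNSName
                continue;
            }
            String name = ((String) san.get(1)).toLowerCase();
            if (name.equals(h)) {
                return true;
            }
            // "*.example.com" covers exactly one label: "www.example.com", not "example.com"
            if (name.startsWith("*.") && dot > 0 && h.substring(dot).equals(name.substring(1))) {
                return true;
            }
        }
        return false;
    }

    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
        return verified((SSLSocket) ctx.getSocketFactory().createSocket(host, port), host);
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort)
            throws IOException, UnknownHostException {
        return verified((SSLSocket) ctx.getSocketFactory().createSocket(host, port, localAddress, localPort), host);
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort,
                               HttpConnectionParams params)
            throws IOException, UnknownHostException, ConnectTimeoutException {
        // HttpClient 3 passes the connection timeout in params; honour it instead of blocking forever
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket();
        s.bind(new InetSocketAddress(localAddress, localPort));
        try {
            s.connect(new InetSocketAddress(host, port), params.getConnectionTimeout());
        } catch (SocketTimeoutException e) {
            throw new ConnectTimeoutException("connect to " + host + ":" + port + " timed out");
        }
        return verified(s, host);
    }

    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException, UnknownHostException {
        return verified((SSLSocket) ctx.getSocketFactory().createSocket(socket, host, port, autoClose), host);
    }
}
```

Register it where the post above registers `stricthttps`: `new Protocol("https", new BundledTrustStoreSocketFactory("/my.keystore", "changeit".toCharArray()), 443)` (password is a constructed placeholder) passed to `httpclient.getHostConfiguration().setHost("mydomain.com", 443, ...)`. Whatever the bundled store contains is the complete trust list for those connections, which is the opposite trade-off from the commented-out contrib `EasySSLProtocolSocketFactory` in the original post: that class exists to let self-signed certificates through, so it is the wrong tool for a server with a CA-issued certificate.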

RE: SSLHandshakeException with apache+tomcat httpd server

Posted by Julius Davies <ju...@cucbc.com>.
Hi, Sudip,

I'm working on a tool to help diagnose these kinds of problems.  Can you try this tool and report back on the output?

http://juliusdavies.ca/commons-ssl/

In particular, download:

http://juliusdavies.ca/commons-ssl/commons-ssl.jar

And then run:

java -jar commons-ssl.jar -t [mydomain.com]:443

(You'll have to replace mydomain.com with the server in particular that you are using.)

yours,

Julius



-----Original Message-----
From:	sudip shrestha [mailto:sudipx@gmail.com]
Sent:	Fri 5/5/2006 9:20 AM
To:	httpclient-user@jakarta.apache.org
Cc:	
Subject:	SSLHandshakeException with apache+tomcat httpd server

Hi,
I have an Apache httpd 2.0 server working with Tomcat 5.5.7 that serves dynamic
content.  Only HTTPS requests are allowed by this server.  We have a
trusted certificate from a CA, Comodo. I have written an applet that needs
to talk to this server via SSL.
I have added the cert from the CA to the JDK keystore with:  keytool -import
-file mydomain.com.crt.

So, when I use this piece of code below to make a connection I get an
Exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
        at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
        at java.io.BufferedOutputStream.flush(Unknown Source)
        at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:827)
        at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1975)
        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
        at main.main(main.java:54)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
        ... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 23 more
----------------------------------------------------------------
Test Code:
---------------
  HttpClient httpclient = new HttpClient();
  GetMethod httpget = new GetMethod("https://mydomain.com/");
  try {

    //Protocol easyhttps = new Protocol("https", new EasySSLProtocolSocketFactory(), 443);
    //Protocol.registerProtocol("https", easyhttps);

    httpclient.executeMethod(httpget);

    System.out.println( httpget.getStatusLine() );

  } catch(Exception e) {
    e.printStackTrace();
  } finally {
    httpget.releaseConnection();
  }
----------------------------------------------------------------

I have tried this with/without the EasySSLProtocolSocketFactory and I get
the same result.   Searched through the archive but could not move forward.

In my case, all the SSL requests are handled by apache first, so is there
something else that I have to do to make it work?... thanks....
