Posted to users@tomcat.apache.org by Jihwan Kim <ji...@gmail.com> on 2006/02/22 22:00:18 UTC

Detect expired server certificate

Hi,
I have this in my server.xml
    <Connector port="443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="c:/j2sdk1.4.2_09/jre/lib/security/cacerts"
               keystorePass="XXXX" />

cacerts is a self signed certificate.

When the certificate is expired, I would like to detect it and send a
proper message to a client side user.
So, 1. how can I detect the expired cert from a Java application client.
      2. Can I detect the expired cert during the Tomcat startup?

Thank you.

Re: Detect expired server certificate

Posted by Jihwan Kim <ji...@gmail.com>.
BTW, we use the Apache Axis to make a connection between our client and
server.

On 2/23/06, Jihwan Kim <ji...@gmail.com> wrote:
>
> Thanks Bill,
>
> 1.  My client doesn't throw an exception if the client and server's cert
> is identical and both are expired. If only one of them is expired, it throws
> exception. I want to detect the expired situation even if both sides are
> expired.
>
> 2.  WebLogic detects expired cert. So, it means JSSE doesn't do this but
> does WebLogic have its own code to detect this?
>
> Thanks,
>
>
> On 2/22/06, Bill Barker <wb...@wilshire.com> wrote:
> >
> >
> > "Jihwan Kim" <ji...@gmail.com> wrote in message
> > news:a5a7f2cc0602221300w6f53d7c0u97f8ae86183630a4@mail.gmail.com...
> > >Hi,
> > >I have this in my server.xml
> > >    <Connector port="443"
> > >               maxThreads="150" minSpareThreads="25"
> > maxSpareThreads="75"
> > >               enableLookups="false" disableUploadTimeout="true"
> > >               acceptCount="100" debug="0" scheme="https" secure="true"
> > >               clientAuth="true" sslProtocol="TLS"
> > >     keystoreFile="c:/j2sdk1.4.2_09/jre/lib/security/cacerts"
> > >keystorePass="XXXX" />
> > >
> > >cacerts is a self signed certificate.
> > >
> > >When the certificate is expired, I would like to detect it and send a
> > >proper message to a client side user.
> >
> > This happens deep within JSSE, before normally any of your or Tomcat's
> > code
> > gets a chance to do anything.
> >
> > >So, 1. how can I detect the expired cert from a Java application
> > client.
> >
> > Unless you configure your own TrustManager, the client will throw an
> > exception when you try to connect.
> >
> > >      2. Can I detect the expired cert during the Tomcat startup?
> >
> > Strangely, JSSE doesn't do this.  Of course, there is nothing stopping
> > your
> > app from reading the cert from the KeyStore and checking yourself ;-).
> >
> > >
> > >Thank you.
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
>

Re: Detect expired server certificate

Posted by Bill Barker <wb...@wilshire.com>.
"Jihwan Kim" <ji...@gmail.com> wrote in message 
news:a5a7f2cc0602230736wcc3f699l56441992d7f2bff3@mail.gmail.com...
>Thanks Bill,
>
>1.  My client doesn't throw an exception if the client and server's cert is
>identical and both are expired. If only one of them is expired, it throws
>exception. I want to detect the expired situation even if both sides are
>expired.
>

Well, you could call HttpsURLConnection.getServerCertificates() and check 
:).  But if your connection is being masked by Axis, this probably won't 
work.

>2.  WebLogic detects expired cert. So, it means JSSE doesn't do this but
>does WebLogic have its own code to detect this?
>

Probably.  It's not too bad of an idea, actually (and not too hard to do :). 
When I can find where I put my spare cycles, I might even add it to Tomcat 
:).

>Thanks,




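For the client side, where Bill says a custom TrustManager is the only place to intervene, here is an added example (not from the thread, Axis or Tomcat) of an X509TrustManager that wraps the JRE default and calls checkValidity() on every certificate the server presents before delegating to normal path validation, so an expired certificate is reported with a clear message even in the case Jihwan describes, where JSSE raises none. It assumes the client connects through HttpsURLConnection (as Bill notes, a connection opened by Axis through its own socket factory will not pick this up); the class and method names are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Wraps the default X509TrustManager and explicitly enforces the validity
 *  period of every certificate the server presents before handing the chain
 *  to the normal JSSE path validation. (Added example, hypothetical names.) */
public class ValidityEnforcingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    public ValidityEnforcingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

    /** Throws a CertificateException naming the first expired or not-yet-valid cert. */
    static void requireValid(X509Certificate[] chain, Date now) throws CertificateException {
        for (X509Certificate c : chain) {
            try {
                c.checkValidity(now);   // throws if now is outside [notBefore, notAfter]
            } catch (CertificateException e) {
                throw new CertificateException("Server certificate " + c.getSubjectX500Principal()
                        + " is outside its validity period (" + c.getNotBefore() + " to "
                        + c.getNotAfter() + "): " + e.getMessage(), e);
            }
        }
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        requireValid(chain, new Date());                 // explicit expiry check first
        delegate.checkServerTrusted(chain, authType);    // then normal JSSE validation
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    /** Installs the wrapper as the default SSLSocketFactory for HttpsURLConnection. */
    public static void install() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null = the JRE default truststore (cacerts)
        X509TrustManager dflt = null;
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) { dflt = (X509TrustManager) tm; break; }
        if (dflt == null) throw new IllegalStateException("no X509TrustManager available");
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null KeyManagers = defaults from javax.net.ssl.keyStore, needed for clientAuth="true"
        ctx.init(null, new TrustManager[] { new ValidityEnforcingTrustManager(dflt) }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Call install() once at client startup; the CertificateException message then surfaces in the SSLHandshakeException the connection attempt throws, which is what to show the user.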


Re: Detect expired server certificate

Posted by Jihwan Kim <ji...@gmail.com>.
Thanks Bill,

1.  My client doesn't throw an exception if the client and server's cert is
identical and both are expired. If only one of them is expired, it throws
exception. I want to detect the expired situation even if both sides are
expired.

2.  WebLogic detects expired cert. So, it means JSSE doesn't do this but
does WebLogic have its own code to detect this?

Thanks,


On 2/22/06, Bill Barker <wb...@wilshire.com> wrote:
>
>
> "Jihwan Kim" <ji...@gmail.com> wrote in message
> news:a5a7f2cc0602221300w6f53d7c0u97f8ae86183630a4@mail.gmail.com...
> >Hi,
> >I have this in my server.xml
> >    <Connector port="443"
> >               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> >               enableLookups="false" disableUploadTimeout="true"
> >               acceptCount="100" debug="0" scheme="https" secure="true"
> >               clientAuth="true" sslProtocol="TLS"
> >     keystoreFile="c:/j2sdk1.4.2_09/jre/lib/security/cacerts"
> >keystorePass="XXXX" />
> >
> >cacerts is a self signed certificate.
> >
> >When the certificate is expired, I would like to detect it and send a
> >proper message to a client side user.
>
> This happens deep within JSSE, before normally any of your or Tomcat's
> code
> gets a chance to do anything.
>
> >So, 1. how can I detect the expired cert from a Java application client.
>
> Unless you configure your own TrustManager, the client will throw an
> exception when you try to connect.
>
> >      2. Can I detect the expired cert during the Tomcat startup?
>
> Strangely, JSSE doesn't do this.  Of course, there is nothing stopping
> your
> app from reading the cert from the KeyStore and checking yourself ;-).
>
> >
> >Thank you.
>
>
>
>
>
>

Re: Detect expired server certificate

Posted by Bill Barker <wb...@wilshire.com>.
"Jihwan Kim" <ji...@gmail.com> wrote in message 
news:a5a7f2cc0602221300w6f53d7c0u97f8ae86183630a4@mail.gmail.com...
>Hi,
>I have this in my server.xml
>    <Connector port="443"
>               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>               enableLookups="false" disableUploadTimeout="true"
>               acceptCount="100" debug="0" scheme="https" secure="true"
>               clientAuth="true" sslProtocol="TLS"
>     keystoreFile="c:/j2sdk1.4.2_09/jre/lib/security/cacerts"
>keystorePass="XXXX" />
>
>cacerts is a self signed certificate.
>
>When the certificate is expired, I would like to detect it and send a
>proper message to a client side user.

This happens deep within JSSE, before normally any of your or Tomcat's code 
gets a chance to do anything.

>So, 1. how can I detect the expired cert from a Java application client.

Unless you configure your own TrustManager, the client will throw an 
exception when you try to connect.

>      2. Can I detect the expired cert during the Tomcat startup?

Strangely, JSSE doesn't do this.  Of course, there is nothing stopping your 
app from reading the cert from the KeyStore and checking yourself ;-).

>
>Thank you.

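Bill's suggestion of reading the certificate from the KeyStore and checking it yourself, as an added example that is not from the thread or from Tomcat: a small Java program that loads the keystore named by the Connector's keystoreFile/keystorePass attributes and reports every certificate that is expired, not yet valid, or close to expiry, so a startup script can run it and refuse to launch Tomcat. The KeystoreExpiryCheck class name, the warnDays threshold and the use of the JKS keystore type (Tomcat's default keystoreType) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;

/** Reports every X.509 certificate in a keystore that is expired, not yet
 *  valid, or within warnDays of its notAfter date. (Added example, hypothetical name.) */
public class KeystoreExpiryCheck {
    public static List<String> findProblems(KeyStore ks, Date now, int warnDays) throws Exception {
        List<String> problems = new ArrayList<>();
        long warnMillis = warnDays * 24L * 60 * 60 * 1000;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);   // works for key and trusted-cert entries
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            String who = alias + " (" + x.getSubjectX500Principal() + ")";
            try {
                x.checkValidity(now);   // throws CertificateExpired/NotYetValidException
                if (x.getNotAfter().getTime() - now.getTime() < warnMillis)
                    problems.add(who + " expires soon: " + x.getNotAfter());
            } catch (CertificateException ex) {
                problems.add(who + " INVALID: " + ex.getMessage()
                             + " [notBefore=" + x.getNotBefore() + ", notAfter=" + x.getNotAfter() + "]");
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // args: <keystoreFile> <keystorePass> [warnDays]; the first two are the
        // same values as the Connector's keystoreFile / keystorePass attributes
        int warnDays = args.length > 2 ? Integer.parseInt(args[2]) : 30;
        KeyStore ks = KeyStore.getInstance("JKS");   // Tomcat's default keystoreType
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        List<String> problems = findProblems(ks, new Date(), warnDays);
        for (String p : problems) System.err.println("WARNING: " + p);
        System.exit(problems.isEmpty() ? 0 : 1);   // non-zero lets the startup script abort
    }
}
```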