Posted to httpclient-users@hc.apache.org by Betül AKIN <be...@ibb.gov.tr> on 2007/02/09 13:51:31 UTC

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException:

Hi,

I am connecting to an HTTPS site using HttpClient. It was working fine until today, when it started throwing the exception

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Fri Jan 09 11:03:00 CET 2007

in line

statusCode = client.executeMethod(authpost);

I was using the following lines

      // register the "Easy" SSL socket factory for https on the logon port
      Protocol myhttps = new Protocol("https", new EasySSLProtocolSocketFactory(), Sabitler.KIK_LOGON_PORT);
      HttpClient client = new HttpClient();
      client.getHostConfiguration().setHost(LOGON_SITE, LOGON_PORT, myhttps);

to connect. I googled the problem and came across someone who had the same problem (http://www.codeguru.com/forum/archive/index.php/t-322145.html). The solution suggested was changing the EasySSLProtocolSocketFactory in the following way:

SSLContext context = SSLContext.getInstance("SSL");
context.init(
    null,                                                   // default key managers
    new TrustManager[] { new EasyX509TrustManager(null) },  // "Easy" trust manager
    new SecureRandom());

it also said:

"also its important to keep javax.net.ssl apart from com.sun.net.ssl."

I tried it but it doesn't work for me. Can you suggest anything else? Also, what does he mean by "also its important to keep javax.net.ssl apart from com.sun.net.ssl."?

Thanks in advance;

Betul

**********************************************************************
Bu posta ve ekli dosyaları bilinen tüm viruslere karşı taranmıştır. Viruslere karşı tedbir olarak tanımadığınız kişi ve kuruluşlardan gelen postaları ve bilmediğiniz ekli dosyaları açmayınız.

This mail and its attachments have been scanned against all of the known viruses. As a precaution to viruses and other malicious codes, please do not open the mails and attached files coming from the people or entities that you are not sure to know.

RE: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException:

Posted by Betül AKIN <be...@ibb.gov.tr>.
Thanks your sample code did the trick.

-----Original Message-----
From: Julius Davies [mailto:juliusdavies@gmail.com] 
Sent: Friday, February 09, 2007 4:50 PM
To: HttpClient User Discussion
Subject: Re: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException:

Whoops, some misinformation in my last post.  Sorry about that.

EasyX509TrustManager.java checks Certificate expiry!  This line:

certificates[0].checkValidity();

http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasyX509TrustManager.java?revision=480424&view=markup

Looks like you want to stick to "Easy".  In that case modify the code
example I provided to include these additional security downgrades:

========================================
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.ssl.HttpSecureProtocol;
import org.apache.commons.ssl.TrustMaterial;

HttpSecureProtocol f = new HttpSecureProtocol();
f.setCheckExpiry( false );     // accept expired certificates
f.setCheckCRL( false );        // skip revocation (CRL) checking
f.setCheckHostname( false );   // skip hostname-vs-certificate matching
f.setTrustMaterial( TrustMaterial.TRUST_ALL );  // accept any issuer, including self-signed

// To avoid deprecation warnings:
ProtocolSocketFactory psf = f;
Protocol trustHttps = new Protocol("https-insecure", psf, 443);
Protocol.registerProtocol("https-insecure", trustHttps);

HttpClient client = new HttpClient();
GetMethod httpget = new GetMethod("https-insecure://mydomain.com/");
client.executeMethod(httpget);
String s = httpget.getStatusLine().toString();
System.out.println( "HTTPClient: " + s );
========================================

yours,

Julius



Re: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException:

Posted by Julius Davies <ju...@gmail.com>.
Whoops, some misinformation in my last post.  Sorry about that.

EasyX509TrustManager.java checks Certificate expiry!  This line:

certificates[0].checkValidity();

http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasyX509TrustManager.java?revision=480424&view=markup

Looks like you want to stick to "Easy".  In that case modify the code
example I provided to include these additional security downgrades:

========================================
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.ssl.HttpSecureProtocol;
import org.apache.commons.ssl.TrustMaterial;

HttpSecureProtocol f = new HttpSecureProtocol();
f.setCheckExpiry( false );     // accept expired certificates
f.setCheckCRL( false );        // skip revocation (CRL) checking
f.setCheckHostname( false );   // skip hostname-vs-certificate matching
f.setTrustMaterial( TrustMaterial.TRUST_ALL );  // accept any issuer, including self-signed

// To avoid deprecation warnings:
ProtocolSocketFactory psf = f;
Protocol trustHttps = new Protocol("https-insecure", psf, 443);
Protocol.registerProtocol("https-insecure", trustHttps);

HttpClient client = new HttpClient();
GetMethod httpget = new GetMethod("https-insecure://mydomain.com/");
client.executeMethod(httpget);
String s = httpget.getStatusLine().toString();
System.out.println( "HTTPClient: " + s );
========================================

yours,

Julius




-- 
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/

Re: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException:

Posted by Julius Davies <ju...@gmail.com>.
Hi, Betul,

Have you read the HttpClient SSL Guide?
http://jakarta.apache.org/commons/httpclient/sslguide.html

You should try to avoid EasySSLProtocolSocketFactory.  It makes the
security of "https" useless.  Using EasySSLProtocolSocketFactory is
like clicking on all of the following browser popups:

"The certificate for the https site is expired.  Do you still want to
continue?"

"The certificate for the https site is not signed by a trusted
authority.  Do you still want to continue?"

"The hostname specified does not match the hostname in the certificate.
Do you still want to continue?"


If you have any control or influence over the server's certificate you
should try to get a new certificate.

If not, this is probably the least insecure workaround, since the only
"warning popup" it is "clicking" is the expired certificate warning,
as opposed to all three!  (Nonetheless, this is still NOT RECOMMENDED.
 Buying a new certificate is the best way to go.)

#1.  Download not-yet-commons-ssl.jar from here:
http://juliusdavies.ca/commons-ssl/download.html

#2.  Code your use of HttpClient like so:

======================================
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.ssl.HttpSecureProtocol;

HttpSecureProtocol f = new HttpSecureProtocol();
// We're okay with expired certificates.
f.setCheckExpiry( false );

// To avoid deprecation warnings:
ProtocolSocketFactory psf = f;
Protocol trustHttps = new Protocol("https-expired", psf, 443);
Protocol.registerProtocol("https-expired", trustHttps);

HttpClient client = new HttpClient();
GetMethod httpget = new GetMethod("https-expired://mydomain.com/");
client.executeMethod(httpget);
String s = httpget.getStatusLine().toString();
System.out.println( "HTTPClient: " + s );
======================================
Notice that only URL's of the form "https-expired://" will allow
expired certificates after this code has executed.  Regular "https://"
URL's still get full security.

Another option is to use Sun Java 1.3 with the JSSE extension.  That
combination doesn't bother checking certificate expiry!


yours,

Julius






-- 
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/
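Added illustration of the point both of Julius's replies make (waive one check, not all three, and only for the host that needs it): a trust manager written against the standard javax.net.ssl API that tolerates expiry only for a single certificate pinned by its SHA-256 fingerprint, while every other server still gets full default validation. This is editor-added code, not from the thread, HttpClient or not-yet-commons-ssl; the class name, PIN_SHA256_HEX and context() are assumptions.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example: waives ONE check (expiry) for ONE certificate (pinned by SHA-256).
// Every other server goes through the JSSE default trust manager unchanged, and a
// different certificate on the pinned host fails too. PIN_SHA256_HEX is a placeholder.
public final class ExpiredPinTrustManager implements X509TrustManager {
    static final String PIN_SHA256_HEX = "REPLACE_WITH_SHA256_HEX_OF_DER_LEAF_CERT";
    private final X509TrustManager defaultTm;

    public ExpiredPinTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                 // null = the JRE's cacerts trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        this.defaultTm = found;
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        try {
            defaultTm.checkServerTrusted(chain, authType);   // full PKIX validation first
        } catch (CertificateException e) {
            X509Certificate leaf = chain[0];
            // Accept only if (a) the leaf is byte-for-byte the pinned certificate, so the
            // pin rather than the chain vouches for identity, and (b) expiry is what failed.
            if (!fingerprint(leaf).equalsIgnoreCase(PIN_SHA256_HEX)) throw e;
            try { leaf.checkValidity(); } catch (CertificateExpiredException expired) { return; }
            throw e;   // pinned certificate is not expired, so the failure has another cause
        }
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { defaultTm.checkClientTrusted(chain, authType); }
    public X509Certificate[] getAcceptedIssuers() { return defaultTm.getAcceptedIssuers(); }
    static String fingerprint(X509Certificate c) throws CertificateException {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
    }
    // SSLContext to hand to a custom ProtocolSocketFactory in place of the "Easy" one.
    public static SSLContext context() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ExpiredPinTrustManager() }, null);
        return ctx;
    }
}
```

A trust manager never verifies the hostname, so hostname checking must stay enabled in whatever socket factory wraps this context; that way only the "expired" warning is being clicked, and only for one known certificate.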

Re: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException:

Posted by Roland Weber <RO...@de.ibm.com>.
Hello Betül,

> I am connecting to an Https site using Httpclient. It was working 
> fine until today when it started throwing the exception 
> 
> javax.net.ssl.SSLHandshakeException: java.security.cert.
> CertificateExpiredException: NotAfter: Fri Jan 09 11:03:00 CET 2007

You should verify the fixlevel of your Java installation.
If it is up to date, file a bug report with the provider
of the JSSE. It should have stopped working a month ago
on Jan 9, not today on Feb 9.

Meanwhile, contact the server administrator, as a new SSL
certificate must be installed.

And follow Julius' advice about not using the "Easy" SSL factory.

hope that helps,
  Roland