Posted to users@tomcat.apache.org by Rainer Frey <fr...@inxmail.de> on 2006/06/23 10:06:52 UTC
HTTPS client connection from JSP
Hi all,
I have the following problem: a JSP opens an HTTPS connection to read a web
page's content. On one server this fails with:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA12275)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA12275)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA12275)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:626)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(DashoA12275)
    at org.apache.jsp.test_005fmrf_jsp._jspService(test_005fmrf_jsp.java:181)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
The target site has a valid Equifax Global Secure eBusiness CA
certificate. The root certificate is included in JDK's cacert keystore.
What is confusing: on another server it works, with the same versions of Tomcat
(5.0.24) and Java (1.4.2_10). The main difference is that the non-working
server has an HTTPS connector itself, with a Thawte SSL certificate. The
JSP in question isn't accessed over HTTPS though. The working test
server had no HTTPS defined, but I added one and created a self-signed
certificate, and it still worked.
Configuration of non-working server:
<Connector port="443"
maxThreads="150" minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="${catalina.home}/../webapps/.keystore"
keystorePass="$$$$$$$$$$$$$$" />
${catalina.home}/../webapps/.keystore only contains the server
certificate, not trusted certificate entries. As you see, a
trustStoreFile is not set, so the JDK default cacerts should be used.
The CA root certificate of our own server certificate is also not
included in the keystore, but is by default in cacerts. HTTPS to this
server works.
Configuration of working server:
<Connector port="8443"
maxThreads="150" minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="${catalina.home}/../webapps/.keystore"
keystorePass="$$$$$$$$$$" />
${catalina.home}/../webapps/.keystore only contains the self-signed
certificate. The difference, AFAIS, is only self-signed vs. CA-signed
certificate. My colleague did additional tests with the result: it works
on servers that have no HTTPS configured, and on servers that do HTTPS
with self-signed certificates. But it does not work on servers with
CA-signed SSL certificates.
Any ideas what the problem might be?
Rainer Frey
--
Software Development
------------------------------------------------------
Inxmail GmbH
Kaiser-Joseph-Str. 274, 79098 Freiburg, Germany
Web http://www.inxmail.de
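A diagnostic that can be dropped into the failing Tomcat's JVM (or run with the same JAVA_OPTS) to narrow down a "No trusted certificate found" that appears on one server only. It is an added example, not code from the poster or from Tomcat: it resolves the trust store the way JSSE does (the javax.net.ssl.trustStore property, else jssecacerts, else cacerts), lists the trusted CAs whose subject contains a name you pass in, then attempts the same HttpsURLConnection the JSP makes. The URL and the CA name substring (e.g. "Equifax") are command-line arguments and are assumptions of this example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Reports which trust store JSSE will use, lists matching trusted CAs, then tries the connection. */
public class TrustStoreCheck {
    /** Same lookup order JSSE uses: javax.net.ssl.trustStore, then jssecacerts, then cacerts. */
    static String effectiveTrustStorePath() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null) return configured;
        String dir = System.getProperty("java.home") + File.separator + "lib" + File.separator + "security" + File.separator;
        return new File(dir + "jssecacerts").exists() ? dir + "jssecacerts" : dir + "cacerts";
    }
    /** Loads the store (a null password still allows reading a JKS) and returns its accepted issuers. */
    static X509Certificate[] trustedIssuers(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(path);
        try { ks.load(in, null); } finally { in.close(); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        TrustManager[] tms = tmf.getTrustManagers();
        for (int i = 0; i < tms.length; i++) {
            if (tms[i] instanceof X509TrustManager) return ((X509TrustManager) tms[i]).getAcceptedIssuers();
        }
        return new X509Certificate[0];
    }
    /** args[0]: the HTTPS URL the JSP fetches; args[1]: substring of the expected CA subject, e.g. "Equifax" (assumed). */
    public static void main(String[] args) throws Exception {
        String path = effectiveTrustStorePath();
        System.out.println("trust store in use: " + path);
        X509Certificate[] issuers = trustedIssuers(path);
        for (int i = 0; i < issuers.length; i++) {
            String dn = issuers[i].getSubjectX500Principal().getName();
            if (dn.indexOf(args[1]) >= 0) System.out.println("trusted CA: " + dn);
        }
        // Connect with the JVM default SSLSocketFactory, exactly as HttpsURLConnection in the JSP does.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        try { conn.connect(); System.out.println("handshake OK, HTTP status " + conn.getResponseCode()); }
        catch (SSLHandshakeException e) { System.out.println("handshake failed: " + e.getMessage()); }
    }
}
```

If the reported trust store differs between the working and the failing server, or the expected CA is missing from the list on the failing one, the trust store in effect for the JVM, not the Connector's keystore, is where to look.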