- Bug
- Resolution: Fixed
- P1
- 1.0
- 1.0.1
- generic, x86, sparc
- generic, solaris_2.6, solaris_7, windows_98, windows_nt
======================================================================
Name: skT88420 Date: 01/18/2000
java version "1.2.1"
Solaris VM (build Solaris_JDK_1.2.1_04, native threads, sunwjit)
1. Modify the URLReader.java test program to connect to "https://store.sun.com".
Execute:
java -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol -Djavax.net.debug=all URLReader 1> out.1 2> out.2
2. Here's some code:
Security.addProvider( new com.sun.net.ssl.internal.ssl.Provider() );
URL verisign = new URL( "https://store.sun.com" );
BufferedReader in = new BufferedReader(
    new InputStreamReader(
        verisign.openStream()));
String inputLine;
while ((inputLine = in.readLine()) != null)
    System.out.println(inputLine);
in.close();
3. Here are the outputs:
-------------------------------- out.2 -----------------------------
Exception in thread "main" javax.net.ssl.SSLException: untrusted server cert chain
at java.lang.Throwable.fillInStackTrace(Native Method)
at java.lang.Throwable.fillInStackTrace(Compiled Code)
at java.lang.Throwable.<init>(Compiled Code)
at java.lang.Exception.<init>(Compiled Code)
at java.io.IOException.<init>(IOException.java:47)
at javax.net.ssl.SSLException.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Compiled Code)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Compiled Code)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Compiled Code)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Compiled Code)
at java.io.OutputStream.write(Compiled Code)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.NetworkClient.openServer([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpClient.d([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.New([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream(Compiled Code)
at java.net.URL.openStream(URL.java:818)
at URLReader.main(Compiled Code)
--------------------------------------------------------------------
-------------------------------- out.1 -----------------------------
%% No cached client session
*** ClientHello, v3.1
RandomCookie: GMT: 931400348 bytes = { 0, 52, 138, 214, 228, 55, 90, 237, 130,
190, 154, 80, 161, 63, 99, 6, 20, 128, 168, 147, 211, 85, 143, 227, 12, 220,
121, 11 }
Session ID: {}
Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17 }
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 59
0000: 01 00 00 37 03 01 38 84 0B 9C 00 34 8A D6 E4 37 ...7..8....4...7
0010: 5A ED 82 BE 9A 50 A1 3F 63 06 14 80 A8 93 D3 55 Z....P.?c......U
0020: 8F E3 0C DC 79 0B 00 00 10 00 05 00 04 00 09 00 ....y...........
0030: 0A 00 12 00 13 00 03 00 11 01 00 ...........
main, WRITE: SSL v3.1 Handshake, length = 59
[write] MD5 and SHA1 hashes: len = 77
0000: 01 03 01 00 24 00 00 00 20 00 00 05 00 00 04 01 ....$... .......
0010: 00 80 00 00 09 06 00 40 00 00 0A 07 00 C0 00 00 .......@........
0020: 12 00 00 13 00 00 03 02 00 80 00 00 11 38 84 0B .............8..
0030: 9C 00 34 8A D6 E4 37 5A ED 82 BE 9A 50 A1 3F 63 ..4...7Z....P.?c
0040: 06 14 80 A8 93 D3 55 8F E3 0C DC 79 0B ......U....y.
main, WRITE: SSL v2, contentType = 22, translated length = 16310
main, READ: SSL v3.0 Handshake, length = 1197
*** ServerHello, v3.0
RandomCookie: GMT: -648670906 bytes = { 193, 72, 12, 23, 218, 98, 245, 65,
213, 143, 96, 138, 2, 196, 118, 178, 54, 248, 219, 102, 45, 123, 117, 35, 39,
216, 143, 119 }
Session ID: {43, 225, 83, 214, 87, 132, 179, 147, 190, 114, 245, 115, 201,
106, 204, 7, 47, 78, 22, 10, 164, 136, 29, 224, 25, 221, 110, 137, 123, 192,
240, 190}
Cipher Suite: { 0, 3 }
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
** SSL_RSA_EXPORT_WITH_RC4_40_MD5
[read] MD5 and SHA1 hashes: len = 74
0000: 02 00 00 46 03 00 D9 56 11 46 C1 48 0C 17 DA 62 ...F...V.F.H...b
0010: F5 41 D5 8F 60 8A 02 C4 76 B2 36 F8 DB 66 2D 7B .A..`...v.6..f-.
0020: 75 23 27 D8 8F 77 20 2B E1 53 D6 57 84 B3 93 BE u#'..w +.S.W....
0030: 72 F5 73 C9 6A CC 07 2F 4E 16 0A A4 88 1D E0 19 r.s.j../N.......
0040: DD 6E 89 7B C0 F0 BE 00 03 00 .n........
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: CN=store.sun.com, OU=Computer Systems, O=Sun MicroSystems Inc.,
L=Chelmsfoed, ST=Massachusetts, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@b8eb51
Validity: [From: Wed Aug 18 17:00:00 PDT 1999,
To: Fri Aug 18 16:59:59 PDT 2000]
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security,
Inc.", C=US
SerialNumber: [ 386f126a 30f7da30 a99a4234 e4d1bce1 ]
]
Algorithm: [MD5withRSA]
Signature:
]
chain [1] = [
[
Version: V1
Subject: OU=Secure Server Certification Authority, O="RSA Data Security,
Inc.", C=US
Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@6124a6
Validity: [From: Wed Nov 09 15:54:17 PST 1994,
To: Fri Dec 31 15:54:17 PST 1999]
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security,
Inc.", C=US
SerialNumber: [ 02410000 01]
]
Algorithm: [MD2withRSA]
Signature:
]
***
main, SEND SSL v3.0 ALERT: fatal, description = certificate_unknown
main, WRITE: SSL v3.0 Alert, length = 2
--------------------------------------------------------------------
*** NOTICE *** Notice that chain[0] is valid but that chain[1] is outdated?
(Review ID: 100074)
======================================================================
Name: skT88420 Date: 01/19/2000
java version "1.2.2"
Classic VM(build-1.2.2-001, native threads, symcjit)
I keep getting an "untrusted server cert chain" whenever I try a connection via
https. This message is regardless of which site I connect to. Thanks.
This is the program:
import java.io.*;
import java.util.*;
import java.net.*;
import java.security.*;
public class RemoteCall {
    static boolean debug = true;
    public static void main(String args[]) {
        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        System.setProperty("java.protocol.handler.pkgs",
            "com.sun.net.ssl.internal.www.protocol");
        String sentence = "doc_id=8492348&loc_id=moriarty";
        try {
            if (debug)
                System.out.println("initialized https");
            URL rjf = new URL("https://www.verisign.com");
            if (debug)
                System.out.println(rjf.getProtocol());
            URLConnection un = rjf.openConnection();
            if (debug)
                System.out.println("after connection;");
            if (debug)
                System.out.println(rjf.getHost());
            if (debug)
                System.out.println(rjf.getPort());
            if (debug)
                System.out.println(rjf.getFile());
            if (debug)
                System.out.println(rjf.openStream());
            Object temp = rjf.getContent();
            System.out.println("Wrote content ");
        }
        catch (Exception e) {
            e.printStackTrace(System.out);
            System.out.println("Exception " + e.getMessage());
        }
    }
}
This is the message from the debug:
C:\jdk1.2.2\bin>java RemoteCall
initialized https
https
after connection;
www.verisign.com
-1
/
javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
at java.io.OutputStream.write(OutputStream.java:65)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.NetworkClient.openServer([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpClient.d([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.New([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
at java.net.URL.openStream(URL.java:818)
at RemoteCall.main(RemoteCall.java:39)
Exception untrusted server cert chain
(Review ID: 100154)
======================================================================
Name: skT88420 Date: 02/08/2000
java version "1.2.2"
Classic VM (build JDK-1.2.2-W, green threads, sunwjit)
When using the HTTPS protocol to connect to a site in the UK, I get a long
pause, then:
javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198], Compiled Code)
at java.io.OutputStream.write(OutputStream.java, Compiled Code)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.www.https.HttpsClient.doConnect([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.www.NetworkClient.openServer([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.www.https.HttpClient.d([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.www.https.HttpClient.<init>([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.www.https.HttpsClient.<init>([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.www.https.HttpsClient.New([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198], Compiled Code)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java, Compiled Code)
at rde.tools.http.Fetch.fetchURL(Fetch.java, Compiled Code)
at rde.tools.http.Fetch.main(Fetch.java, Compiled Code)
(Review ID: 100968)
======================================================================
[
bradford.wetmore@eng, the RE for this bug writes:
This bug got way out of hand. Anything remotely related to JSSE
around January 1, 2000 was put into this bug. There were four separate
problems reported in this bug:
1) The underlying bug that JSSE didn't allow expired certificates
in a certificate chain,
2) A bug in the JSSE test suite,
3) A configuration problem while installing JSSE, and
4) A problem with Symantec's VisualCafe, in which they
shipped a corrupted cacerts file.
The fix for this bug will only address 1) above. 2) was moved to
a new bug, see 4304940. 3) can be fixed by adding the
proper line in the config file, and 4) can be fixed by using
a valid cacerts file.
]
Name: sg39081 Date: 01/04/2000
This exception is the same as Bug Id 4283025 which closed as not a bug.
However, this example works fine for a 1999 date and does not work for
a Year 2000 date.
java version "1.2.2"
Classic VM (build JDK-1.2.2-W, native threads, symcjit)
When running the URLReaderWithOptions example jsse program with the command
line:
C:\jdk1.2.2\jsse1.0\samples\urls>java -classpath .;jcert.jar;jnet.jar;jsse.jar URLReaderWithOptions -k com.sun.net.ssl.internal.www.protocol -h proxy.cat.com -p 80
When run with the client's date set to Jan 4, 2000, the program crashes with
the following SSLException:
Exception in thread "main" javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
at java.io.OutputStream.write(OutputStream.java:65)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.NetworkClient.openServer([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpClient.d([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.New([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
at java.net.URL.openStream(URL.java:818)
at URLReaderWithOptions.main(URLReaderWithOptions.java, Compiled Code)
When the client's computer date is set to Dec. 31, 1999, verisign's html code
is displayed on the client without any exceptions.
The verisign home page certificate is valid through July of 2000.
I initially found this bug in some of my own code that downloads files from an
https secure server inside a firewall that exhibits the exact same bug as the
Sun example.
(Review ID: 99554)
======================================================================
Name: skT88420 Date: 01/04/2000
java version "1.2.2"
HotSpot VM (1.0.1, mixed mode, build g)
The HTTPS URLReader sample program worked until 1/1/2000. Same program now
produces an untrusted cert chain exception. Setting the PC clock back to any
date in December 1999, the sample program works fine.
The problem could be either a Root CA expiration, or a problem within the
JSSE. Other programs we have written using the JSSE are also failing after
12/31/99.
(Review ID: 99564)
======================================================================
Name: skT88420 Date: 01/05/2000
java version "1.2.2"
Classic VM (build JDK-1.2.2-W, native threads, symcjit)
System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
URL uIWF = new URL(strValue);
java.net.HttpURLConnection uConn = (java.net.HttpURLConnection) uIWF.openConnection();
then we get the error message:
> Exception while sending notification :
> javax.net.ssl.SSLException: untrusted
> server cert chain
This only happens when the computer's clock is set to the present date (year
2000).
When we switch it back to 1999 it works OK.
Thanks for your help,
vincent
(Review ID: 99639)
======================================================================
Name: skT88420 Date: 01/05/2000
java version "1.2.2 Symc"
[ Code snippet moved to attachments... wetmore ]
java.net.SocketException: SSL implementation not available
at javax.net.ssl.DefaultSSLSocketFactory.createSocket([DashoPro-V1.2-120198])
[ much of traceback moved to attachments... wetmore ]
at symantec.tools.debug.Agent.runMain(Native Method)
at symantec.tools.debug.MainThread.run(Agent.java:48)
[
bradford.wetmore@eng, the RE for this bug writes:
I am 99% sure this part of the report is due to a problem that Symantec
had with Visualcafe using Java2. In it, they shipped a
$JAVA_HOME/lib/security/cacerts file that was corrupt, or
was in a format that wasn't called out correctly in their
$JAVA_HOME/lib/security/java.security file.
We have contacted Symantec to let them
know about the problem. The workaround is to put a valid
cacerts file into place. You can get one from Sun's JDK distribution.
]
======================================================================
Name: skT88420 Date: 01/07/2000
Classic VM (build JDK-1.2.2-001, native threads, symcjit)
The following program produces an unexpected exception:
java.net.SocketException: SSL implementation not available
[ code snippet moved to attachment... wetmore ]
[
bradford.wetmore@eng, the RE for this bug writes:
Without more information, this one is probably due
to a configuration error. If your
provider was not installed into the java.security file correctly,
or wasn't dynamically added (the above source doesn't indicate
this), you will get the error "SSL Implementation not available".
I'll assume this is a red herring to the underlying bug,
unless I hear otherwise.
]
======================================================================
Name: skT88420 Date: 01/10/2000
java version "1.2.1"
Solaris VM (build Solaris_JDK_1.2.1_04, native threads, sunwjit)
I wrote a simple client program using JSSE, as follows:
-----------------------------------------------------------------------------
import java.io.*;
import java.net.*;
import java.security.*;
import javax.net.ssl.*;
public class Client {
    public static void main(String[] args) {
        try {
            Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
            SSLSocketFactory ssf = (SSLSocketFactory)SSLSocketFactory.getDefault();
            SSLSocket ss = (SSLSocket)ssf.createSocket("localhost", 10917);
            BufferedReader br =
                new BufferedReader(new InputStreamReader(ss.getInputStream()));
            System.out.println(br.readLine());
            ss.close();
        } catch(Exception e) { e.printStackTrace(); }
    }
}
-----------------------------------------------------------------------------
This program can be compiled without errors. But when I executed the Client,
the following exception occurred.
-----------------------------------------------------------------------------
java.net.SocketException: SSL implementation not available
at java.lang.Throwable.fillInStackTrace(Native Method)
at java.lang.Throwable.<init>(Throwable.java:94)
at java.lang.Exception.<init>(Exception.java:42)
at java.io.IOException.<init>(IOException.java:47)
at java.net.SocketException.<init>(SocketException.java:36)
at javax.net.ssl.DefaultSSLSocketFactory.createSocket([DashoPro-V1.2-120198])
at Client.main(Client.java:11)
-----------------------------------------------------------------------------
This exception occurs with or without the accepting server process.
(Review ID: 99755)
======================================================================
Name: skT88420 Date: 01/12/2000
java version "1.2.2"
Classic VM (build JDK-1.2.2-W, native threads, symcjit)
An RSA certificate from VeriSign expired on 12/31/99 no longer causes the Plug-
in to display the security dialog. The applet runs as untrusted and there is no
way to tell the Plug-in to trust it.
The applet in question was signed by following the documentation provided at
http://java.sun.com/products/plugin/1.2/docs/nsobjsigning.html. VeriSign was
chosen as the certificate authority. Signtool 1.1 was originally used to sign
the JAR file. The signing worked until 12/31/99 at which time the root
certificate expired. Note that the certificate itself does not expire for
several more months.
VeriSign's solution is to get Signtool 1.3 from Netscape and re-sign the JAR
file. This updates the certificate. Although the JAR file is verified as signed
using Netscape's Signtool 1.3 it does not cause the Java Plug-in to display its
dialog which allows the user to run the applet as trusted.
(Review ID: 99883)
======================================================================
Additional information from customer: ###@###.###
I have found more information surrounding this bug. I changed my computer's
date a number of times to see what dates the program failed on.
When I tried to hit an https site with a certificate that was valid from
5/23/99 to 5/23/00, the program would not work until my computer's date was
set to 5/26/99. It failed on the 23, 24, and 25th. It also continues to fail at
any date in the year 2000. I've attached a screen shot of the certificate of
the site I was hitting. The bitmap has been added to the attachments.
sheri.good@Eng 2000-01-13
Name: skT88420 Date: 01/14/2000
java version "1.2.2"
Classic VM (build JDK-1.2.2-W, native threads, symcjit)
Please try running jsse1.0/samples/url/URLReaderWithOptions.class
You get the following exception stacktrace:
Exception in thread "main" javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at java.io.OutputStream.write(OutputStream.java:65)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
..................
..................
With debugging turned on, you get the following:
%% No cached client session
*** ClientHello, v3.1
RandomCookie: GMT: 947817405 bytes = { 86, 232, 208, 221, 99, 231, 86, 148, 169, 101, 29, 43, 123, 119, 213, 0, 18, 184, 28, 234, 245, 33, 140, 173, 232, 137, 219, 162 }
Session ID: {}
Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17 }
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 59
0000: 01 00 00 37 03 01 38 7F 8C BD 56 E8 D0 DD 63 E7 ...7..8...V...c.
0010: 56 94 A9 65 1D 2B 7B 77 D5 00 12 B8 1C EA F5 21 V..e.+.w.......!
0020: 8C AD E8 89 DB A2 00 00 10 00 05 00 04 00 09 00 ................
0030: 0A 00 12 00 13 00 03 00 11 01 00 ...........
main, WRITE: SSL v3.1 Handshake, length = 59
[write] MD5 and SHA1 hashes: len = 77
0000: 01 03 01 00 24 00 00 00 20 00 00 05 00 00 04 01 ....$... .......
0010: 00 80 00 00 09 06 00 40 00 00 0A 07 00 C0 00 00 .......@........
0020: 12 00 00 13 00 00 03 02 00 80 00 00 11 38 7F 8C .............8..
0030: BD 56 E8 D0 DD 63 E7 56 94 A9 65 1D 2B 7B 77 D5 .V...c.V..e.+.w.
0040: 00 12 B8 1C EA F5 21 8C AD E8 89 DB A2 ......!......
main, WRITE: SSL v2, contentType = 22, translated length = 16310
main, READ: SSL v3.0 Handshake, length = 1312
*** ServerHello, v3.0
RandomCookie: GMT: 1003486232 bytes = { 91, 105, 221, 37, 110, 81, 176, 137, 242, 65, 43, 98, 184, 231, 56, 120, 218, 67, 179, 42, 18, 31, 130, 224, 219, 90, 253, 4 }
Session ID: {0, 0, 104, 18, 185, 168, 77, 2, 47, 191, 12, 32, 210, 250, 58, 7,
244, 42, 118, 15, 221, 86, 151, 97, 79, 232, 70, 218, 10, 77, 136, 104}
Cipher Suite: { 0, 4 }
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes: len = 74
0000: 02 00 00 46 03 00 3C D0 FC 18 5B 69 DD 25 6E 51 ...F..<...[i.%nQ
0010: B0 89 F2 41 2B 62 B8 E7 38 78 DA 43 B3 2A 12 1F ...A+b..8x.C.*..
0020: 82 E0 DB 5A FD 04 20 00 00 68 12 B9 A8 4D 02 2F ...Z.. ..h...M./
0030: BF 0C 20 D2 FA 3A 07 F4 2A 76 0F DD 56 97 61 4F .. ..:..*v..V.aO
0040: E8 46 DA 0A 4D 88 68 00 04 00 .F..M.h...
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: CN=netbenefits.401k.com, OU=Terms of use at www.verisign.com/RPA (c)99, OU=Firsco, O=Fidelity Investments, L=Marlboro, ST=Massachusetts, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@48ec3651
Validity: [From: Sun Nov 14 16:00:00 PST 1999,
To: Tue Dec 05 15:59:59 PST 2000]
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.",
C=US
SerialNumber: [ 48d36201 8d6e2e42 6542439a f7e28538 ]
]
Algorithm: [MD5withRSA]
Signature:
]
chain [1] = [
[
Version: V1
Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc."
, C=US
Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@45983651
Validity: [From: Wed Nov 09 15:54:17 PST 1994,
To: Fri Dec 31 15:54:17 PST 1999]
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.",
C=US
SerialN
]
Algorithm: [MD2withRSA]
Signature:
]
***
main, SEND SSL v3.0 ALERT: fatal, description = certificate_unknown
main, WRITE: SSL v3.0 Alert, length = 2
Exception in thread "main" javax.net.ssl.SSLException: untrusted server cert chain
Comment: one can see an expired certificate at chain[1] which seems to be
causing the problem. It looks like web browsers ignore such certificates from
server.
(Review ID: 99997)
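The diagnosis in the comment above (an expired chain[1] behind a still-valid chain[0]) can be read mechanically out of the -Djavax.net.debug=all output. The Java below is an added example, not code from this bug report or from JSSE: the class name ChainValidityCheck, its parsing rules and the two clock values are assumptions made for illustration, and the embedded dump is trimmed from the store.sun.com output quoted on this page.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: reports which element of a JSSE debug chain dump is outside its validity window. */
public class ChainValidityCheck {
    // The dump prints dates in java.util.Date.toString() layout.
    static final String DATE_LAYOUT = "EEE MMM dd HH:mm:ss zzz yyyy";
    static final Pattern CHAIN = Pattern.compile("^chain \\[(\\d+)\\] = \\[$");
    static final Pattern FIELD = Pattern.compile("^([A-Za-z][A-Za-z ]*): (.*)$");

    static final class Entry {
        final int index;
        String subject, issuer;
        Date notBefore, notAfter;
        Entry(int index) { this.index = index; }
        // Subject equal to Issuer marks a self-issued (root-style) certificate.
        boolean selfIssued() { return subject != null && subject.equals(issuer); }
        // Same inclusive window that X509Certificate.checkValidity(Date) applies.
        String statusAt(Date when) {
            if (notBefore == null || notAfter == null) return "validity not parsed";
            if (when.before(notBefore)) return "NOT YET VALID";
            if (when.after(notAfter)) return "EXPIRED";
            return "valid";
        }
    }

    static List<Entry> parse(String dump) throws ParseException {
        SimpleDateFormat fmt = new SimpleDateFormat(DATE_LAYOUT, Locale.US);
        List<Entry> chain = new ArrayList<>();
        Entry cur = null;
        String last = "";  // field the previous line belonged to, for wrapped DN lines
        for (String raw : dump.split("\n")) {
            String line = raw.trim();
            Matcher c = CHAIN.matcher(line);
            if (c.matches()) {
                chain.add(cur = new Entry(Integer.parseInt(c.group(1))));
                last = "";
            } else if (cur == null || line.isEmpty() || line.equals("[") || line.equals("]")) {
                last = "";
            } else {
                Matcher f = FIELD.matcher(line);
                if (f.matches()) {
                    last = f.group(1);
                    String v = f.group(2);
                    if (last.equals("Subject")) cur.subject = v;
                    else if (last.equals("Issuer")) cur.issuer = v;
                    else if (last.equals("Validity"))  // "Validity: [From: <date>,"
                        cur.notBefore = fmt.parse(v.replaceFirst("^\\[From: ", "").replaceFirst(",$", ""));
                    else if (last.equals("To"))        // "To: <date>]"
                        cur.notAfter = fmt.parse(v.replaceFirst("\\]$", ""));
                } else if (last.equals("Subject")) {
                    cur.subject += " " + line;         // wrapped continuation of the DN
                } else if (last.equals("Issuer")) {
                    cur.issuer += " " + line;
                }
            }
        }
        return chain;
    }

    public static void main(String[] args) throws ParseException {
        // Trimmed from the store.sun.com dump on this page (key, serial and signature lines omitted).
        String dump = String.join("\n",
            "chain [0] = [",
            "[",
            "Subject: CN=store.sun.com, OU=Computer Systems, O=Sun MicroSystems Inc.,",
            "L=Chelmsfoed, ST=Massachusetts, C=US",
            "Validity: [From: Wed Aug 18 17:00:00 PDT 1999,",
            "To: Fri Aug 18 16:59:59 PDT 2000]",
            "Issuer: OU=Secure Server Certification Authority, O=\"RSA Data Security,",
            "Inc.\", C=US",
            "]",
            "chain [1] = [",
            "[",
            "Subject: OU=Secure Server Certification Authority, O=\"RSA Data Security,",
            "Inc.\", C=US",
            "Validity: [From: Wed Nov 09 15:54:17 PST 1994,",
            "To: Fri Dec 31 15:54:17 PST 1999]",
            "Issuer: OU=Secure Server Certification Authority, O=\"RSA Data Security,",
            "Inc.\", C=US",
            "]");
        SimpleDateFormat fmt = new SimpleDateFormat(DATE_LAYOUT, Locale.US);
        // Assumed client clocks, chosen to mirror the reports (works in 1999, fails in 2000).
        String[] clocks = { "Fri Dec 31 12:00:00 PST 1999", "Tue Jan 04 12:00:00 PST 2000" };
        for (String clock : clocks) {
            Date now = fmt.parse(clock);
            System.out.println("Client clock: " + clock);
            for (Entry e : parse(dump)) {
                System.out.println("  chain[" + e.index + "] " + e.statusAt(now)
                    + (e.selfIssued() ? " (self-issued)" : "") + "  " + e.subject);
            }
        }
    }
}
```

With the embedded dump, chain[1] is reported as EXPIRED and self-issued under the January 2000 clock while chain[0] stays valid, which matches the behaviour the submitters describe.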
======================================================================
Name: skT88420 Date: 01/18/2000
java version "1.2.1"
Solaris VM (build Solaris_JDK_1.2.1_04, native threads, sunwjit)
1. Modify the URLReader.java test program to connect to "https://store.sun.com".
Execute:
java -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol -Djavax.net.debug=all URLReader 1> out.1 2> out.2
2. Here's some code:
Security.addProvider( new com.sun.net.ssl.internal.ssl.Provider() );
URL verisign = new URL( "https://store.sun.com" );
BufferedReader in = new BufferedReader(
    new InputStreamReader(
        verisign.openStream()));
String inputLine;
while ((inputLine = in.readLine()) != null)
    System.out.println(inputLine);
in.close();
3. Here are the outputs:
-------------------------------- out.2 -----------------------------
Exception in thread "main" javax.net.ssl.SSLException: untrusted server cert chain
at java.lang.Throwable.fillInStackTrace(Native Method)
at java.lang.Throwable.fillInStackTrace(Compiled Code)
at java.lang.Throwable.<init>(Compiled Code)
at java.lang.Exception.<init>(Compiled Code)
at java.io.IOException.<init>(IOException.java:47)
at javax.net.ssl.SSLException.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Compiled Code)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Compiled Code)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Compiled Code)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Compiled Code)
at java.io.OutputStream.write(Compiled Code)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.NetworkClient.openServer([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpClient.d([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.New([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream(Compiled Code)
at java.net.URL.openStream(URL.java:818)
at URLReader.main(Compiled Code)
--------------------------------------------------------------------
-------------------------------- out.1 -----------------------------
%% No cached client session
*** ClientHello, v3.1
RandomCookie: GMT: 931400348 bytes = { 0, 52, 138, 214, 228, 55, 90, 237, 130,
190, 154, 80, 161, 63, 99, 6, 20, 128, 168, 147, 211, 85, 143, 227, 12, 220,
121, 11 }
Session ID: {}
Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17 }
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 59
main, WRITE: SSL v3.1 Handshake, length = 59
[write] MD5 and SHA1 hashes: len = 77
main, WRITE: SSL v2, contentType = 22, translated length = 16310
main, READ: SSL v3.0 Handshake, length = 1197
*** ServerHello, v3.0
RandomCookie: GMT: -648670906 bytes = { 193, 72, 12, 23, 218, 98, 245, 65,
213, 143, 96, 138, 2, 196, 118, 178, 54, 248, 219, 102, 45, 123, 117, 35, 39,
216, 143, 119 }
Session ID: {43, 225, 83, 214, 87, 132, 179, 147, 190, 114, 245, 115, 201,
106, 204, 7, 47, 78, 22, 10, 164, 136, 29, 224, 25, 221, 110, 137, 123, 192,
240, 190}
Cipher Suite: { 0, 3 }
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
** SSL_RSA_EXPORT_WITH_RC4_40_MD5
[read] MD5 and SHA1 hashes: len = 74
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: CN=store.sun.com, OU=Computer Systems, O=Sun MicroSystems Inc.,
L=Chelmsfoed, ST=Massachusetts, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@b8eb51
Validity: [From: Wed Aug 18 17:00:00 PDT 1999,
To: Fri Aug 18 16:59:59 PDT 2000]
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security,
Inc.", C=US
SerialNumber: [ 386f126a 30f7da30 a99a4234 e4d1bce1 ]
]
Algorithm: [MD5withRSA]
Signature:
]
chain [1] = [
[
Version: V1
Subject: OU=Secure Server Certification Authority, O="RSA Data Security,
Inc.", C=US
Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@6124a6
Validity: [From: Wed Nov 09 15:54:17 PST 1994,
To: Fri Dec 31 15:54:17 PST 1999]
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security,
Inc.", C=US
SerialNumber: [ 02410000 01]
]
Algorithm: [MD2withRSA]
Signature:
]
***
main, SEND SSL v3.0 ALERT: fatal, description = certificate_unknown
main, WRITE: SSL v3.0 Alert, length = 2
--------------------------------------------------------------------
*** NOTICE *** Notice that chain[0] is valid but that chain[1] is outdated?
(Review ID: 100074)
======================================================================
Name: skT88420 Date: 01/19/2000
java version "1.2.2"
Classic VM(build-1.2.2-001, native threads, symcjit)
I keep getting an "untrusted server cert chain" whenever I try a connection via
https. This message appears regardless of which site I connect to. Thanks.
This is the program:
import java.io.*;
import java.util.*;
import java.net.*;
import java.security.*;
public class RemoteCall {
    static boolean debug = true;
    public static void main(String args[]) {
        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        System.setProperty("java.protocol.handler.pkgs",
                "com.sun.net.ssl.internal.www.protocol");
        String sentence = "doc_id=8492348&loc_id=moriarty";
        try {
            if (debug)
                System.out.println("initialized https");
            URL rjf = new URL("https://www.verisign.com");
            if (debug)
                System.out.println(rjf.getProtocol());
            URLConnection un = rjf.openConnection();
            if (debug)
                System.out.println("after connection;");
            if (debug)
                System.out.println(rjf.getHost());
            if (debug)
                System.out.println(rjf.getPort());
            if (debug)
                System.out.println(rjf.getFile());
            if (debug)
                System.out.println(rjf.openStream());
            Object temp = rjf.getContent();
            System.out.println("Wrote content ");
        }
        catch (Exception e) {
            e.printStackTrace(System.out);
            System.out.println("Exception " + e.getMessage());
        }
    }
}
This is the message from the debug:
C:\jdk1.2.2\bin>java RemoteCall
initialized https
https
after connection;
www.verisign.com
-1
/
javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
at java.io.OutputStream.write(OutputStream.java:65)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.NetworkClient.openServer([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpClient.d([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.New([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
at java.net.URL.openStream(URL.java:818)
at RemoteCall.main(RemoteCall.java:39)
Exception untrusted server cert chain
(Review ID: 100154)
======================================================================
Name: skT88420 Date: 02/08/2000
java version "1.2.2"
Classic VM (build JDK-1.2.2-W, green threads, sunwjit)
When using the HTTPS protocol to connect to a site in the UK, I get a long
pause, then:
javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198], Compiled Code)
at java.io.OutputStream.write(OutputStream.java, Compiled Code)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.www.https.HttpsClient.doConnect([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.www.NetworkClient.openServer([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.www.https.HttpClient.d([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.www.https.HttpClient.<init>([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.www.https.HttpsClient.<init>([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.www.https.HttpsClient.New([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198], Compiled Code)
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198], Compiled Code)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java, Compiled Code)
at rde.tools.http.Fetch.fetchURL(Fetch.java, Compiled Code)
at rde.tools.http.Fetch.main(Fetch.java, Compiled Code)
(Review ID: 100968)
======================================================================
[
bradford.wetmore@eng, the RE for this bug writes:
This bug got way out of hand. Anything remotely related to JSSE
around January 1, 2000 was put into this bug. There were four separate
problems reported in this bug:
1) The underlying bug that JSSE didn't allow expired certificates
in a certificate chain,
2) A bug in the JSSE test suite,
3) A configuration problem while installing JSSE, and
4) A problem with Symantec's VisualCafe, in which they
shipped a corrupted cacerts file.
The fix for this bug will only address 1) above. 2) was moved to
a new bug, see 4304940. 3) can be fixed by adding the
proper line in the config file, and 4) can be fixed by using
a valid cacerts file.
]
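An added example (not code from these reports or from JSSE): a small Java triage helper that reads the `chain [n]` and `Validity:` lines of `-Djavax.net.debug=all` output and reports which chain element is outside its validity window at a given clock setting, which is problem 1) above. The class and method names, the two clock values and the truncated `chain [2]` entry are assumptions made for illustration; the other sample lines are copied from the store.sun.com debug output on this page.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ChainValidityTriage {
    // Sample input: the chain/validity lines of the store.sun.com debug output
    // on this page, plus one constructed entry cut off before its "To:" line.
    static final String SAMPLE = String.join("\n",
        "chain [0] = [",
        "Validity: [From: Wed Aug 18 17:00:00 PDT 1999,",
        "To: Fri Aug 18 16:59:59 PDT 2000]",
        "chain [1] = [",
        "Validity: [From: Wed Nov 09 15:54:17 PST 1994,",
        "To: Fri Dec 31 15:54:17 PST 1999]",
        "chain [2] = [",
        "Validity: [From: Wed Nov 09 15:54:17 PST 1994,");

    static final Pattern CHAIN = Pattern.compile("^chain \\[(\\d+)\\]");
    static final Pattern FROM = Pattern.compile("From: (.+?),\\s*$");
    static final Pattern TO = Pattern.compile("To: (.+?)\\]\\s*$");

    static final class Entry {
        final int index;
        final Date notBefore;
        final Date notAfter;
        Entry(int index, Date notBefore, Date notAfter) {
            this.index = index;
            this.notBefore = notBefore;
            this.notAfter = notAfter;
        }
    }

    // The debug output prints dates in the java.util.Date.toString() layout.
    static Date parseDate(String text) throws ParseException {
        return new SimpleDateFormat("EEE MMM dd HH:mm:ss zzz yyyy", Locale.US).parse(text);
    }

    // Collect one Entry per chain element that has both a From and a To date;
    // an element whose output was truncated is skipped rather than guessed.
    static List<Entry> parse(String log) throws ParseException {
        List<Entry> entries = new ArrayList<>();
        int index = -1;
        Date from = null;
        for (String line : log.split("\\r?\\n")) {
            String t = line.trim();
            Matcher m = CHAIN.matcher(t);
            if (m.find()) { index = Integer.parseInt(m.group(1)); from = null; continue; }
            m = FROM.matcher(t);
            if (m.find()) { from = parseDate(m.group(1)); continue; }
            m = TO.matcher(t);
            if (m.find() && index >= 0 && from != null) {
                entries.add(new Entry(index, from, parseDate(m.group(1))));
                from = null;
            }
        }
        return entries;
    }

    // Inclusive bounds, matching X509Certificate.checkValidity(Date).
    static List<String> findings(List<Entry> chain, Date clock) {
        List<String> out = new ArrayList<>();
        for (Entry e : chain) {
            if (clock.before(e.notBefore)) {
                out.add("chain[" + e.index + "] not valid before " + e.notBefore);
            } else if (clock.after(e.notAfter)) {
                out.add("chain[" + e.index + "] expired at " + e.notAfter);
            }
        }
        return out;
    }

    public static void main(String[] args) throws ParseException {
        List<Entry> chain = parse(SAMPLE);
        // Constructed clock settings: one before and one after the chain[1] expiry.
        String[] clocks = {"Thu Dec 30 12:00:00 PST 1999", "Tue Jan 04 12:00:00 PST 2000"};
        for (String c : clocks) {
            List<String> f = findings(chain, parseDate(c));
            System.out.println("clock = " + c + " -> "
                + (f.isEmpty() ? "all parsed entries within validity" : f));
        }
    }
}
```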
Name: sg39081 Date: 01/04/2000
This exception is the same as Bug Id 4283025 which closed as not a bug.
However, this example works fine for a 1999 date and does not work for
a Year 2000 date.
java version "1.2.2"
Classic VM (build JDK-1.2.2-W, native threads, symcjit)
When running the URLReaderWithOptions example jsse program with the command
line:
C:\jdk1.2.2\jsse1.0\samples\urls>java -classpath .;jcert.jar;jnet.jar;jsse.jar URLReaderWithOptions -k com.sun.net.ssl.internal.www.protocol -h proxy.cat.com -p 80
When run with the client's date set to Jan 4, 2000, the program crashes with
the following SSLException:
Exception in thread "main" javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
at java.io.OutputStream.write(OutputStream.java:65)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.NetworkClient.openServer([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpClient.d([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.https.HttpsClient.New([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
at java.net.URL.openStream(URL.java:818)
at URLReaderWithOptions.main(URLReaderWithOptions.java, Compiled Code)
When the client's computer date is set to Dec. 31, 1999, verisign's html code
is displayed on the client without any exceptions.
The verisign home page certificate is valid through July of 2000.
I initially found this bug in some of my own code that downloads files from an
https secure server inside a firewall that exhibits the exact same bug as the
Sun example.
(Review ID: 99554)
======================================================================
Name: skT88420 Date: 01/04/2000
java version "1.2.2"
HotSpot VM (1.0.1, mixed mode, build g)
The HTTPS URLReader sample program worked until 1/1/2000. Same program now
produces an untrusted cert chain exception. Setting the PC clock back to any
date in December 1999, the sample program works fine.
The problem could be either a Root CA expiration, or a problem within the
JSSE. Other programs we have written using the JSSE are also failing after
12/31/99.
(Review ID: 99564)
======================================================================
Name: skT88420 Date: 01/05/2000
java version "1.2.2"
Classic VM (build JDK-1.2.2-W, native threads, symcjit)
System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
URL uIWF = new URL(strValue);
java.net.HttpURLConnection uConn = (java.net.HttpURLConnection) uIWF.openConnection();
Then we get the error message:
> Exception while sending notification :
> javax.net.ssl.SSLException: untrusted
> server cert chain
This only happens when the computer's clock is set to the present date (year
2000).
When we switch it back to 1999 it works OK.
Thanks for your help,
vincent
(Review ID: 99639)
======================================================================
Name: skT88420 Date: 01/05/2000
java version "1.2.2 Symc"
[ Code snippet moved to attachments... wetmore ]
java.net.SocketException: SSL implementation not available
at javax.net.ssl.DefaultSSLSocketFactory.createSocket([DashoPro-V1.2-120198])
[ much of traceback moved to attachments... wetmore ]
at symantec.tools.debug.Agent.runMain(Native Method)
at symantec.tools.debug.MainThread.run(Agent.java:48)
[
bradford.wetmore@eng, the RE for this bug writes:
I am 99% sure this part of the report is due to a problem that Symantec
had with VisualCafe using Java2. In it, they shipped a
$JAVA_HOME/lib/security/cacerts file that was corrupt, or
was in a format that wasn't called out correctly in their
$JAVA_HOME/lib/security/java.security file.
We have contacted Symantec to let them
know about the problem. The workaround is to put a valid
cacerts file into place. You can get one from Sun's JDK distribution.
]
======================================================================
Name: skT88420 Date: 01/07/2000
Classic VM (build JDK-1.2.2-001, native threads, symcjit)
The following program produces an unexpected exception:
java.net.SocketException: SSL implementation not available
[ code snippet moved to attachment... wetmore ]
[
bradford.wetmore@eng, the RE for this bug writes:
Without more information, this one is probably due
to a configuration error. If your
provider was not installed into the java.security file correctly,
or wasn't dynamically added (the above source doesn't indicate
this), you will get the error "SSL Implementation not available".
I'll assume this is a red herring to the underlying bug,
unless I hear otherwise.
]
======================================================================
Name: skT88420 Date: 01/10/2000
java version "1.2.1"
Solaris VM (build Solaris_JDK_1.2.1_04, native threads, sunwjit)
I wrote a simple client program using JSSE, as follows:
-----------------------------------------------------------------------------
import java.io.*;
import java.net.*;
import java.security.*;
import javax.net.ssl.*;
public class Client {
    public static void main(String[] args) {
        try {
            Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
            SSLSocketFactory ssf = (SSLSocketFactory)SSLSocketFactory.getDefault();
            SSLSocket ss = (SSLSocket)ssf.createSocket("localhost", 10917);
            BufferedReader br =
                new BufferedReader(new InputStreamReader(ss.getInputStream()));
            System.out.println(br.readLine());
            ss.close();
        } catch(Exception e) { e.printStackTrace(); }
    }
}
-----------------------------------------------------------------------------
This program can be compiled without errors. But when I executed the Client,
the following exception occurred.
-----------------------------------------------------------------------------
java.net.SocketException: SSL implementation not available
at java.lang.Throwable.fillInStackTrace(Native Method)
at java.lang.Throwable.<init>(Throwable.java:94)
at java.lang.Exception.<init>(Exception.java:42)
at java.io.IOException.<init>(IOException.java:47)
at java.net.SocketException.<init>(SocketException.java:36)
at javax.net.ssl.DefaultSSLSocketFactory.createSocket([DashoPro-V1.2-120198])
at Client.main(Client.java:11)
-----------------------------------------------------------------------------
This exception occurs with or without the accepting server process.
(Review ID: 99755)
======================================================================
Name: skT88420 Date: 01/12/2000
java version "1.2.2"
Classic VM (build JDK-1.2.2-W, native threads, symcjit)
An RSA certificate from VeriSign expired on 12/31/99 no longer causes the
Plug-in to display the security dialog. The applet runs as untrusted and there is no
way to tell the Plug-in to trust it.
The applet in question was signed by following the documentation provided at
http://java.sun.com/products/plugin/1.2/docs/nsobjsigning.html. VeriSign was
chosen as the certificate authority. Signtool 1.1 was originally used to sign
the JAR file. The signing worked until 12/31/99 at which time the root
certificate expired. Note that the certificate itself does not expire for
several more months.
VeriSign's solution is to get Signtool 1.3 from Netscape and re-sign the JAR
file. This updates the certificate. Although the JAR file is verified as signed
using Netscape's Signtool 1.3 it does not cause the Java Plug-in to display its
dialog which allows the user to run the applet as trusted.
(Review ID: 99883)
======================================================================
Additional information from customer: ###@###.###
I have found more information surrounding this bug. I changed my computer's
date a number of times to see what dates the program failed on.
When I tried to hit an https site with a certificate that was valid from
5/23/99 to 5/23/00, the program would not work until my computer's date was
set to 5/26/99. It failed on the 23, 24, and 25th. It also continues to fail at
any date in the year 2000. I've attached a screen shot of the certificate of
the site I was hitting. The bitmap has been added to the attachments.
sheri.good@Eng 2000-01-13
Name: skT88420 Date: 01/14/2000
java version "1.2.2"
Classic VM (build JDK-1.2.2-W, native threads, symcjit)
Please try running jsse1.0/samples/url/URLReaderWithOptions.class
You get the following exception stacktrace:
Exception in thread "main" javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at java.io.OutputStream.write(OutputStream.java:65)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
..................
..................
With debugging turned on, you get the following:
%% No cached client session
*** ClientHello, v3.1
RandomCookie: GMT: 947817405 bytes = { 86, 232, 208, 221, 99, 231, 86, 148, 169,
101, 29, 43, 123, 119, 213, 0, 18, 184, 28, 234, 245, 33, 140, 173, 232, 137,
219, 162 }
Session ID: {}
Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17 }
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 59
main, WRITE: SSL v3.1 Handshake, length = 59
[write] MD5 and SHA1 hashes: len = 77
main, WRITE: SSL v2, contentType = 22, translated length = 16310
main, READ: SSL v3.0 Handshake, length = 1312
*** ServerHello, v3.0
RandomCookie: GMT: 1003486232 bytes = { 91, 105, 221, 37, 110, 81, 176, 137, 242,
65, 43, 98, 184, 231, 56, 120, 218, 67, 179, 42, 18, 31, 130, 224, 219, 90, 253,
4 }
Session ID: {0, 0, 104, 18, 185, 168, 77, 2, 47, 191, 12, 32, 210, 250, 58, 7,
244, 42, 118, 15, 221, 86, 151, 97, 79, 232, 70, 218, 10, 77, 136, 104}
Cipher Suite: { 0, 4 }
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes: len = 74
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: CN=netbenefits.401k.com, OU=Terms of use at www.verisign.com/RPA (c)99,
OU=Firsco, O=Fidelity Investments, L=Marlboro, ST=Massachusetts, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@48ec3651
Validity: [From: Sun Nov 14 16:00:00 PST 1999,
To: Tue Dec 05 15:59:59 PST 2000]
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.",
C=US
SerialNumber: [ 48d36201 8d6e2e42 6542439a f7e28538 ]
]
Algorithm: [MD5withRSA]
Signature:
]
chain [1] = [
[
Version: V1
Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.",
C=US
Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@45983651
Validity: [From: Wed Nov 09 15:54:17 PST 1994,
To: Fri Dec 31 15:54:17 PST 1999]
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.",
C=US
SerialN
Relates to: JDK-4304940 Network test suite is not verifying X-mited certificates with those stored local (Closed)