-
Bug
-
Resolution: Fixed
-
P2
-
1.0.2
-
1.0.3
-
x86
-
linux, solaris
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-2110119 | 1.4.0 | Yingxian Wang | P2 | Closed | Fixed | beta3 |
clientmanager.Client.getServerProperties(Unknown Source)
at infoworkspace.security.authenticationui.AuthenticationClient.startAuthentication(Unknown Source)
at infoworkspace.security.authenticationui.AuthenticationClient.<init>(Unknown Source)
at infoworkspace.client.clientmanager.Client.logon(Unknown Source)
at infoworkspace.client.clientmanager.Client$3.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
TESTCASEEND
Name: krC82822 Date: 03/20/2001
java version "1.3.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0)
Java HotSpot(TM) Client VM (build 1.3.0, mixed mode)
The method X509TrustManager.isServerTrusted incorrectly rejects a server
certificate.
Running with debugging indicates the following error:
failed critical extension check: java.lang.Exception: Wrong key usage
main, SEND SSL v3.1 ALERT: fatal, description = certificate_unknown
main, WRITE: SSL v3.1 Alert, length = 2
The method requires that the certificate' s key usage, if present, includes
digitalSignature. Server certificates are not used for signing. They should
have keyEncipherment set as their key usage. This is stated in the TLS spec as
well as Netscape's certificate specification.
(Review ID: 119099)
======================================================================
ck.prasad@eng 2001-06-21
Customer Problem Description:
-----------------------------
One of our Department of Defense customers is currently having problems related to BugID 4427888. Their organization is serviced by a CA which issues X509 SSL Server certificates (server has an RSA key) with the following v3 extension:
[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_Encipherment
]
As BugID 4427888 correctly points out, JSSE 1.0.2 will not trust such a server even though every other trust criterion (eg: client trusts the server's root CA, dates are valid, subject and hostname matches, et cetera) is satisfied. Instead, JSSE requires digitalSignature in critical keyUsage extensions even though this usage is not required in either the SSL v3.0 protocol or the TLS v1.0 protocol.
We are expecting many other Department of Defense customers will run into the same difficulty as our current customer. For example, the attached newsgroup posting (at the end of this description) is from an individual in a completely different organization and with a different CA than our customer. Even so, he is having the same problem. As such, requesting our current and future customers to modify their CA policies is not feasible, especially when their policies conform to the requirements of RFC 2246, para. 7.4.2.
=-=-=-=-= BEGIN comp.lang.java.security posting =-=-=-=-=
Thread Title: "Using https in java application"
Post Date: 2001-03-20
URL: http://groups.google.com/groups?hl=en&lr=&safe=off&ic=1&th=b54b0db7567815f1,3&seekm=00000008.58e87553%40usw-ex0108-192.remarq.com#p
I am attempting to connect to a web server that is using https
and http authentication. The particular URL I am trying to
connect to returns an XML document. I have successfully
established a connection to this server using IE. Once connected
in IE, I selected the lock icon and added the certificate
associated with the URL to IEs certificates.
I have attempted to export this certificate in both Base64 and
Binary X509 format and added it to my local .keystore using
keytool. Unfortunately when I try to connect to this site from a
Java application I get the following error:
failed critical extension check: java.lang.Exception: Wrong key usage
main, SEND SSL v3.0 ALERT: fatal, description = certificate_unknown
main, WRITE: SSL v3.0 Alert, length = 2
javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
at java.io.OutputStream.write(OutputStream.java:61)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:230)
at httpclient.URLReader.main(URLReader.java:69)
I have turned the debugging on for JSSE and I noticed that there
is a compliant about the certificate. Details below:
adding as trusted cert: [
[
Version: V3
Subject: CN=scwc17.scott.af.mil, OU=USAF, OU=PKI, OU=DoD, O=U.S. Government, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.rsajca.JSA_RSAPublicKey@67e89
Validity: [From: Mon Jun 26 18:12:46 EDT 2000,
To: Fri Jun 27 18:12:46 EDT 2003]
Issuer: CN=Med CA-2, OU=PKI, OU=DoD, O=U.S. Government, C=US
SerialNumber: [ 2458]
Certificate Extensions: 6
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 96 80 87 61 C4 88 5A A4 E2 A0 08 3A 0E 92 39
AD ...a..Z....:..9.
0010: A6 68 40 3C .h@<
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 09 BC 11 2B 3B 65 79 47 D6 73 63 DC 07 37 69
16 ...+;eyG.sc..7i.
0010: 34 CF 35 85 4.5.
]
]
[3]: ObjectId: 2.5.29.32 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 0F 30 0D 30 0B 06 09 60 86 48 01 65 02 01
0B ..0.0...`.H.e...
0010: 03
...
Notice the unknown DER encoded OCTET string message.
Any help on this problem would be greatly appreciated.
=-=-=-=-= END comp.lang.java.security posting =-=-=-=-=
TESTCASEBEGIN
Server: iPlanet Web Server 4.2 on Windows NT 4.0 SP6a
Client: JRE 1.2.2-006, JSSE 1.0.2, Windows 2000 SP1
jre\1.2\bin\java.exe -version
java version "1.2.2"
Classic VM (build JDK-1.2.2_006, native threads, symcjit)
With the above configuration, here is the client's JSSE debug at the initiation of the SSL session:
*** ClientHello, v3.1
RandomCookie: GMT: 993160553 bytes = { 68, 244, 215, 11, 190, 155, 41, 144, 99, 100, 51, 225, 114, 113, 69, 139, 181, 202, 250, 106, 129, 7, 202, 250, 13, 86, 15, 130 }
Session ID: {}
Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17 }
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 59
0000: 01 00 00 37 03 01 3B 32 6D 69 44 F4 D7 0B BE 9B ...7..;2miD.....
0010: 29 90 63 64 33 E1 72 71 45 8B B5 CA FA 6A 81 07 ).cd3.rqE....j..
0020: CA FA 0D 56 0F 82 00 00 10 00 05 00 04 00 09 00 ...V............
0030: 0A 00 12 00 13 00 03 00 11 01 00 ...........
Thread-0, WRITE: SSL v3.1 Handshake, length = 59
[write] MD5 and SHA1 hashes: len = 77
0000: 01 03 01 00 24 00 00 00 20 00 00 05 00 00 04 01 ....$... .......
0010: 00 80 00 00 09 06 00 40 00 00 0A 07 00 C0 00 00 .......@........
0020: 12 00 00 13 00 00 03 02 00 80 00 00 11 3B 32 6D .............;2m
0030: 69 44 F4 D7 0B BE 9B 29 90 63 64 33 E1 72 71 45 iD.....).cd3.rqE
0040: 8B B5 CA FA 6A 81 07 CA FA 0D 56 0F 82 ....j.....V..
Thread-0, WRITE: SSL v2, contentType = 22, translated length = 16310
Thread-0, READ: SSL v3.0 Handshake, length = 921
*** ServerHello, v3.0
RandomCookie: GMT: -14136 bytes = { 253, 117, 61, 231, 180, 109, 170, 175, 176, 148, 88, 197, 137, 35, 155, 38, 76, 37, 145, 203, 228, 204, 192, 114, 252, 112, 5, 175 }
Session ID: {0, 0, 163, 85, 114, 229, 170, 82, 83, 0, 135, 213, 127, 160, 204, 33, 60, 161, 163, 124, 158, 29, 79, 252, 244, 28, 174, 129, 187, 136, 55, 10}
Cipher Suite: { 0, 4 }
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes: len = 74
0000: 02 00 00 46 03 00 00 00 C9 C8 FD 75 3D E7 B4 6D ...F.......u=..m
0010: AA AF B0 94 58 C5 89 23 9B 26 4C 25 91 CB E4 CC ....X..#.&L%....
0020: C0 72 FC 70 05 AF 20 00 00 A3 55 72 E5 AA 52 53 .r.p.. ...Ur..RS
0030: 00 87 D5 7F A0 CC 21 3C A1 A3 7C 9E 1D 4F FC F4 ......!<.....O..
0040: 1C AE 81 BB 88 37 0A 00 04 00 .....7....
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=barrett2.cs.gd-es.com, OU=Engineering, O=Ezenia!, L=Colorado Springs, ST=Colorado, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@6ccc2da6
Validity: [From: Wed Jun 20 12:00:56 MDT 2001,
To: Thu Jun 20 12:00:56 MDT 2002]
Issuer: CN=IWS Development CA, O=cs.gd-es.com, L=Colorado Springs, ST=Colorado, C=US
SerialNumber: [ 3b]
Certificate Extensions: 5
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 DF 5E 7B A4 D1 92 66 63 F0 25 C8 5D B4 28 A5 ..^....fc.%.].(.
0010: F7 79 EE EF .y..
]
]
[2]: ObjectId: 2.5.29.32 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 32 30 30 30 2E 06 03 55 04 19 30 27 30 17 06 .2000...U..0'0..
0010: 08 2B 06 01 05 05 07 02 02 30 0B 30 07 16 00 30 .+.......0.0...0
0020: 03 02 01 01 1A 00 30 0C 06 08 2B 06 01 05 05 07 ......0...+.....
0030: 02 01 16 00 ....
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 07 5A F4 1F 96 F1 3B 65 0A FA 9E DD BA 38 7E 11 .Z....;e.....8..
0010: 68 93 D0 40 h..@
]
]
[4]: ObjectId: 2.5.29.31 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 3C 30 3A 30 38 A0 36 A0 34 86 32 68 74 74 70 .<0:08.6.4.2http
0010: 3A 2F 2F 73 74 69 6D 65 2E 63 73 2E 67 64 2D 65 ://stime.cs.gd-e
0020: 73 2E 63 6F 6D 3A 31 30 30 30 37 2F 63 6F 6D 65 s.com:10007/come
0030: 47 65 74 59 65 72 43 52 4C 73 48 65 72 65 GetYerCRLsHere
[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_Encipherment
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 42 20 BA E2 16 D5 7F 00 05 A6 A8 63 75 38 73 81 B .........cu8s.
0010: 22 FC 5C 47 54 24 A7 2C 78 BB 0A 97 34 CD 26 C7 ".\GT$.,x...4.&.
0020: 1E 02 F4 BD 0E DF 20 87 BF 3F 50 7E CD 4F B4 3D ...... ..?P..O.=
0030: 6C 5F AB 3E 30 CC 07 0D 5C 0D 5E 8D 42 7A DE BC l_.>0...\.^.Bz..
0040: 95 6E E0 E3 EE AA 35 D2 9B 35 46 73 31 1A F8 AF .n....5..5Fs1...
0050: 95 F1 6A 63 88 B1 34 38 CE FD 9E 30 D5 6F 41 58 ..jc..48...0.oAX
0060: A8 B3 91 EF D1 77 9C 32 48 9F 06 BB 2C 0D A7 57 .....w.2H...,..W
0070: 69 90 41 1C 10 C8 DC AB B5 12 81 17 73 1E 28 35 i.A.........s.(5
]
***
add missing root cert: [
[
Version: V3
Subject: CN=IWS Development CA, O=cs.gd-es.com, L=Colorado Springs, ST=Colorado, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@12002da6
Validity: [From: Thu Dec 07 00:00:00 MST 2000,
To: Tue Dec 07 00:00:00 MST 2032]
Issuer: CN=IWS Development CA, O=cs.gd-es.com, L=Colorado Springs, ST=Colorado, C=US
SerialNumber: [ 01]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 07 5A F4 1F 96 F1 3B 65 0A FA 9E DD BA 38 7E 11 .Z....;e.....8..
0010: 68 93 D0 40 h..@
]
]
[2]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL CA
S/MIME CA
Object Signing CA]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 07 5A F4 1F 96 F1 3B 65 0A FA 9E DD BA 38 7E 11 .Z....;e.....8..
0010: 68 93 D0 40 h..@
]
]
[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: undefined
]
]
Algorithm: [MD5withRSA]
Signature:
0000: 4D 27 C8 51 99 07 0B 6E 4C F1 FF 4B F1 AB 98 DD M'.Q...nL..K....
0010: 67 4C C3 C1 18 36 3D FF F1 91 9D E9 8C 1D 16 DB gL...6=.........
0020: B6 7D 7B 23 A3 2E 06 53 B1 8A B0 F2 0D 63 42 D7 ...#...S.....cB.
0030: 85 26 6C D3 5D CD D5 8A 80 FC 97 D3 1B 40 E7 FB .&l.]........@..
0040: C8 29 0C 7A 70 D2 7C AF 35 C7 A0 07 AB A9 C8 E9 .).zp...5.......
0050: 86 5A 1C 05 56 4F 37 D2 62 5E 27 76 E8 18 52 DB .Z..VO7.b^'v..R.
0060: F1 E8 0B D6 8A FF E1 54 C5 06 0B 82 D3 8E 8F 71 .......T.......q
0070: F3 C1 AD 5E E7 25 3F C5 FE 55 BD 52 C2 7A AD A0 ...^.%?..U.R.z..
]
failed critical extension check: java.lang.Exception: Wrong key usage
Thread-0, SEND SSL v3.0 ALERT: fatal, description = certificate_unknown
Thread-0, WRITE: SSL v3.0 Alert, length = 2
javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
at java.io.OutputStream.write(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at infoworkspace.util.Parameters.load(Unknown Source)
at infoworkspace.client.ServerProperties.<init>(Unknown Source)
at infoworkspace.client.ClientConfiguration.getServerProperties(Unknown Source)
at infoworkspace.client.
at infoworkspace.security.authenticationui.AuthenticationClient.startAuthentication(Unknown Source)
at infoworkspace.security.authenticationui.AuthenticationClient.<init>(Unknown Source)
at infoworkspace.client.clientmanager.Client.logon(Unknown Source)
at infoworkspace.client.clientmanager.Client$3.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
TESTCASEEND
Name: krC82822 Date: 03/20/2001
java version "1.3.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0)
Java HotSpot(TM) Client VM (build 1.3.0, mixed mode)
The method X509TrustManager.isServerTrusted incorrectly rejects a server
certificate.
Running with debugging indicates the following error:
failed critical extension check: java.lang.Exception: Wrong key usage
main, SEND SSL v3.1 ALERT: fatal, description = certificate_unknown
main, WRITE: SSL v3.1 Alert, length = 2
The method requires that the certificate' s key usage, if present, includes
digitalSignature. Server certificates are not used for signing. They should
have keyEncipherment set as their key usage. This is stated in the TLS spec as
well as Netscape's certificate specification.
(Review ID: 119099)
======================================================================
ck.prasad@eng 2001-06-21
Customer Problem Description:
-----------------------------
One of our Department of Defense customers is currently having problems related to BugID 4427888. Their organization is serviced by a CA which issues X509 SSL Server certificates (server has an RSA key) with the following v3 extension:
[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_Encipherment
]
As BugID 4427888 correctly points out, JSSE 1.0.2 will not trust such a server even though every other trust criterion (eg: client trusts the server's root CA, dates are valid, subject and hostname matches, et cetera) is satisfied. Instead, JSSE requires digitalSignature in critical keyUsage extensions even though this usage is not required in either the SSL v3.0 protocol or the TLS v1.0 protocol.
We are expecting many other Department of Defense customers will run into the same difficulty as our current customer. For example, the attached newsgroup posting (at the end of this description) is from an individual in a completely different organization and with a different CA than our customer. Even so, he is having the same problem. As such, requesting our current and future customers to modify their CA policies is not feasible, especially when their policies conform to the requirements of RFC 2246, para. 7.4.2.
=-=-=-=-= BEGIN comp.lang.java.security posting =-=-=-=-=
Thread Title: "Using https in java application"
Post Date: 2001-03-20
URL: http://groups.google.com/groups?hl=en&lr=&safe=off&ic=1&th=b54b0db7567815f1,3&seekm=00000008.58e87553%40usw-ex0108-192.remarq.com#p
I am attempting to connect to a web server that is using https
and http authentication. The particular URL I am trying to
connect to returns an XML document. I have successfully
established a connection to this server using IE. Once connected
in IE, I selected the lock icon and added the certificate
associated with the URL to IEs certificates.
I have attempted to export this certificate in both Base64 and
Binary X509 format and added it to my local .keystore using
keytool. Unfortunately when I try to connect to this site from a
Java application I get the following error:
failed critical extension check: java.lang.Exception: Wrong key usage
main, SEND SSL v3.0 ALERT: fatal, description = certificate_unknown
main, WRITE: SSL v3.0 Alert, length = 2
javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
at java.io.OutputStream.write(OutputStream.java:61)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:230)
at httpclient.URLReader.main(URLReader.java:69)
I have turned the debugging on for JSSE and I noticed that there
is a compliant about the certificate. Details below:
adding as trusted cert: [
[
Version: V3
Subject: CN=scwc17.scott.af.mil, OU=USAF, OU=PKI, OU=DoD, O=U.S. Government, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.rsajca.JSA_RSAPublicKey@67e89
Validity: [From: Mon Jun 26 18:12:46 EDT 2000,
To: Fri Jun 27 18:12:46 EDT 2003]
Issuer: CN=Med CA-2, OU=PKI, OU=DoD, O=U.S. Government, C=US
SerialNumber: [ 2458]
Certificate Extensions: 6
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 96 80 87 61 C4 88 5A A4 E2 A0 08 3A 0E 92 39
AD ...a..Z....:..9.
0010: A6 68 40 3C .h@<
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 09 BC 11 2B 3B 65 79 47 D6 73 63 DC 07 37 69
16 ...+;eyG.sc..7i.
0010: 34 CF 35 85 4.5.
]
]
[3]: ObjectId: 2.5.29.32 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 0F 30 0D 30 0B 06 09 60 86 48 01 65 02 01
0B ..0.0...`.H.e...
0010: 03
...
Notice the unknown DER encoded OCTET string message.
Any help on this problem would be greatly appreciated.
=-=-=-=-= END comp.lang.java.security posting =-=-=-=-=
TESTCASEBEGIN
Server: iPlanet Web Server 4.2 on Windows NT 4.0 SP6a
Client: JRE 1.2.2-006, JSSE 1.0.2, Windows 2000 SP1
jre\1.2\bin\java.exe -version
java version "1.2.2"
Classic VM (build JDK-1.2.2_006, native threads, symcjit)
With the above configuration, here is the client's JSSE debug at the initiation of the SSL session:
*** ClientHello, v3.1
RandomCookie: GMT: 993160553 bytes = { 68, 244, 215, 11, 190, 155, 41, 144, 99, 100, 51, 225, 114, 113, 69, 139, 181, 202, 250, 106, 129, 7, 202, 250, 13, 86, 15, 130 }
Session ID: {}
Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17 }
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 59
0000: 01 00 00 37 03 01 3B 32 6D 69 44 F4 D7 0B BE 9B ...7..;2miD.....
0010: 29 90 63 64 33 E1 72 71 45 8B B5 CA FA 6A 81 07 ).cd3.rqE....j..
0020: CA FA 0D 56 0F 82 00 00 10 00 05 00 04 00 09 00 ...V............
0030: 0A 00 12 00 13 00 03 00 11 01 00 ...........
Thread-0, WRITE: SSL v3.1 Handshake, length = 59
[write] MD5 and SHA1 hashes: len = 77
0000: 01 03 01 00 24 00 00 00 20 00 00 05 00 00 04 01 ....$... .......
0010: 00 80 00 00 09 06 00 40 00 00 0A 07 00 C0 00 00 .......@........
0020: 12 00 00 13 00 00 03 02 00 80 00 00 11 3B 32 6D .............;2m
0030: 69 44 F4 D7 0B BE 9B 29 90 63 64 33 E1 72 71 45 iD.....).cd3.rqE
0040: 8B B5 CA FA 6A 81 07 CA FA 0D 56 0F 82 ....j.....V..
Thread-0, WRITE: SSL v2, contentType = 22, translated length = 16310
Thread-0, READ: SSL v3.0 Handshake, length = 921
*** ServerHello, v3.0
RandomCookie: GMT: -14136 bytes = { 253, 117, 61, 231, 180, 109, 170, 175, 176, 148, 88, 197, 137, 35, 155, 38, 76, 37, 145, 203, 228, 204, 192, 114, 252, 112, 5, 175 }
Session ID: {0, 0, 163, 85, 114, 229, 170, 82, 83, 0, 135, 213, 127, 160, 204, 33, 60, 161, 163, 124, 158, 29, 79, 252, 244, 28, 174, 129, 187, 136, 55, 10}
Cipher Suite: { 0, 4 }
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes: len = 74
0000: 02 00 00 46 03 00 00 00 C9 C8 FD 75 3D E7 B4 6D ...F.......u=..m
0010: AA AF B0 94 58 C5 89 23 9B 26 4C 25 91 CB E4 CC ....X..#.&L%....
0020: C0 72 FC 70 05 AF 20 00 00 A3 55 72 E5 AA 52 53 .r.p.. ...Ur..RS
0030: 00 87 D5 7F A0 CC 21 3C A1 A3 7C 9E 1D 4F FC F4 ......!<.....O..
0040: 1C AE 81 BB 88 37 0A 00 04 00 .....7....
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=barrett2.cs.gd-es.com, OU=Engineering, O=Ezenia!, L=Colorado Springs, ST=Colorado, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@6ccc2da6
Validity: [From: Wed Jun 20 12:00:56 MDT 2001,
To: Thu Jun 20 12:00:56 MDT 2002]
Issuer: CN=IWS Development CA, O=cs.gd-es.com, L=Colorado Springs, ST=Colorado, C=US
SerialNumber: [ 3b]
Certificate Extensions: 5
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 DF 5E 7B A4 D1 92 66 63 F0 25 C8 5D B4 28 A5 ..^....fc.%.].(.
0010: F7 79 EE EF .y..
]
]
[2]: ObjectId: 2.5.29.32 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 32 30 30 30 2E 06 03 55 04 19 30 27 30 17 06 .2000...U..0'0..
0010: 08 2B 06 01 05 05 07 02 02 30 0B 30 07 16 00 30 .+.......0.0...0
0020: 03 02 01 01 1A 00 30 0C 06 08 2B 06 01 05 05 07 ......0...+.....
0030: 02 01 16 00 ....
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 07 5A F4 1F 96 F1 3B 65 0A FA 9E DD BA 38 7E 11 .Z....;e.....8..
0010: 68 93 D0 40 h..@
]
]
[4]: ObjectId: 2.5.29.31 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 3C 30 3A 30 38 A0 36 A0 34 86 32 68 74 74 70 .<0:08.6.4.2http
0010: 3A 2F 2F 73 74 69 6D 65 2E 63 73 2E 67 64 2D 65 ://stime.cs.gd-e
0020: 73 2E 63 6F 6D 3A 31 30 30 30 37 2F 63 6F 6D 65 s.com:10007/come
0030: 47 65 74 59 65 72 43 52 4C 73 48 65 72 65 GetYerCRLsHere
[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_Encipherment
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 42 20 BA E2 16 D5 7F 00 05 A6 A8 63 75 38 73 81 B .........cu8s.
0010: 22 FC 5C 47 54 24 A7 2C 78 BB 0A 97 34 CD 26 C7 ".\GT$.,x...4.&.
0020: 1E 02 F4 BD 0E DF 20 87 BF 3F 50 7E CD 4F B4 3D ...... ..?P..O.=
0030: 6C 5F AB 3E 30 CC 07 0D 5C 0D 5E 8D 42 7A DE BC l_.>0...\.^.Bz..
0040: 95 6E E0 E3 EE AA 35 D2 9B 35 46 73 31 1A F8 AF .n....5..5Fs1...
0050: 95 F1 6A 63 88 B1 34 38 CE FD 9E 30 D5 6F 41 58 ..jc..48...0.oAX
0060: A8 B3 91 EF D1 77 9C 32 48 9F 06 BB 2C 0D A7 57 .....w.2H...,..W
0070: 69 90 41 1C 10 C8 DC AB B5 12 81 17 73 1E 28 35 i.A.........s.(5
]
***
add missing root cert: [
[
Version: V3
Subject: CN=IWS Development CA, O=cs.gd-es.com, L=Colorado Springs, ST=Colorado, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@12002da6
Validity: [From: Thu Dec 07 00:00:00 MST 2000,
To: Tue Dec 07 00:00:00 MST 2032]
Issuer: CN=IWS Development CA, O=cs.gd-es.com, L=Colorado Springs, ST=Colorado, C=US
SerialNumber: [ 01]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 07 5A F4 1F 96 F1 3B 65 0A FA 9E DD BA 38 7E 11 .Z....;e.....8..
0010: 68 93 D0 40 h..@
]
]
[2]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL CA
S/MIME CA
Object Signing CA]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 07 5A F4 1F 96 F1 3B 65 0A FA 9E DD BA 38 7E 11 .Z....;e.....8..
0010: 68 93 D0 40 h..@
]
]
[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: undefined
]
]
Algorithm: [MD5withRSA]
Signature:
0000: 4D 27 C8 51 99 07 0B 6E 4C F1 FF 4B F1 AB 98 DD M'.Q...nL..K....
0010: 67 4C C3 C1 18 36 3D FF F1 91 9D E9 8C 1D 16 DB gL...6=.........
0020: B6 7D 7B 23 A3 2E 06 53 B1 8A B0 F2 0D 63 42 D7 ...#...S.....cB.
0030: 85 26 6C D3 5D CD D5 8A 80 FC 97 D3 1B 40 E7 FB .&l.]........@..
0040: C8 29 0C 7A 70 D2 7C AF 35 C7 A0 07 AB A9 C8 E9 .).zp...5.......
0050: 86 5A 1C 05 56 4F 37 D2 62 5E 27 76 E8 18 52 DB .Z..VO7.b^'v..R.
0060: F1 E8 0B D6 8A FF E1 54 C5 06 0B 82 D3 8E 8F 71 .......T.......q
0070: F3 C1 AD 5E E7 25 3F C5 FE 55 BD 52 C2 7A AD A0 ...^.%?..U.R.z..
]
failed critical extension check: java.lang.Exception: Wrong key usage
Thread-0, SEND SSL v3.0 ALERT: fatal, description = certificate_unknown
Thread-0, WRITE: SSL v3.0 Alert, length = 2
javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
at java.io.OutputStream.write(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at infoworkspace.util.Parameters.load(Unknown Source)
at infoworkspace.client.ServerProperties.<init>(Unknown Source)
at infoworkspace.client.ClientConfiguration.getServerProperties(Unknown Source)
at infoworkspace.client.
- backported by
-
JDK-2110119 Incorrect key usage check for server certificates
-
- Closed
-