[Novalug] Java 7 SSL problem (self-signed CA + certs)
Dan Lavu
dan@lavu.net
Wed Nov 21 08:48:33 EST 2012
I haven't had time to really look at this, but are you using the -trustcacerts flag when importing your CA cert?
On Nov 20, 2012, at 5:34 PM, rarob@travelinglightfarm.net wrote:
> Time to cry "UNCLE!"
> I've been pulling my hair out trying to figure out why my app works with
> Java 6 (both openjdk and Oracle) but not Java 7. My app has two pieces,
> a webside (Groovy/Grails under Tomcat 6) and an Agent side (C++ with
> gSOAP). We're using a self-signed CA to sign certs for both sides.
> Both sides act as server/client, but we're using mutual authentication
> only when the webside is connecting to the Agent side. This is
> partially because we're using the same port for browsers to talk with
> the webside as well as the Agent to return results.
> Things work under Java 1.6, but when I try using Java 1.7 the webside is
> unable to connect to the Agent side. Instead we get an exception about
> "Path does not chain with any of the trust anchors". I've verified that
> the problem is limited to the mutual authentication step only. The
> Agent can connect just fine to the webapp. If I use 'openssl s_client'
> with the appropriate cert/key/CAfile to just connect with the Agent all
> is well also.
>
> I've reduced the problems down to a simple example replicating the
> problem, and have attached that tarball. The directory has a Java
> client (based on the EchoClient code from
> http://stilius.net/java/java_ssl.php), and a dirt simple python server
> side (cobbled together looking at several on-line tutorials), and a
> simple script that replicates how we generate the SSL certificates.
> Note the python side requires python 2.6 to use the ssl module. There
> is a readme file on how to run the tests. The setVars.sh file can be
> used to alter the Java version, but the server.py and EchoClient.java
> files need to be altered to change the ip address and port numbers used
> (127.0.0.1 and 8765 by default).
>
> I would appreciate any and all who are willing to look at my example and
> tell me if I'm doing something wrong. My google-fu seems to be lacking
> in finding a solution. Most of the solutions say to import the CAfile
> into my truststore, but I've done that. I've seen one website that
> sounds almost exactly like this problem, but the solution of
> changing the keyUsage field in the openssl.cnf file did not work
> (http://stackoverflow.com/questions/11153058/java7-refusing-to-trust-certificate-in-trust-store).
>
> I'm seeing this behavior under Fedora 12, RHEL5.8, RHEL6, using several
> different versions of the Java 1.6 SDK from Oracle.
> <SSL_problem2.tgz>
> _______________________________________________
> Novalug mailing list
> Novalug@calypso.tux.org
> http://calypso.tux.org/mailman/listinfo/novalug
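Both the suggestion above and the original description come down to one question: is the CA certificate sitting in the truststore really the issuer of the certificate the other side presents? The script below is an added example, not the tarball from the post and not a command from either participant. It generates a self-signed CA with the X.509v3 extensions a strict path validator expects on a trust anchor, signs an "agent" and a "webside" certificate with it, verifies each chain with openssl before anything is imported into Java, and then builds a second CA with the same name but a fresh key to show why matching the issuer DN alone proves nothing. The names (agent.example.test, webside.example.test, the alias testca, the WORK scratch directory) are assumptions for the example; it needs openssl, and the keytool import at the end runs only if keytool is on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a self-signed CA with
# proper CA extensions, signs two leaf certs, and checks the chain with openssl
# before the CA is imported into a Java truststore. All names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # hypothetical scratch directory
CNF="$WORK/pki.cnf"

# One config serves the CA (req -x509 uses v3_ca) and the leaves (x509 -req
# -extensions v3_leaf). A trust anchor without CA:TRUE / keyCertSign is a
# classic reason for a path validator to reject an otherwise valid chain.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = v3_ca

[ req_dn ]
CN = Example Test CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_ca PREFIX: self-signed CA as PREFIX.key / PREFIX.crt
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -sha256 \
        -config "$CNF" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# make_leaf PREFIX CN CAPREFIX: key + CSR, then sign with the CA using v3_leaf
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -config "$CNF" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$CNF" -extensions v3_leaf -out "$1.crt" 2>/dev/null
}

# chains_to ANCHOR LEAF: succeeds only if LEAF validates against ANCHOR
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# names_match ANCHOR LEAF: the weaker check, leaf issuer DN == anchor subject DN
names_match() {
    [ "$(openssl x509 -noout -issuer_hash -in "$2")" = \
      "$(openssl x509 -noout -subject_hash -in "$1")" ]
}

# is_ca CERT: does the cert carry basicConstraints CA:TRUE?
is_ca() { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }

# ski CERT / aki CERT: Subject / Authority Key Identifier as colon-separated hex
# (handles both the "keyid:" prefixed form and the bare OpenSSL 3 form)
ski() { openssl x509 -noout -text -in "$1" |
    awk '/Subject Key Identifier/ { getline; gsub(/[ \t]/, ""); print; exit }'; }
aki() { openssl x509 -noout -text -in "$1" |
    awk '/Authority Key Identifier/ { getline; gsub(/[ \t]/, ""); sub(/^keyid:/, ""); print; exit }'; }

make_ca   "$WORK/ca"
make_leaf "$WORK/agent"   "agent.example.test"   "$WORK/ca"
make_leaf "$WORK/webside" "webside.example.test" "$WORK/ca"
# Same subject name, new key: stands in for a CA that was regenerated after the
# leaves were issued, or a stale copy of the CA cert left in a truststore.
make_ca   "$WORK/stale-ca"

yn() { "$@" && echo yes || echo no; }
echo "ca.crt is a CA:                 $(yn is_ca "$WORK/ca.crt")"
echo "agent   chains to ca.crt:       $(yn chains_to "$WORK/ca.crt" "$WORK/agent.crt")"
echo "webside chains to ca.crt:       $(yn chains_to "$WORK/ca.crt" "$WORK/webside.crt")"
echo "agent   chains to stale-ca.crt: $(yn chains_to "$WORK/stale-ca.crt" "$WORK/agent.crt")"
echo "stale-ca name matches issuer:   $(yn names_match "$WORK/stale-ca.crt" "$WORK/agent.crt")"
echo "ca SKI == agent AKI:            $(yn test "$(ski "$WORK/ca.crt")" = "$(aki "$WORK/agent.crt")")"

# Only once the checks above pass is the anchor worth importing. keytool is
# optional here so the script still runs on a box without a JDK.
if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -noprompt -trustcacerts -alias testca -file "$WORK/ca.crt" \
        -keystore "$WORK/truststore.jks" -storepass changeit >/dev/null 2>&1 \
        || echo "keytool import failed"
    keytool -list -keystore "$WORK/truststore.jks" -storepass changeit 2>/dev/null \
        | grep -i testca || true
fi
```

The "stale-ca" lines are the point: `names_match` says yes while `chains_to` says no, which is exactly the situation that produces a "does not chain with any of the trust anchors" style failure even though "the CA is in the truststore". Comparing the anchor's Subject Key Identifier with the leaf's Authority Key Identifier is the quickest way to tell a renamed-but-wrong CA from the real one; when they differ, re-import the CA cert that actually signed the leaves rather than changing keyUsage settings.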