[Novalug] Java 7 SSL problem (self-signed CA + certs)

Dan Lavu dan@lavu.net
Wed Nov 21 08:48:33 EST 2012


I haven't had time to really look at this, but are you using the -trustcacert flag when importing your CA cert?

On Nov 20, 2012, at 5:34 PM, rarob@travelinglightfarm.net wrote:

> Time to cry "UNCLE!"
>  I've been pulling my hair out trying to figure out why my app works with
> Java 6 (both openjdk and Oracle) but not Java 7.  My app has two pieces,
> a webside (Groovy/Grails under Tomcat 6) and an Agent side (C++ with
> gSOAP).  We're using a self-signed CA to sign certs for both sides. 
> Both sides act as server/client, but we're using mutual authentication
> only when the webside is connecting to the Agent side.  This is
> partially because we're using the same port for browsers to talk with
> the webside as well as the Agent to return results.
>  Things work under Java 1.6, but when I try using Java 1.7 the webside is
> unable to connect to the Agent side.  Instead we get an exception about
> "Path does not chain with any of the trust anchors".  I've verified that
> the problem is limited to the mutual authentication step only.  The
> Agent can connect just fine to the webapp.  If I use 'openssl s_client'
> with the appropriate cert/key/CAfile to just connect with the Agent all
> is well also.
> 
>  I've reduced the problems down to a simple example replicating the
> problem, and have attached that tarball.  The directory has a Java
> client (based on the EchoClient code from
> http://stilius.net/java/java_ssl.php), and a dirt simple python server
> side (cobbled together looking at several on-line tutorials), and a
> simple script that replicates how we generate the SSL certificates. 
> Note the python side requires python 2.6 to use the ssl module.  There
> is a readme file on how to run the tests.  The setVars.sh file can be
> used to alter the Java version, but the server.py and EchoClient.java
> files need to be altered to change the IP address and port numbers used
> (127.0.0.1 and 8765 by default).
> 
>  I would appreciate any and all who are willing to look at my example and
> tell me if I'm doing something wrong.  My google-fu seems to be lacking
> in finding a solution.  Most of the solutions say to import the CAfile
> into my truststore, but I've done that.  I've seen one website
> that sounds almost exactly like this problem, but the solution of
> changing the keyUsage field in the openssl.cnf file did not work
> (http://stackoverflow.com/questions/11153058/java7-refusing-to-trust-certificate-in-trust-store).
> 
>  I'm seeing this behavior under Fedora 12, RHEL5.8, RHEL6, using several
> different versions of the Java 1.6 SDK from Oracle.
> <SSL_problem2.tgz>
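The script and the keytool steps below are an added example, not the poster's attached tarball (whose contents are not on this page) and not anything Dan ran. It shows the two things worth ruling out first when a chain that `openssl s_client` accepts is rejected by a Java truststore: that the CA certificate actually asserts the attributes RFC 5280 requires of a CA (basicConstraints CA:TRUE, keyUsage keyCertSign), and that the CA import into the JKS truststore was done with keytool's `-trustcacerts`. It builds a self-signed CA with explicit CA extensions, signs one certificate per side, checks each leaf's chain with OpenSSL's own validator, and, when a JDK is on the PATH, imports the CA into a truststore and packages the webside key pair as PKCS#12 for the JVM's mutual-auth keystore. The CA name, the `webside`/`agent` aliases, the `changeit` password, the 30-day validity and the temp directory are all assumptions.

```shell
#!/bin/sh
# Added example: a reproducible CA + leaf certificate setup with the checks a
# practitioner would run before blaming the JVM. Every name, path, password and
# validity period below is an assumption, not taken from the thread's tarball.
set -eu

WORK=${WORK:-$(mktemp -d)}

# OpenSSL config shared by all commands: the CA section asserts the attributes
# RFC 5280 requires of a CA certificate (CA:TRUE, keyCertSign); the leaf section
# allows both TLS server and client use, as each side of the app needs.
write_config() {
  cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed CA; -extensions v3_ca is what makes it a CA rather than a plain
# self-signed end-entity certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/ext.cnf" -extensions v3_ca -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Key, CSR and CA-signed certificate for one side of the application ($1).
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/ext.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 \
    -extfile "$WORK/ext.cnf" -extensions v3_leaf -out "$WORK/$1.crt" 2>/dev/null
}

# Prints yes/no: does the certificate assert basicConstraints CA:TRUE?
has_ca_flag() {
  if openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
  then echo yes; else echo no; fi
}

# Prints OK/FAIL: does the leaf chain to the CA under OpenSSL's own validator?
verify_chain() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Java side: import the CA into a truststore with -trustcacerts and bundle the
# webside key pair as PKCS#12 so the JVM can present it for mutual auth.
# Prints "skipped" when no JDK is on the PATH.
java_stores() {
  command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
  rm -f "$WORK/truststore.jks"
  keytool -importcert -noprompt -trustcacerts -alias example-ca \
    -file "$WORK/ca.crt" -keystore "$WORK/truststore.jks" -storepass changeit >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/webside.crt" -inkey "$WORK/webside.key" \
    -certfile "$WORK/ca.crt" -name webside -out "$WORK/webside.p12" -passout pass:changeit
  if keytool -list -keystore "$WORK/truststore.jks" -storepass changeit 2>/dev/null | grep -q example-ca
  then echo imported; else echo missing; fi
}

write_config
make_ca
make_leaf webside
make_leaf agent
for side in webside agent; do
  echo "$side: CA flag=$(has_ca_flag "$WORK/$side.crt") chain=$(verify_chain "$WORK/$side.crt")"
done
echo "ca: CA flag=$(has_ca_flag "$WORK/ca.crt") truststore=$(java_stores)"
```

Run it as-is and compare the `CA flag` line for the CA against the one your own generation script produces; a self-signed certificate minted without a CA extensions section is the classic way to end up with a "CA" that OpenSSL's tools happily sign with but that a stricter PKIX validator refuses to treat as a trust anchor. Two caveats: keytool's `-trustcacerts` only tells keytool to consult the JDK's `cacerts` file when building the chain for the certificate being imported, it does not change what the certificate asserts; and if you produce the PKCS#12 with OpenSSL 3 for an old JDK, add `-legacy` to `openssl pkcs12 -export`, because the newer default encryption is not readable by Java 7-era keystores.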
