I've got an Android App trying to send HTTPS Requests to a server having a Symantec Class 3 Secure Server CA - G4 signed certificate.
When trying to send a request via the apache http library (I guess this is also true for other HTTP clients) an exception stating "No peer certificate" is thrown. The same requests to the same servers on iOS work fine and even if I connect to the server in chrome, running on the same Android device I'm testing on, it says the certificate is perfectly fine.
Now I heard that Google dropped trust for some Symantec certificates, but as far as I know only the ones with a 1024 bit key. The one in question is signed with a 2048 bit key. And Chrome also accepts it!
I also found this article [1] saying that I need to import the complete keychain as a BouncyCastle keystore. The problem here is that every user specifies the URL to their own server, managing their own certificates.
So my question is: Is anybody familiar with this problem and knows a workaround? I found endless guides showing me how to turn off certificate validation for a request ... but that won't be a solution that works for me.
[1] http://blog.antoine.li/2010/10/22/android-trusting-ssl-certificates/
The problem I actually had was that the server required SNI (Server Name Indication) support on the HTTP client. Android's version of the Apache HTTP library does not support SNI. So I had to write my own SSLSocketFactory supporting it.
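As an added illustration of the fix described in that answer (this is example code, not the poster's factory): a wrapper around a JSSE SSLSocketFactory that puts the target host name into the TLS ClientHello. The `Socket, host, port, autoClose` overload is the one the Apache client calls for layered connections, which is where the host name got lost on old Android. Modern JSSE (Java 8+) does this itself when you hand it a host name; the wrapper is what you write when the platform's factory does not. It assumes the platform CA store is acceptable for trust.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Example (not the original poster's code): wraps a JSSE SSLSocketFactory and
 * makes sure every connected socket carries the target host name as SNI
 * (RFC 6066). Needs SSLParameters#setServerNames, i.e. Java 8+ / Android 7+.
 */
public final class SniSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;

    public SniSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    /** Default platform trust store; swap in your own TrustManagers if needed. */
    public static SniSocketFactory withDefaultTrust() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return new SniSocketFactory(ctx.getSocketFactory());
    }

    /** Sets SNI (DNS names only, never IP literals) and enables host name checking. */
    private static SSLSocket withSni(Socket raw, String host) {
        SSLSocket s = (SSLSocket) raw;
        if (host != null && !host.isEmpty() && !isIpLiteral(host)) {
            SSLParameters p = s.getSSLParameters();
            p.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(host)));
            // JSSE then verifies the certificate against this host name itself
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
        }
        return s;
    }

    private static boolean isIpLiteral(String h) {
        return h.matches("\\d{1,3}(\\.\\d{1,3}){3}") || h.contains(":");
    }

    // The layered variant: this is the one HTTP clients use for https://host:port
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return withSni(delegate.createSocket(s, host, port, autoClose), host);
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return withSni(delegate.createSocket(host, port), host);
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return withSni(delegate.createSocket(host, port, localHost, localPort), host);
    }
    // Address-only variants: no reliable host name is known, so no SNI is sent
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return delegate.createSocket(address, port, localAddress, localPort);
    }
    @Override public Socket createSocket() throws IOException {
        return delegate.createSocket(); // unconnected; the caller must set SNI after connect
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com"; // assumed host for the demo
        try (SSLSocket s = (SSLSocket) withDefaultTrust().createSocket(host, 443)) {
            s.startHandshake();
            System.out.println("negotiated " + s.getSession().getProtocol()
                    + ", server: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Against a server that serves several certificates on one IP, running this with and without the `setServerNames` call is the quickest way to confirm that "No peer certificate" was an SNI problem and not a trust problem.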
I'm working with a liferay application that is hosted on a machine at 192.168.1.50:8443 with a self signed certificate (keystore was added to tomcat).
I now want to connect the API to an Android app. This connection works in production, but I can't make it work in my local environment; even after accepting the certificate in Chrome and installing it on the Android device, it is detected but gives me this error:
SSLPeerUnverifiedException: Hostname 192.168.1.50 not verified
But then it prints out the certificate being used and shows CN:192.168.1.50 and every parameter exactly as I set it. Can anyone give me some pointers of where to go from here? I have already tried everything I can find including injecting customized socket factories, hostname verifiers and SSL contexts.
Any help is appreciated, even if it is a way to trust all certificates I'll take it, I don't care about security, I just need this for development.
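The error in that question is worth spelling out, so here is an added example (not from the poster) of the host name matching rule that HTTPS clients apply: when the host is an IP literal, it is compared only against `iPAddress` subjectAltName entries, and the CN is never consulted; for DNS names, the CN is a fallback only when the certificate has no `dNSName` SANs at all. The program takes a certificate file (PEM or DER) and a host and reports why they do or do not match. Paths and the `192.168.1.50` host in the usage comment are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Example implementation of RFC 2818 / RFC 6125 host name matching. */
public final class HostnameMatch {
    private static final int SAN_DNS = 2, SAN_IP = 7; // GeneralName tags as returned by JCA

    static boolean isIpLiteral(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
    }

    /** Returns null when host matches cert, otherwise a human-readable reason. */
    public static String check(X509Certificate cert, String host) throws Exception {
        String h = host.toLowerCase(Locale.ROOT);
        boolean ip = isIpLiteral(h);
        boolean sawDnsSan = false;
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                String value = String.valueOf(san.get(1)).toLowerCase(Locale.ROOT);
                if (ip) {
                    // IP literals match ONLY iPAddress SANs, byte-for-byte
                    if (type == SAN_IP && value.equals(h)) return null;
                } else if (type == SAN_DNS) {
                    sawDnsSan = true;
                    if (dnsMatches(value, h)) return null;
                }
            }
        }
        if (ip) return "no iPAddress SAN equal to " + host + " (CN is never consulted for IP literals)";
        if (sawDnsSan) return "dNSName SANs present but none match " + host + " (CN ignored when SANs exist)";
        String cn = commonName(cert);
        if (cn != null && dnsMatches(cn.toLowerCase(Locale.ROOT), h)) return null;
        return "CN=" + cn + " does not match " + host;
    }

    /** Exact match, or a single-label wildcard that is not a bare public suffix. */
    static boolean dnsMatches(String pattern, String host) {
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        String suffix = pattern.substring(1);                  // ".example.com"
        if (!host.endsWith(suffix)) return false;
        String first = host.substring(0, host.length() - suffix.length());
        return !first.isEmpty() && !first.contains(".") && suffix.indexOf('.', 1) > 0;
    }

    static String commonName(X509Certificate cert) throws Exception {
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) return String.valueOf(rdn.getValue());
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // usage (assumed paths): java HostnameMatch server.crt 192.168.1.50
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            String reason = check(cert, args[1]);
            System.out.println(reason == null ? "match" : "NO MATCH: " + reason);
        }
    }
}
```

A certificate with only `CN=192.168.1.50` therefore fails by design. The fix is on the server side, not in the client's hostname verifier: reissue the keystore entry with an IP SAN, e.g. keytool's `-ext SAN=IP:192.168.1.50` option, and the unmodified verifier will accept it.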
I'm currently building a .NET webapi service that is supposed to be used by IBM Notes. The connection in the final product is supposed to be a call from a domino server to the webapi using a java agent over https.
Up until now I've been using http communication between the two, easy enough.
But now I wanted to move to https instead, so I created a self-signed certificate and inserted it into IIS using a guide from Jayway.com by Elizabeth Andrews.
After some tweaking I got it working and my self-signed certificate is trusted by the OS.
The cert is:
SHA512, RSA 2048 bit
I found this "guide" on how to insert the certificate into the cacerts store in notes:
http://www-01.ibm.com/support/docview.wss?uid=swg21588966
Although I am working on the client and this guide is for the server, I assumed the JVM would work the same on both.
After this I tried a simple https call inside a Java agent in the fashion shown here:
http://www-10.lotus.com/ldd/ddwiki.nsf/dx/Connecting_to_a_Domino_server_over_SSL_in_Java_using_a_self_signed_certificate._
Now my problem is that the code works when run as a java project, but when running the code as a notes agent I get this exception:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: No trusted certificate found
If there is anyone who would like to nudge me in the right direction I would be very grateful.
Your Domino server has a directory called names.nsf in which it stores (inter alia) the credentials it trusts. This natively includes the root certificates of the major certificate vendors such as Verisign & co.
Two options here:
- go pro and buy a certificate from a well-known vendor
- or import your own self-signed certificate in the Domino repository.
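If touching the server's trust repository (or cacerts) is not an option, the same thing can be done in the client code itself. This is an added example, not from the answer above or the IBM/Lotus guides: it trusts exactly one self-signed server certificate and nothing else, with host name verification left on. It is also the safe alternative to the "trust all certificates" request in the earlier Android question. File paths and the URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Example: trust one specific self-signed certificate, without editing
 * cacerts and without a trust-all TrustManager. Any other certificate,
 * including a MITM's, still fails the handshake.
 */
public final class PinnedSelfSigned {

    public static SSLContext contextTrustingOnly(String certPath) throws Exception {
        Certificate server;
        try (InputStream in = new FileInputStream(certPath)) {      // PEM or DER
            server = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // In-memory trust store that holds only this one certificate
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        ts.setCertificateEntry("dev-server", server);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);              // no client key, default SecureRandom
        return ctx;
    }

    public static int fetch(String url, String certPath) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection) new URL(url).openConnection();
        c.setSSLSocketFactory(contextTrustingOnly(certPath).getSocketFactory());
        // Host name verification is deliberately untouched. If the certificate
        // names an IP only in its CN, give it an iPAddress SAN instead of
        // replacing the HostnameVerifier.
        return c.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // usage (assumed): java PinnedSelfSigned https://192.168.1.50:8443/api/ server.crt
        System.out.println("HTTP " + fetch(args[0], args[1]));
    }
}
```

Inside a Notes agent the same `SSLContext` can be handed to `HttpsURLConnection.setDefaultSSLSocketFactory` once, so the agent does not depend on which JVM trust store Domino happens to load.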
I've generated classes from wsdl with wsimport, wsdl location: https://somehost/wsdl. There was no problem with generation.
But when I tried to send a SOAP request, I received this exception:
com.sun.xml.internal.ws.client.ClientTransportException: The server sent HTTP status code 403: Client certificate required
I found out, surfing the internet, that I have to add the certificate to my keystore. I've done it, but this doesn't help.
And I have no idea what to do or even what to google.
Can anybody help me?
It sounds like a mutual authentication problem.
The server is requiring that your client use a known digital certificate to sign your messages and send that information within the request. It is like a user/password mechanism, but you and the server agree to use a known key-pair for identification.
This situation usually means that the web service server administrator will generate a key-pair and send the private part of the certificate to you.
But you can send the public certificate to him as well if you created it yourself. The server must have access to the public certificate, and maybe you will have to publish it to a Certification Authority. In some cases it has to be a commercial certificate (you will have to buy it).
You will then use the private key to digitally sign your messages.
I've found some links that may help:
Authentication Mechanisms
Java client for the X.509 secured web-service
Java HTTPS client certificate authentication
If you already did those steps, then something is wrong with your implementation or the certificate/keys provided are invalid.
I recommend you to use a mock server to make sure you are implementing the client authentication properly before you try to connect to the real service. Making it work locally will set the knowledge you need to call the real functions. You can also ask the web service administrator to send you debug information.
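For the "403: Client certificate required" case, here is an added example (not from the answer above) of what the client side of TLS client authentication looks like in Java: the client's own certificate and private key sit in a PKCS#12 file and are supplied through a `KeyManager`; the server's CA sits in a separate trust store. Adding the server's certificate to a trust store alone, as the question did, only covers the second half. The file names and passwords are assumptions; the JAX-WS property key is the one used by the JDK-bundled RI (`com.sun.xml.internal.ws`, matching the package in the stack trace).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Example: mutual TLS for a wsimport-generated JAX-WS client. The KeyManager
 * presents the client certificate during the handshake when the server asks
 * for it; the TrustManager decides whether to believe the server.
 */
public final class MutualTlsClient {

    static KeyStore load(String path, char[] pw, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    public static SSLContext build(String clientP12, char[] clientPw,
                                   String trustStore, char[] trustPw) throws Exception {
        // Our identity: certificate + private key (e.g. exported from the admin's CA)
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(clientP12, clientPw, "PKCS12"), clientPw);

        // Who we trust: the CA that issued the server's certificate
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, trustPw, KeyStore.getDefaultType()));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Installs the context for every HttpsURLConnection, which JAX-WS RI uses underneath. */
    public static void install(SSLContext ctx) {
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        // Per-port alternative instead of the process-wide default:
        //   ((javax.xml.ws.BindingProvider) port).getRequestContext().put(
        //       "com.sun.xml.internal.ws.transport.https.client.SSLSocketFactory",
        //       ctx.getSocketFactory());
    }

    public static void main(String[] args) throws Exception {
        // usage (assumed): java MutualTlsClient client.p12 <p12-pw> truststore.jks <ts-pw>
        install(build(args[0], args[1].toCharArray(), args[2], args[3].toCharArray()));
        // ...then use the generated service exactly as before:
        //   MyService svc = new MyService(); svc.getMyPort().someOperation();
        System.out.println("mutual-TLS SSLContext installed as default");
    }
}
```

If the server still answers 403 after this, run with `-Djavax.net.debug=ssl:handshake` and look for the `CertificateRequest` message: the list of acceptable issuers it carries tells you whether the certificate you are presenting was issued by a CA the server recognises.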
I have a Java web application which is running on several Tomcats behind Apache. The application uses the HTTPS protocol. Some pages from the app include images from sites which use only the HTTP protocol. On pages with these images the client's web browser shows a message (warning) that, despite the service being certified correctly, some contents are not secure.
What should I do to avoid this message? Should I use some proxy for these images? Can I do something in Java code?
Thanks in advance.
You can't do anything nor should you.
The browser is correct in warning the user even though there are no bad intentions here.
Using a proxy could be useful if you're really worried. In that case, the unencrypted connection is between your server and the hosts of the images instead of between the hosts and the user's browser.
Nothing you can do in java.
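The proxy the answer mentions is the one thing that can be done in Java, so here is an added example of it (not from the answer): a servlet that fetches an image from a plain-HTTP origin and serves it over the site's own HTTPS. It only fetches from an allow list of hosts, because an open proxy here would be a server-side request forgery hole into your network. The host names, size limit and URL pattern are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example: serves third-party images over the site's HTTPS so the browser
 * sees no mixed content. Markup references /img?u=http://images.example.org/a.png
 * instead of the http:// URL directly.
 */
public class ImageProxyServlet extends HttpServlet {
    // Assumed allow list: only these origins may be fetched through the proxy
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("images.example.org", "static.example.net"));
    private static final long MAX_BYTES = 5L * 1024 * 1024;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        URL target;
        try { target = new URL(req.getParameter("u")); }
        catch (Exception e) { resp.sendError(400, "bad url"); return; }

        String scheme = target.getProtocol();
        if (!("http".equals(scheme) || "https".equals(scheme))
                || target.getUserInfo() != null
                || target.getHost() == null
                || !ALLOWED_HOSTS.contains(target.getHost().toLowerCase(Locale.ROOT))) {
            resp.sendError(403, "host not allowed"); return;
        }

        HttpURLConnection c = (HttpURLConnection) target.openConnection();
        c.setInstanceFollowRedirects(false);          // a redirect could leave the allow list
        c.setConnectTimeout(3000);
        c.setReadTimeout(5000);

        String type = c.getContentType();
        if (c.getResponseCode() != 200 || type == null || !type.startsWith("image/")) {
            resp.sendError(502, "upstream did not return an image"); return;
        }

        resp.setContentType(type);
        resp.setHeader("X-Content-Type-Options", "nosniff");  // never let the browser re-sniff as HTML
        resp.setHeader("Cache-Control", "public, max-age=3600");

        try (InputStream in = c.getInputStream(); OutputStream out = resp.getOutputStream()) {
            byte[] buf = new byte[8192];
            long total = 0;
            int n;
            while ((n = in.read(buf)) > 0) {
                total += n;
                if (total > MAX_BYTES) break;          // stop copying oversized responses
                out.write(buf, 0, n);
            }
        }
    }
}
```

The unencrypted hop now runs between your server and the image host, exactly as the answer describes; the browser only ever sees your certificate. Keep the allow list tight and do not accept arbitrary URLs from the page.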
You need to register your certificate at some official certification authority, you can do that through the registration authorities.
A registration authority (RA) is an authority in a network that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it.
Google it. Of course you'll pay for that.
Also, you can avoid that browser message if you manually add your certificate to the Trusted Certificates on the client machine.
I have a Swing application deployed on an HTTP server. Users use the browser to point at a URL and install the client using Java Web Start. Now I need to enable HTTPS access to my application deployed on the HTTP server. I am using JDK 1.5 as the default JDK supported in the JNLP file. For the time being I use a self-signed certificate to sign the jars (by default created using Sun's jarsigner, keytool, etc. utilities).
Solution/steps would be much appreciated.
Thanks in advance
Ramesh
As far as I understand your question you don't need to change anything in your client code. If you only want to give access to the JNLP via HTTPS you would only need to reconfigure the application server distributing the JNLP, or if you have a webserver in front of the application server (as we do here: user - https -> apache -> AJP -> tomcat) you need to reconfigure the webserver to allow access to the JNLP via HTTPS.
You need to enable HTTPS on the web server. To get the certificate you need to provide credentials and the host name of the server to a certificate authority (CA) like VeriSign or Thawte. They can provide you with a server certificate signed by their root certificate or some intermediate certificate. This certificate must then be imported into the web server to enable HTTPS over SSL. The web clients, like a browser or webstart will then verify the certificate chain when accessing the server.
If you use a self-signed jar, all your users will be presented with a warning message about potentially unsafe code. To avoid this you should get a code signing certificate from a CA, which would be somewhat similar to the web server certificate. This CA-provided certificate can be imported into the keystore and used in the same way you use the self-signed certificate. The code signing certificate will be signed by the CA so that the certificate chain can be verified by Web Start.
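To see the chain verification that answer refers to, here is an added example (not from the answer) that does the two things Web Start does before deciding whether to warn: verify the signature on every jar entry, and check whether each signer's certificate path validates against the JRE's own `cacerts` trust store. A jar signed with a self-signed certificate passes the first check and fails the second. The jar path is an argument; the `changeit` cacerts password is the JRE default and is assumed to be unchanged.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Example: is this jar signed, and does the signer chain to a JRE trust anchor? */
public final class JarTrustCheck {

    static KeyStore jreCacerts() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        String path = System.getProperty("java.home") + "/lib/security/cacerts";
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, "changeit".toCharArray());     // assumed: default cacerts password
        }
        return ks;
    }

    /** True only if every non-META-INF entry is signed and every signer path validates. */
    public static boolean trusted(String jarPath) throws Exception {
        PKIXParameters params = new PKIXParameters(jreCacerts());
        params.setRevocationEnabled(false);            // offline check; keep revocation on in production
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        byte[] buf = new byte[8192];

        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify signatures
            Enumeration<JarEntry> en = jar.entries();
            while (en.hasMoreElements()) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;

                // JarFile only checks an entry's signature once it has been read to EOF
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    System.out.println("UNSIGNED entry: " + e.getName());
                    return false;
                }
                for (CodeSigner s : signers) {
                    CertPath path = s.getSignerCertPath();
                    X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);
                    try {
                        cpv.validate(path, params);
                    } catch (CertPathValidatorException ex) {
                        System.out.println("UNTRUSTED signer " + leaf.getSubjectX500Principal()
                                + ": " + ex.getMessage());
                        return false;
                    }
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // usage (assumed): java JarTrustCheck myapp.jar
        System.out.println(trusted(args[0]) ? "signer chain trusted" : "Web Start will warn about this jar");
    }
}
```

Note that this is independent of HTTPS on the web server: the transport certificate protects the download, the code-signing chain is what the client checks before running the jar, and fixing one does not fix the other.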
What is the feature of https that you are hoping to leverage?
The signing/server authentication is done by code signing, though you are undermining this using a self-signed certificate.
Does your application code contain secrets that must be hidden from eavesdroppers?
As you say you "need to enable" there must be an underlying reason.
I believe that before you "need https" you need a proper code signing certificate. You might want to rephrase your question so that your underlying problem can be solved instead of the very specific question.