I have a REST server made in Grizzly that uses HTTPS and works wonderfully with Firefox. Here's the code:
//Build a new Servlet Adapter.
ServletAdapter adapter=new ServletAdapter();
adapter.addInitParameter("com.sun.jersey.config.property.packages", "My.services");
adapter.addInitParameter(ResourceConfig.PROPERTY_CONTAINER_REQUEST_FILTERS, SecurityFilter.class.getName());
adapter.setContextPath("/");
adapter.setServletInstance(new ServletContainer());
//Configure SSL (See instructions at the top of this file on how these files are generated.)
SSLConfig ssl=new SSLConfig();
String keystoreFile=Main.class.getResource("resources/keystore_server.jks").toURI().getPath();
System.out.printf("Using keystore at: %s.",keystoreFile);
ssl.setKeyStoreFile(keystoreFile);
ssl.setKeyStorePass("asdfgh");
//Build the web server.
GrizzlyWebServer webServer=new GrizzlyWebServer(getPort(9999),".",true);
//Add the servlet.
webServer.addGrizzlyAdapter(adapter, new String[]{"/"});
//Set SSL
webServer.setSSLConfig(ssl);
//Start it up.
System.out.println(String.format("Jersey app started with WADL available at "
+ "%sapplication.wadl\n",
"https://localhost:9999/"));
webServer.start();
Now, I try to reach it in Java:
SSLContext ctx=null;
try {
ctx = SSLContext.getInstance("SSL");
} catch (NoSuchAlgorithmException e1) {
e1.printStackTrace();
}
ClientConfig config=new DefaultClientConfig();
config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, new HTTPSProperties(null,ctx));
WebResource service=Client.create(new DefaultClientConfig()).resource("https://localhost:9999/");
//Attempt to view the user's page.
try{
service
.path("user/"+username)
.get(String.class);
}
And get:
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:128)
at com.sun.jersey.api.client.Client.handle(Client.java:453)
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:557)
at com.sun.jersey.api.client.WebResource.get(WebResource.java:179)
From examples that I've found on the web, it seems like I would need to setup a Truststore then setup some sort of TrustManager. This seems like a lot of code and setup work for my simple little project. Is there an easier way to just say..I trust this cert and point to a .cert file?
When you say "is there an easier way to... trust this cert", that's exactly what you're doing by adding the cert to your Java trust store. And this is very, very easy to do, and there's nothing you need to do within your client app to get that trust store recognized or utilized.
On your client machine, find where your cacerts file is (that's your default Java trust store, and is, by default, located at <java-home>/lib/security/certs/cacerts.
Then, type the following:
keytool -import -alias <Name for the cert> -file <the .cer file> -keystore <path to cacerts>
That will import the cert into your trust store, and after this, your client app will be able to connect to your Grizzly HTTPS server without issue.
If you don't want to import the cert into your default trust store -- i.e., you just want it to be available to this one client app, but not to anything else you run on your JVM on that machine -- then you can create a new trust store just for your app. Instead of passing keytool the path to the existing, default cacerts file, pass keytool the path to your new trust store file:
keytool -import -alias <Name for the cert> -file <the .cer file> -keystore <path to new trust store>
You'll be asked to set and verify a new password for the trust store file. Then, when you start your client app, start it with the following parameters:
java -Djavax.net.ssl.trustStore=<path to new trust store> -Djavax.net.ssl.trustStorePassword=<trust store password>
Easy cheesy, really.
Here's the painful route:
SSLContext ctx = null;
try {
KeyStore trustStore;
trustStore = KeyStore.getInstance("JKS");
trustStore.load(new FileInputStream("C:\\truststore_client"),
"asdfgh".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory
.getInstance("SunX509");
tmf.init(trustStore);
ctx = SSLContext.getInstance("SSL");
ctx.init(null, tmf.getTrustManagers(), null);
} catch (NoSuchAlgorithmException e1) {
e1.printStackTrace();
} catch (KeyStoreException e) {
e.printStackTrace();
} catch (CertificateException e) {
e.printStackTrace();
} catch (FileNotFoundException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
} catch (KeyManagementException e) {
e.printStackTrace();
}
ClientConfig config = new DefaultClientConfig();
config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES,
new HTTPSProperties(null, ctx));
WebResource service = Client.create(config).resource(
"https://localhost:9999/");
service.addFilter(new HTTPBasicAuthFilter(username, password));
// Attempt to view the user's page.
try {
service.path("user/" + username).get(String.class);
} catch (Exception e) {
e.printStackTrace();
}
Gotta love those six different caught exceptions :). There are certainly some refactoring to simplify the code a bit. But, I like delfuego's -D options on the VM. I wish there was a javax.net.ssl.trustStore static property that I could just set. Just two lines of code and done. Anyone know where that would be?
This may be too much to ask, but, ideally the keytool would not be used. Instead, the trustedStore would be created dynamically by the code and the cert is added at runtime.
There must be a better answer.
Something to keep in mind is that this error isn't only due to self signed certs. The new Entrust CA certs fail with the same error, and the right thing to do is to update the server with the appropriate root certs, not to disable this important security feature.
Check this out: http://code.google.com/p/resting/. I could use resting to consume
HTTPS REST services.
The answer of delfuego is the simplest way to solve the certificate problem. But, in my case, one of our third party url (using https), updated their certificate every 2 months automatically. It means that I have to import the cert to our Java trust store manually every 2 months as well. Sometimes it caused production problems.
So, I made a method to solve it with SecureRestClientTrustManager to be able to consume https url without importing the cert file.
Here is the method:
public static String doPostSecureWithHeader(String url, String body, Map headers)
throws Exception {
log.info("start doPostSecureWithHeader " + url + " with param " + body);
long startTime;
long endTime;
startTime = System.currentTimeMillis();
Client client;
client = Client.create();
WebResource webResource;
webResource = null;
String output = null;
try{
SSLContext sslContext = null;
SecureRestClientTrustManager secureRestClientTrustManager = new SecureRestClientTrustManager();
sslContext = SSLContext.getInstance("SSL");
sslContext
.init(null,
new javax.net.ssl.TrustManager[] { secureRestClientTrustManager },
null);
DefaultClientConfig defaultClientConfig = new DefaultClientConfig();
defaultClientConfig
.getProperties()
.put(com.sun.jersey.client.urlconnection.HTTPSProperties.PROPERTY_HTTPS_PROPERTIES,
new com.sun.jersey.client.urlconnection.HTTPSProperties(
getHostnameVerifier(), sslContext));
client = Client.create(defaultClientConfig);
webResource = client.resource(url);
if(headers!=null && headers.size()>0){
for (Map.Entry entry : headers.entrySet()){
webResource.setProperty(entry.getKey(), entry.getValue());
}
}
WebResource.Builder builder =
webResource.accept("application/json");
if(headers!=null && headers.size()>0){
for (Map.Entry entry : headers.entrySet()){
builder.header(entry.getKey(), entry.getValue());
}
}
ClientResponse response = builder
.post(ClientResponse.class, body);
output = response.getEntity(String.class);
}
catch(Exception e){
log.error(e.getMessage(),e);
if(e.toString().contains("One or more of query value parameters are null")){
output="-1";
}
if(e.toString().contains("401 Unauthorized")){
throw e;
}
}
finally {
if (client!= null) {
client.destroy();
}
}
endTime = System.currentTimeMillis();
log.info("time hit "+ url +" selama "+ (endTime - startTime) + " milliseconds dengan output = "+output);
return output;
}
Related
For some reasons Parse users must migrate their Parse environment to a VPS (this is the case for my question) or Heroku, AWS (don't need these platforms), etc. There is a new Parse SDK for Android (1.13.0) which allows to initialize connection using the new Parse interface, as follows:
Parse.initialize(new Parse.Configuration.Builder(this)
.applicationId("myAppId")
.clientKey(null)
.addNetworkInterceptor(new ParseLogInterceptor())
.server("https://VPS_STATIC_IP_ADDRESS/parse/").build());
This kind of request is done using the port 443. The appropriate .js (nodejs) connector file has already been edited so that port 443 is locally connected to port 1337 (port-listener) and it works when accessing Parse Server in browser (remotely, of course: from outside VPS) where it's possible to apply a self-signed certificate and go further. But when an Android app (launcher) tries to connect it, it cannot because of self-signed certificate. Is there any possibility from within Parse SDK to apply a self-signed certificate?
P.S. Is it true that there's a bug concerning this issue and that this is the reason why 1.13.1 Parse version has been released? If yes, where is it possible to get the jar-library of this version?
Thank you!
I just solved this one -
Parse SDK for android does not come with out of the box support in SelfSigned certificates.
You need to modify the code yourself.
First Step - The relevant piece of code is in ParseHttpClient
public static ParseHttpClient createClient(int socketOperationTimeout,
SSLSessionCache sslSessionCache) {
String httpClientLibraryName;
ParseHttpClient httpClient;
if (hasOkHttpOnClasspath()) {
httpClientLibraryName = OKHTTP_NAME;
httpClient = new ParseOkHttpClient(socketOperationTimeout, sslSessionCache);
} else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
httpClientLibraryName = URLCONNECTION_NAME;
httpClient = new ParseURLConnectionHttpClient(socketOperationTimeout, sslSessionCache);
} else {
httpClientLibraryName = APACHE_HTTPCLIENT_NAME;
httpClient = new ParseApacheHttpClient(socketOperationTimeout, sslSessionCache);
}
PLog.i(TAG, "Using " + httpClientLibraryName + " library for networking communication.");
return httpClient; }
If your target support is for version more advanced then KITKAT -
Then you need to add in ParseURLConnectionHttpClient constructor:
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier(){
public boolean verify(String hostname, SSLSession session) {
if(hostname.equals("YOUR TARGET SERVER")) {
return true;
}
return false;
}});
In other cases (older versions) the code will fall to the Apache, I was not able to work with it- so I did the following: I added the okhttp library to my app (take version 2.4 - the same one parse indicates in the build , the most recent has different package name) and then the code will step into the first condition since it will find okhttp on the Path.
You should probably replace the if conditions order so it will happen only on versions less then KITKAT.
In ParseOkHttpClient add the following selfsigned certificate code:
public void initCert() {
try {
Log.i("PARSE","initCert");
CertificateFactory cf = CertificateFactory.getInstance("X.509");
String yairCert = "-----BEGIN CERTIFICATE-----\n" +
YOUR CERTIFICATE HERE
"-----END CERTIFICATE-----\n";
InputStream caInput = new ByteArrayInputStream(yairCert.getBytes());
Certificate ca = null;
try {
ca = cf.generateCertificate(caInput);
System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} catch (CertificateException e) {
e.printStackTrace();
} finally {
try {
caInput.close();
} catch (IOException e) {
Log.e("PARSE_BUG","Failure on Cert installing",e);
e.printStackTrace();
}
}
// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
// Create an SSLContext that uses our TrustManager
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);
Log.i("PARSE","Initiating Self Signed cert");
okHttpClient.setSslSocketFactory(context.getSocketFactory());
try {
cf = CertificateFactory.getInstance("X.509");
} catch (CertificateException e) {
Log.e("PARSE_BUG","Failure on Cert installing",e);
e.printStackTrace();
}
} catch (IOException e) {
Log.e("PARSE_BUG","Failure on Cert installing",e);
e.printStackTrace();
} catch (CertificateException e) {
Log.e("PARSE_BUG","Failure on Cert installing",e);
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
Log.e("PARSE_BUG","Failure on Cert installing",e);
e.printStackTrace();
} catch (KeyStoreException e) {
Log.e("PARSE_BUG","Failure on Cert installing",e);
e.printStackTrace();
} catch (KeyManagementException e) {
Log.e("PARSE_BUG","Failure on Cert installing",e);
e.printStackTrace();
}
And the final part is the calling this method + verifying hostname , it should happen in the Constructor too.
initCert();
okHttpClient.setHostnameVerifier(new HostnameVerifier() {
#Override
public boolean verify(String s, SSLSession sslSession) {
if(s.equals("YOUR TARGET SERVER")) {
return true;
}
return false;
}
});
Thats it. Build PARSE locally and deploy to your app and it will work like a charm.
Enjoy
Good afternoon,
I have a SafeNet 5100 eToken already with a valid certificate in it that I use to access a web application from my company that requires it.
When I try to access the web application using a web browser (like chrome) everything works fine and I have no problem. A dialog from SafeNet opens up, I put in my password and I am able to access the site.
What I'm trying to do now is to access this web application through a java program (I'm programming it using the IDE eclipse) and couldn't find how to do this. Is there any API from SafeNet to do this or any online tutorials?
I was looking at this thread how to use Microsoft Crypto API with USB Dongle following PKCS#11, but couldn't understand how this CryptoAPI CSP works. Any help is appreciated.
Thank you
I found out how to do this thanks to these two threads:
How to get KeyStore from usb token in Java
java keytool with opensc pkcs#11 provider only works with debug option enabled
And this website:
Pdf Signing Using eToken in java
First, if the website has a certificate java doesn't trust by default you have to create a trustStore and load it to java's System properties. you can see how to do it in here:
Oracle - Generating a KeyStore and TrustStore (using keytool)
Than you have to find where the PKCS#11 library used for your smartCard/eToken is installed in your computer, in mine it is in "C:\Windows\System32\eTPKCS11.dll". Then create a .cfg file like this:
name=SafeNet
library=C:\Windows\System32\eTPKCS11.dll
slot=4
Where you give it a name and the path to your PKCS#11 library. Slot is the slot where your eToken/SmartCard is connected (you don't need to set this if you don't want).
Now my code looks like this:
System.setProperty("javax.net.ssl.trustStore", "cfgFiles/trustedHttpsCertificates.truestore");
System.setProperty("javax.net.ssl.trustStoreType", "jks");
System.setProperty("javax.net.ssl.trustStorePassword", "oiadad");
Provider newProvider = new SunPKCS11("cfgFiles/etpkcs11.cfg");
Security.addProvider(newProvider);
try {
KeyStore keyStore = KeyStore.getInstance("PKCS11");
keyStore.load(null, "".toCharArray());
KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyFactory.init(keyStore,null);
SSLContext sslContext = SSLContext.getInstance("SSL", "SunJSSE");
sslContext.init(keyFactory.getKeyManagers(), null, null);
sslSocketFactory = sslContext.getSocketFactory();
} catch (KeyStoreException e) {
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (CertificateException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
} catch (NoSuchProviderException e) {
e.printStackTrace();
} catch (UnrecoverableKeyException e1) {
e1.printStackTrace();
} catch (KeyManagementException e1) {
e1.printStackTrace();
}
I first tell java where to look for my trustStore. Then I pass the path to my cfg file, create a provider with it and tell security that this new provider exists.
After this I initialize and load a PKCS11 KeyStore giving it a blank password (could pass my real password if I wanted, but this way a SafeNet pop window shows up and asks me for my password).
Then I instantiate a KeyManagerFactory and a SSLSocketFactory. This is the last step to using your eToken to be able to access multi-factor authentication https urls.
Now there's just one more trick to access a protected https website, you have to give the HttpsURLConnection the new SSLSocketFactory. You can do it like this:
try {
HttpsURLConnection conn = (HttpsURLConnection)new URL(<your-https-url-here>).openConnection();
conn.setRequestMethod("GET");
conn.setDoInput(true);
conn.setSSLSocketFactory(sslSocketFactory);
int responseCode = conn.getResponseCode();
System.out.println("RESPONSE: " + responseCode);
InputStream inputstream = conn.getInputStream();
InputStreamReader inputstreamreader = new InputStreamReader(inputstream);
BufferedReader bufferedreader = new BufferedReader(inputstreamreader);
String line = null;
String htmlResponse = "";
while ((line = bufferedreader.readLine()) != null) {
htmlResponse += line + "\n";
//System.out.println("html: " + line);
}
} catch (ProtocolException e) {
e.printStackTrace();
} catch (MalformedURLException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
I hope this helps anyone having problems with eTokens or SmartCards.
I am not SafeNet expert. You may try SAML assertions to login to safeNet. Java has OpenSAML API for generating SAML assertion.
I'm trying to get an application running on top of Tomcat 6 to connect to an LDAP server over SSL.
I imported certificate of the server to keystore using:
C:\Program Files\Java\jdk1.6.0_32\jre\lib\security>keytool -importcert -trustcacerts -file mycert -alias ca_alias -keystore "c:\Program Files\Java\jdk1.6.0_32\jre\lib\security\cacerts"
When I start Tomcat with SSL debugging turned on, according to logs Tomcat is using the correct certificate file:
trustStore is: C:\Program Files\Java\jdk1.6.0_32\jre\lib\security\cacerts
However, Tomcat does not add the cert I just imported - all other certs in the cacerts file are printed to the log - and connection fails:
handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Restarting Tomcat does not help. I have verified with keytool -list command that the new cert indeed exists on the file.
Why Tomcat keeps on ignoring my new cert?
EDIT:
Seems that the issue was caused by Windows 7 VirtualStore. Keytool created a new copy of the cacert file, and Tomcat used the original file.
JVM needs restart after importing certs to the keystore.
Check to see whether there is a key with the same CN information but a different alias.
I have had similar problems before when I tried to import a newer version of a certificate but left the older version in the keystore. My Java programs would simply find the first matching CN key in the keystore (which was the old expired one) and try to use that, even though there was a newer one which also matched the CN.
Also ensure that the authenticating Root certificate (and Intermediate certificate if applicable) exist in the keystore. If you're authenticating against one of the major security providers such as Verisign or Globalsign, they will usually provide you with the root and intermediate certificates. If these certificates exist in the keystore already, ensure they are still in validity. You need to have all the certificates from your personal certificate all the way down the authentication chain to the root, existing in your keystore, so that it understands how to validate your credentials.
What you described is exactly what I´ve been getting when using cmd.exe and a regular user although member of administrative group on a Windows Server. You have to start cmd.exe in administration mode to apply the changes in to cacerts files. At least on the Win2k8 OS´s.
If you do not do this carets will show you in the keytool.exe -list view the newly added certs but Tomcat won´t see them. Not sure why so. But when you do add it with cmd.exe started as Administrator Tomcat is fine with the newly added certs.
You can also use Djavax.net.debug="ssl,handshake" to see what Tomcat reads from cacerts file.
In my case I looked through so many things before I figured out what was wrong... I added the certificate to different keystores, I added all certificates in the chain (which is pointless btw), I downloaded the cert again for my own sanity and checked the serial number, and even inspected the downloaded cert to make sure it had all the correct information.
I ended up writing a TLS verifying client app in order to debug the issue. Not only did the remote server I was connecting to support only TLS 1.2 (disabled by default in my version of Java 7), the server also supported none of the ciphers that were enabled in my client. It turns out Java 7 had fewer than half of its supported ciphers enabled, many of them being really insecure and some of the most secure ones were disabled.
After some cross-checking, I came up with the following ordered list of TLS 1.2-supported secure ciphers:
new String[] {
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
"TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256",
"TLS_DHE_RSA_WITH_AES_256_CCM",
"TLS_DHE_RSA_WITH_AES_128_CCM",
"TLS_DHE_PSK_WITH_AES_256_CCM",
"TLS_DHE_PSK_WITH_AES_128_CCM",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_AES_128_GCM_SHA256",
"TLS_AES_128_CCM_SHA256"
}
If there are any crypto experts around, feel free to update this list. I used Qualys SSL Labs, this Information Security SE answer, and IANA as my sources.
For those who want a sample of the source code I used, see below. I was using Apache Commons HttpClient 3.0, so you'll probably need to download the following binaries:
https://archive.apache.org/dist/httpcomponents/commons-httpclient/3.0/binary/commons-httpclient-3.0.1.zip
https://archive.apache.org/dist/commons/logging/binaries/commons-logging-1.0.4.zip
https://archive.apache.org/dist/commons/codec/binaries/commons-codec-1.3.zip
https://archive.apache.org/dist/commons/lang/binaries/commons-lang-2.6-bin.zip
TLS12SocketFactory.java
import java.io.*;
import java.net.*;
import java.util.*;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.*;
import org.apache.commons.lang.StringUtils;
public class TLS12SocketFactory implements SecureProtocolSocketFactory {
private final SecureProtocolSocketFactory base;
public TLS12SocketFactory()
{
this.base = (SecureProtocolSocketFactory)Protocol.getProtocol("https").getSocketFactory();
}
private Socket acceptOnlyTLS12(Socket socket)
{
if(socket instanceof javax.net.ssl.SSLSocket) {
final javax.net.ssl.SSLSocket s = (javax.net.ssl.SSLSocket)socket;
// Set TLS 1.2
s.setEnabledProtocols(new String[]{ "TLSv1.2" });
// Using recommended ciphers from https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#table-tls-parameters-4
List<String> recommended = new ArrayList(Arrays.asList(new String[]{ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384", "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_CCM", "TLS_DHE_RSA_WITH_AES_128_CCM", "TLS_DHE_PSK_WITH_AES_256_CCM", "TLS_DHE_PSK_WITH_AES_128_CCM", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_AES_128_CCM_SHA256" }));
recommended.retainAll(Arrays.asList(s.getSupportedCipherSuites()));
if(recommended.size() == 0) {
System.err.println("No supported modern ciphers. Update crypto policy or install JCE Unlimited Strength Jurisdiction Policy files." + System.lineSeparator());
} else if(recommended.size() < 3) {
System.out.println("Few supported modern ciphers. It's recommended to update crypto policy or install JCE Unlimited Strength Jurisdiction Policy files." + System.lineSeparator());
}
s.setEnabledCipherSuites(recommended.toArray(new String[0]));
// Log matched cipher and cert
s.addHandshakeCompletedListener(new javax.net.ssl.HandshakeCompletedListener() {
#Override
public void handshakeCompleted(javax.net.ssl.HandshakeCompletedEvent hce) {
String print = s.getInetAddress().getHostName() + System.lineSeparator() + hce.getCipherSuite() + System.lineSeparator();
try {
for(java.security.cert.Certificate cert : hce.getPeerCertificates()) {
List<String> certStrings = Arrays.asList(cert.toString().split("\r?\n"));
for(int line = 0; line < certStrings.size(); line++) {
if(certStrings.get(line).startsWith("Certificate Extensions:")) {
print += System.lineSeparator() + StringUtils.join(certStrings.subList(2, line-1), System.lineSeparator()) + System.lineSeparator();
break;
}
}
}
} catch (javax.net.ssl.SSLPeerUnverifiedException ex) {
print += "Non-certificate based cipher used" + System.lineSeparator();
}
System.out.println(print);
}
});
}
return socket;
}
#Override
public Socket createSocket(String host, int port) throws IOException
{
return acceptOnlyTLS12(base.createSocket(host, port));
}
#Override
public Socket createSocket(String host, int port, InetAddress localAddress, int localPort) throws IOException
{
return acceptOnlyTLS12(base.createSocket(host, port, localAddress, localPort));
}
#Override
public Socket createSocket(String host, int port, InetAddress localAddress, int localPort, HttpConnectionParams params) throws IOException
{
return acceptOnlyTLS12(base.createSocket(host, port, localAddress, localPort, params));
}
#Override
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException
{
return acceptOnlyTLS12(base.createSocket(socket, host, port, autoClose));
}
}
Main.java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.*;
import org.apache.commons.httpclient.cookie.CookiePolicy;
import org.apache.commons.httpclient.methods.*;
import org.apache.commons.httpclient.params.HttpClientParams;
public class Main {
public static void main(String[] args) {
List<java.net.URI> locations = new ArrayList<>();
for(String arg : args) {
java.net.URI location = java.net.URI.create(arg);
if(location.isAbsolute() && location.getScheme().equals("https")) {
locations.add(location);
} else {
System.out.println("Skipping invalid URL: " + arg);
}
}
System.out.println("Connecting to URL's");
System.out.println();
System.out.println("-------------------------");
TLS12SocketFactory tls12factory = new TLS12SocketFactory();
Protocol.registerProtocol("httpss", new Protocol("httpss", tls12factory, 443));
for(java.net.URI location : locations) {
System.out.println();
try {
// Form request
String tls12url = location.toString().replaceFirst("^https:", "httpss:");
HttpMethod method = new HeadMethod(tls12url);
// Send request
HttpClientParams params = new HttpClientParams();
params.setParameter(HttpClientParams.COOKIE_POLICY, CookiePolicy.IGNORE_COOKIES);
new HttpClient(params).executeMethod(method);
method.setFollowRedirects(true);
// Print response
System.out.println(location.toString());
System.out.println(method.getStatusLine().toString());
} catch (javax.net.ssl.SSLHandshakeException ex) {
System.out.println("There was an error making a secure connection to " + location.getHost());
ex.printStackTrace(System.out);
} catch (HttpException ex) {
System.out.println("There was an error with the external webpage");
ex.printStackTrace(System.out);
} catch (Exception ex) {
System.out.println("Could not complete request");
ex.printStackTrace(System.out);
}
}
System.out.println();
System.out.println("-------------------------");
System.out.println();
try {
// Load supported SSL Ciphers
System.out.println("Supported ciphers");
System.out.println();
System.out.println("-------------------------");
System.out.println();
javax.net.ssl.SSLSocket socket = (javax.net.ssl.SSLSocket)tls12factory.createSocket("www.google.com", 443);
for(String cipher : socket.getSupportedCipherSuites()) {
System.out.println(cipher);
}
System.out.println();
System.out.println("-------------------------");
System.out.println();
// Load enabled SSL Ciphers
System.out.println("Enabled ciphers");
System.out.println();
System.out.println("-------------------------");
System.out.println();
for(String cipher : socket.getEnabledCipherSuites()) {
System.out.println(cipher);
}
System.out.println();
System.out.println("-------------------------");
System.out.println();
// Load the JDK's cacerts keystore file
String filename = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);
System.out.println("Loading keystore");
System.out.println(filename);
System.out.println();
System.out.println("-------------------------");
System.out.println();
FileInputStream is = new FileInputStream(filename);
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
String password = "changeit";
keystore.load(is, password.toCharArray());
// This class retrieves the most-trusted CAs from the keystore
PKIXParameters params = new PKIXParameters(keystore);
// Get the set of trust anchors, which contain the most-trusted CA certificates
for (TrustAnchor ta : params.getTrustAnchors()) {
// Print certificate
System.out.println(ta.getTrustedCert());
}
} catch (CertificateException | KeyStoreException | NoSuchAlgorithmException | InvalidAlgorithmParameterException | IOException ex) {
System.out.println("Could not load keystore");
ex.printStackTrace(System.out);
}
}
}
This question already has answers here:
Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
(33 answers)
Closed 2 years ago.
I received this error while trying to start up an application:
Sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: java.net.UnknownHostException:oscp.thawte.com
The application is behind a closed network and won't ever be able to get to oscp.thawte.com. Is there a java setting that can disable this?
-Dcom.sun.net.ssl.checkRevocation=false
Not exactly a setting but you can override the default TrustManager and HostnameVerifier to accept anything. Not a safe approach but in your situation, it can be acceptable.
Complete example : Fix certificate problem in HTTPS
In addition to the answers above. You can do it programmatically by implementing the TrustManager:
TrustManager[] trustAllCerts = new TrustManager[] {
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
#Override
public void checkClientTrusted(X509Certificate[] arg0, String arg1)
throws CertificateException {}
#Override
public void checkServerTrusted(X509Certificate[] arg0, String arg1)
throws CertificateException {}
}
};
SSLContext sc=null;
try {
sc = SSLContext.getInstance("SSL");
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
}
try {
sc.init(null, trustAllCerts, new java.security.SecureRandom());
} catch (KeyManagementException e) {
e.printStackTrace();
}
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
// Create all-trusting host name verifier
HostnameVerifier validHosts = new HostnameVerifier() {
#Override
public boolean verify(String arg0, SSLSession arg1) {
return true;
}
};
// All hosts will be valid
HttpsURLConnection.setDefaultHostnameVerifier(validHosts);
However this is not a good practice for production.
This example on How to disable SSL certificat validation in Java contains a utility class you can copy in your project.
Use cli utility keytool from java software distribution for import (and trust!) needed certificates
Sample:
From cli change dir to jre\bin
Check keystore (file found in jre\bin directory)
keytool -list -keystore ..\lib\security\cacerts
Enter keystore password: changeit
Download and save all certificates chain from needed server.
Add certificates (before need to remove "read-only" attribute on file "..\lib\security\cacerts")
keytool -alias REPLACE_TO_ANY_UNIQ_NAME -import -keystore ..\lib\security\cacerts -file "r:\root.crt"
accidentally I found such a simple tip.
Other solutions require the use of InstallCert.Java and JDK
source: http://www.java-samples.com/showtutorial.php?tutorialid=210
On my Mac that I'm sure I'm not going to allow java anyplace other than a specific site, I was able to use Preferences->Java to bring up the Java control panel and turned the checking off. If DLink ever fixes their certificate, I'll turn it back on.
In Axis webservice and if you have to disable the certificate checking then use below code:
AxisProperties.setProperty("axis.socketSecureFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");
It is very simple .In my opinion it is the best way for everyone
Unirest.config().verifySsl(false);
HttpResponse<String> response = null;
try {
Gson gson = new Gson();
response = Unirest.post("your_api_url")
.header("Authorization", "Basic " + "authkey")
.header("Content-Type", "application/json")
.body("request_body")
.asString();
System.out.println("------RESPONSE -------"+ gson.toJson(response.getBody()));
} catch (Exception e) {
System.out.println("------RESPONSE ERROR--");
e.printStackTrace();
}
}
I've setup a self-signed certificate to test an ssl java connection - however, it is refusing to locate the java trustStore. I've saved copies of it in /Java/jre6/lib/security in addition to the folder where the classes are compiled to (im using netbeans) and also to /java/jre6/bin
none of the above appears to work, because when i run the following - trustStore = null.
public class ShowTrustStore {
public static void main(String[] args) {
System.setProperty("javax.net.ssl.keyStore", "keystore.jks");
System.setProperty("javax.net.ssl.trustStrore", "cacerts.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
String trustStore = System.getProperty("javax.net.ssl.trustStore");
if (trustStore == null) {
System.out.println("javax.net.ssl.trustStore is not defined");
} else {
System.out.println("javax.net.ssl.trustStore = " + trustStore);
}
}
}
how to set the path correctly?
**********UPDATE************
Using the getFile() method and some more debug data:
package ssltest;
public class Main {
public static void main(String[] args) {
// System.setProperty("javax.net.ssl.keyStore", "/keystore.jks");
// System.setProperty("javax.net.ssl.trustStrore", "/java.home/cacerts.jks");
// System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
// System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
try {
Main.class.getResource("trustStore.jks").getFile();
} catch (Exception e) {
e.printStackTrace();
}
String trustStore = System.getProperty("javax.net.ssl.trustStore");
if (trustStore == null) {
String storeLoc;
storeLoc = System.getProperty("java.class.path");
System.out.println("classpath: " + storeLoc);
}
trustStore = System.getProperty("javax.net.ssl.trustStore");
if (trustStore == null) {
System.out.println("javax.net.ssl.trustStore is not defined");
} else {
System.out.println("javax.net.ssl.trustStore = " + trustStore);
}
}
}
run:
java.lang.NullPointerException
classpath: C:\Users\Main\Documents\NetBeansProjects\sslTest\build\classes;C:\Users\Main\Documents\NetBeansProjects\sslTest\src
at ssltest.Main.main(Main.java:15)
javax.net.ssl.trustStore is not defined
BUILD SUCCESSFUL (total time: 0 seconds)
You have a typo - it is trustStore.
Apart from setting the variables with System.setProperty(..), you can also use
-Djavax.net.ssl.keyStore=path/to/keystore.jks
Looks like you have a typo -- "trustStrore" should be "trustStore", i.e.
System.setProperty("javax.net.ssl.trustStrore", "cacerts.jks");
should be:
System.setProperty("javax.net.ssl.trustStore", "cacerts.jks");
Both
-Djavax.net.ssl.trustStore=path/to/trustStore.jks
and
System.setProperty("javax.net.ssl.trustStore", "cacerts.jks");
do the same thing and have no difference working wise. In your case you just have a typo. You have misspelled trustStore in javax.net.ssl.trustStore.
As pointed out by others, there's a typo in the property.
Another way to check whether JVM is using the configured trustStore is to add the property: -Djavax.net.debug=all , which will turn on the debug message.
After the app starts, it will print out a message like:
javax.net.ssl|DEBUG|11|parallel-1|2021-04-17 21:25:13.827 CST|TrustStoreManager.java:112|trustStore is: C:/path/to/the/trustStore
Then we can tell whether it's using the one we want or the default one comes with the JDK.
Reference
https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
Alternatively, if using javax.net.ssl.trustStore for specifying the location of your truststore does not work ( as it did in my case for two way authentication ), you can also use SSLContextBuilder as shown in the example below. This example also includes how to create a httpclient as well to show how the SSL builder would work.
SSLContextBuilder sslcontextbuilder = SSLContexts.custom();
sslcontextbuilder.loadTrustMaterial(
new File("C:\\path to\\truststore.jks"), //path to jks file
"password".toCharArray(), //enters in the truststore password for use
new TrustSelfSignedStrategy() //will trust own CA and all self-signed certs
);
SSLContext sslcontext = sslcontextbuilder.build(); //load trust store
SSLConnectionSocketFactory sslsockfac = new SSLConnectionSocketFactory(sslcontext,new String[] { "TLSv1" },null,SSLConnectionSocketFactory.getDefaultHostnameVerifier());
CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory(sslsockfac).build(); //sets up a httpclient for use with ssl socket factory
try {
HttpGet httpget = new HttpGet("https://localhost:8443"); //I had a tomcat server running on localhost which required the client to have their trust cert
System.out.println("Executing request " + httpget.getRequestLine());
CloseableHttpResponse response = httpclient.execute(httpget);
try {
HttpEntity entity = response.getEntity();
System.out.println("----------------------------------------");
System.out.println(response.getStatusLine());
EntityUtils.consume(entity);
} finally {
response.close();
}
} finally {
httpclient.close();
}