No trusted certificate found (https)

[Alex Hunsley]

I've reworking some http resource accessing code to make it use an https
connection, rather than just http.

So, the people running the web server have generated a certificate (not
signed by verisign or anything similar), and I can access the https
resource in a browser (although obviously I get a certificate warning
first, I just hit "yes" and the page loads).

I've changed the java http connecting code to look like this:

// notice the URL is now https
URL url = new URL("https://server.name/aResource/thing.html");
String status = conn.open(url);

When I run this, the status string comes back as
"sun.security.validator.ValidatorException: No trusted certificate
found". Is this because the web server certificate is not signed by
verisign or a similar authority, or just because it is poorly formed in
some way?
I was led to believe that paying money to get a cert. signed by verisign
et al wasn't strictly necessary....

thanks!
alex

 

[Alex Hunsley]

I've reworking some http resource accessing code to make it use an https
connection, rather than just http.

So, the people running the web server have generated a certificate (not
signed by verisign or anything similar), and I can access the https
resource in a browser (although obviously I get a certificate warning
first, I just hit "yes" and the page loads).

I've changed the java http connecting code to look like this:

// notice the URL is now https
URL url = new URL("https://server.name/aResource/thing.html");
String status = conn.open(url);

When I run this, the status string comes back as
"sun.security.validator.ValidatorException: No trusted certificate
found". Is this because the web server certificate is not signed by
verisign or a similar authority, or just because it is poorly formed in
some way?
I was led to believe that paying money to get a cert. signed by verisign
et al wasn't strictly necessary....

thanks!
alex

btw, am using j2se1.4.2_03.

alex

 

[Chris Smith]

When I run this, the status string comes back as
"sun.security.validator.ValidatorException: No trusted certificate
found". Is this because the web server certificate is not signed by
verisign or a similar authority, or just because it is poorly formed in
some way?
I was led to believe that paying money to get a cert. signed by verisign
et al wasn't strictly necessary....

It isn't strictly necessary. You just need to go to a few lengths to
accept the certificate (just as you did with the web browser, except the
few lengths are less obvious here). To do this, you need to get an
SSLContext that uses a custom TrustManager object, and build an
SSLSocketFactory from there. I've included below some code from
MindIQ's Design-a-Course application that does this -- with the actual
code of the TrustManager removed so that it accepts all certificates.
Depending on your needs, you may want to have the class examine the
certificate and decide whether to accept it or not.

Once you've got the SocketFactory, you need to arrange for your HTTPS
connection to use that factory. I'm not sure off-hand how this would
work, since we use Jakarta Commons HTTPClient at this point, so we
depart from the core API. You may find that to use a custom
SocketFactory for a URLConnection, you would need to reimplement the
URLStreamHandler, which would be a bit of a pain. At that point, I'd
end up recommending that you switch to the Jakarta Commons HttpClient
library yourself, before going on.

So here's that code:

try
{
X509TrustManager trustMgr = new X509TrustManager() {
public void checkClientTrusted(
X509Certificate[] arg0, String arg1)
throws CertificateException
{
}

public void checkServerTrusted(
X509Certificate[] arg0,String arg1)
throws CertificateException
{
}

public X509Certificate[] getAcceptedIssuers()
{
return new X509Certificate[0];
}
};

SSLContext context = SSLContext.getInstance("TLS");
context.init(null, new TrustManager[] { trustMgr }, null);

sockFactory = context.getSocketFactory();
}
catch (NoSuchAlgorithmException e)
{
...
}
catch (KeyManagementException e)
{
...
}


--
www.designacourse.com
The Easiest Way to Train Anyone... Anywhere.

Chris Smith - Lead Software Developer/Technical Trainer
MindIQ Corporation

 

[Thomas Schodt]

"sun.security.validator.ValidatorException: No trusted certificate
found". Is this because the web server certificate is not signed by
verisign or a similar authority, or just because it is poorly formed in
some way?

Not really my area but have a look at policytool.

 

[Alex Hunsley]

It isn't strictly necessary. You just need to go to a few lengths to
accept the certificate (just as you did with the web browser, except the
few lengths are less obvious here).

[sniperoon]

Thanks Chris, you life saver!
I'm looking at this right now....

alex

 

[Alex Hunsley]

Not really my area but have a look at policytool.

Ok, am duly hunting it down... thanks for that.
alex

 

[Alex Hunsley]

[snip]

Ok, got it to work (sort of).
I also had to provide a HostnameVerifier, in addition to what you
suggested, so FYI the code was

// this calls Chris' code (posted to newsgroup)
// to make the SocketFactory
SocketFactory sf = SecureSocketFactoryProducer
.getSecureSocketFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(sf);
HttpsURLConnection httpsURLConn
= (HttpsURLConnection) url.openConnection();

// my own HostnameVerifier object which verifies
// everything, for the moment
HostVerifier hv = new HostVerifier();
httpsURLConn.setHostnameVerifier(hv);


When I programatically then get data over this connection, it works on
average about 70 times, and then I get 500 internal server error.
Our server is quite busy, and the plain http code has a mechanism to
retry the http get if the get failed. So my theory is that the SSL
bridging in apache just gives up after failing to get a URL and throws a
500 internal error. Have no idea how to solve this atm but am looking!

thanks for your help
alex

 

[xulrmb]

Chris thank you very much~~~~ ^_^

dear Chris, you code solve my problem!

thank you very much!

8)