Solution - Verisign expired root CA and "No trusted certificate found" using JSSE

[Neill]

Not sure where to start with this one, my frustration over not being able to
find ANY documentation regarding a relatively common problem, the process I
followed to find the solution, or just post the solution. Either way, it's
aggravating to the extreme to bump up against the divide between the
programming elite, and ordinary programmers like myself, only to find the
barrier to the information to be nothing less than kindergarten antics,
corporate indifference, or just plain laziness on the part of those who have
gone before, not to blaze the trail.

Problem - when attempting to establish a client SSLSocket connection to a
server, "javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate found" is
thrown.

The solution was a bit elusive. Posts to newsgroups and other forums dealt
with accepting self-signed certificates and involved using the keytool to
import the server public key, but I was only trying to establish a
connection to a server. The cacerts file existed in the /jre/lib/security
directory, and I tried setting a number of System properties with no results
until using System.setProperty ("javax.net.debug", "all"); which lead me to
believe the problem may be in the cacerts file. The keytool threw an
exception using -printcerts, so I was able to use iKeyman in the WebSphere
distribution to view the certificates in the file. I was able to determine
the Verisign root CA was expired, and stumbled on to the new root CA on the
Verisign site at https://getca.verisign.com/update.html. Click on accept,
save the .cer file, and import it into "cacerts" using keytool. I used
iKeyman and deleted the expired certificates. This solved the immediate
problem, and I am able to get back on track working on the shopping cart
application I've been working on off and on.

Of course, if you're not a masochist, you can simply d/l the latest JDK from
Sun, which addresses the issue since JDK 1.4.2_03 (I'm using 1.4.2-b28, note
to self: d/l latest version.) as described in the support document on Sun's
website at http://www.java.com/en/download/help/cacerts.xml.

It's surprising to me that the support doc isn't better catalogued so that
someone may actually find it. I suppose I could be thankful, because it
allowed me the opportunity to learn something on my own. I think that's a
red herring, however, because there are a handful of posts out there,
including mine, which went by unnoticed by the elite or lazy, too busy
chasing their own herring to respond, I suppose.

TODO: add rate this article feature to blog site

Posted online at
http://www.laneyconsulting.com/web/blog.nsf/plinks/NLAY-6ER9CF

 

[Steve Sobol]

Not sure where to start with this one, my frustration over not being able to
find ANY documentation regarding a relatively common problem, the process I
followed to find the solution, or just post the solution.

Neill,

As an alternative solution, I have a class which loads a keystore from a
URL. I used it for a program that speaks XMLRPC to an SSL website that has a
not-widely-recognized SSL certificate, which otherwise would cause JSSE to
refuse to connect to the site. If you want me to, or if anyone else is
interested, I'll post the code on my blog. It's pretty simple.

 

[Neill]

Neill,

As an alternative solution, I have a class which loads a keystore from a
URL. I used it for a program that speaks XMLRPC to an SSL website that has a
not-widely-recognized SSL certificate, which otherwise would cause JSSE to
refuse to connect to the site. If you want me to, or if anyone else is
interested, I'll post the code on my blog. It's pretty simple.

Thanks for the response. For posterity, here's my code to establish an SSL
connection. If you want to reply with your keystore class for completeness,
please do.

BTW, the following is standard stuff, and can be found in any number of
posts by others -

SSLSocket sslSocket = null;
String hostName = "www.myhost.com";
try {
/*
* Before any application data is sent or received, the
* SSL socket will do SSL handshaking first to set up
* the security attributes.
*
* SSL handshaking can be initiated by either flushing data
* down the pipe, or by starting the handshaking by hand.
*
* Handshaking is started manually in this example because
* PrintWriter catches all IOExceptions (including
* SSLExceptions), sets an internal error flag, and then
* returns without rethrowing the exception.
*
* Unfortunately, this means any error messages are lost,
* which caused lots of confusion for others using this
* code. The only way to tell there was an error is to call
* PrintWriter.checkError().
*/
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
SSLSocketFactory sslFactory = (SSLSocketFactory)
SSLSocketFactory.getDefault();
sslSocket = (SSLSocket) sslFactory.createSocket(hostName, 443);
System.out.print(hostName + ": starting handshake ... ");
sslSocket.startHandshake();
System.out.println("completed");
//do something here
} catch (Exception e) {
System.out.println(e.getMessage());
} finally {
if (sslSocket != null)
sslSocket.close();
}

Once the socket connection has been established, a request/response can be
posted/read, then close the socket -

PrintWriter out =
new PrintWriter(
new BufferedWriter(
new OutputStreamWriter(sslSocket.getOutputStream())));
/*
* write to out
*/
outToStream("some string");
out.flush();
/*
* Make sure there were no surprises
*/
if (out.checkError())
System.out.println(
"SSLSocketClient: java.io.PrintWriter error");

/* read response */
BufferedReader in =
new BufferedReader(
new InputStreamReader(sslSocket.getInputStream()));

StringBuffer buffer = new StringBuffer("");
String inputLine;
while ((inputLine = in.readLine()) != null) {
buffer.append(inputLine);
}
in.close();
out.close();