Subject: Error #6: Keystore is loaded but it's not bearing appropriate rights
Author: authen
In response to: Error #5: Keystore is loaded but it's not bearing the hostname
Posted on: 02/28/2008 01:22:17 PM

If your server's certificate does not have the right to run a service, it's up to your client applications to trust it or not.

For clients using the Sun JDK SSL library, for example, the certificate is going to be rejected and the following exception is expected on the client side:


javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS server authentication
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1522)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:180)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:861)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:111)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:509)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:447)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:822)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1034)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1061)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1045)
	at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:344)
	at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:208)
	at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)
	at sun.security.validator.EndEntityChecker.checkTLSServer(EndEntityChecker.java:252)
	at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:117)
	at sun.security.validator.Validator.validate(Validator.java:221)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:199)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:239)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)


On the server side, you will see something like this:

javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
	at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
	at java.io.BufferedInputStream.fill(Unknown Source)
	at java.io.BufferedInputStream.read(Unknown Source)



 

> On 02/26/2008 06:52:23 PM authen wrote:

If your server's certificate is bearing a subject, say 'CN=ServerB,DC=myCompany,DC=com', that is different from the hostname of the machine, say 'ServerA', on which your server is running, you might have trouble convincing your clients that the server is a genuine one. It's up to your clients to trust it or not.

For clients using the Sun JDK SSL library, for example, the hostname-unmatched certificate is acceptable.

For clients using the JNDI StartTLS library, for example, the hostname-unmatched certificate is NOT acceptable and the following exception is thrown on the client side:


javax.net.ssl.SSLPeerUnverifiedException: hostname of the server 'ServerA' does not match the hostname in the server's certificate.
	at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:437)
	at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:216)
	at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)
	at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:210)
	at sun.security.util.HostnameChecker.match(HostnameChecker.java:77)
	at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:416)
	... 3 more
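Both errors in this thread (#5, the subject name not matching the host, and #6, an Extended Key Usage that does not include serverAuth) can be caught on the server's own keystore before a single client has to reject the handshake. The program below is an added example written for this page; it is not code from the forum post or from the JDK. The class name, the command-line arguments and the keystore file name are this example's own assumptions. The EKU rule it applies is the one JSSE's EndEntityChecker uses: a certificate with no EKU extension is usable for any purpose, and the anyExtendedKeyUsage OID is accepted as well, so only an EKU list that carries neither serverAuth nor anyExtendedKeyUsage is refused for TLS server authentication. The hostname rule follows the order used by sun.security.util.HostnameChecker (dNSName subjectAltName entries first, CN only when the certificate has no dNSName entries); wildcard matching is deliberately left out to keep the check easy to read.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added example, not from the forum post: pre-flight checks that catch
 * Error #5 (hostname mismatch) and Error #6 (EKU does not permit serverAuth)
 * on the server's keystore before any client has to reject the handshake.
 *
 * Assumed invocation (class name, file name and arguments are this example's own):
 *   java KeystorePreflight server.jks changeit serverkey ServerA
 */
public class KeystorePreflight {

    // OIDs consulted by JSSE's EndEntityChecker for TLS server certificates
    static final String OID_EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth
    static final String OID_EKU_ANY_USAGE   = "2.5.29.37.0";       // anyExtendedKeyUsage

    /**
     * Error #6. A certificate without an EKU extension is usable for every
     * purpose; only an EKU list lacking both serverAuth and anyExtendedKeyUsage
     * is rejected for TLS server authentication.
     */
    static boolean permitsServerAuth(X509Certificate cert)
            throws CertificateParsingException {
        List<String> eku = cert.getExtendedKeyUsage(); // null when the extension is absent
        if (eku == null) {
            return true;
        }
        return eku.contains(OID_EKU_SERVER_AUTH) || eku.contains(OID_EKU_ANY_USAGE);
    }

    /**
     * Error #5. If the certificate carries any dNSName subjectAltName entries,
     * only those are compared; the subject CN is used only when there are none.
     * Comparison is exact and case-insensitive (no wildcard handling).
     */
    static boolean matchesHostname(X509Certificate cert, String hostname)
            throws Exception {
        boolean foundDns = false;
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                // GeneralName type 2 == dNSName (RFC 5280, section 4.2.1.6)
                if (Integer.valueOf(2).equals(san.get(0))) {
                    foundDns = true;
                    if (hostname.equalsIgnoreCase((String) san.get(1))) {
                        return true;
                    }
                }
            }
        }
        if (foundDns) {
            return false; // dNSName entries exist but none matched; CN is not consulted
        }
        // Fall back to the CN of the subject DN, e.g. CN=ServerB,DC=myCompany,DC=com
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return hostname.equalsIgnoreCase(String.valueOf(rdn.getValue()));
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java KeystorePreflight <keystore> <storepass> <alias> <hostname>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Certificate c = ks.getCertificate(args[2]);
        if (!(c instanceof X509Certificate)) {
            System.err.println("no X.509 certificate under alias " + args[2]);
            System.exit(2);
        }
        X509Certificate cert = (X509Certificate) c;
        int failures = 0;

        if (permitsServerAuth(cert)) {
            System.out.println("EKU permits TLS server authentication");
        } else {
            failures++;
            System.out.println("Error #6: EKU " + cert.getExtendedKeyUsage()
                    + " does not include serverAuth " + OID_EKU_SERVER_AUTH);
        }
        if (matchesHostname(cert, args[3])) {
            System.out.println("certificate names host " + args[3]);
        } else {
            failures++;
            System.out.println("Error #5: subject " + cert.getSubjectX500Principal()
                    + " / SANs " + cert.getSubjectAlternativeNames()
                    + " do not name host " + args[3]);
        }
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

A self-signed test keystore that passes both checks can be generated with the JDK 7 or later keytool, which accepts extension requests on the command line: keytool -genkeypair -keystore server.jks -alias serverkey -keyalg RSA -dname "CN=ServerA,DC=myCompany,DC=com" -ext eku=serverAuth -ext san=dns:ServerA (file name and alias as assumed above). Note also that since Java 7 a plain JSSE client can be made as strict as the JNDI StartTLS client about hostnames by calling SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") on the socket's parameters, so a hostname-unmatched certificate should not be relied on to keep working with every Java client.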