ForumEasy.com JavaPro forum
SSL/TLS Error Database -- To Trust/Validate An Incoming Connection

authen
posted on: 02/28/2008 06:32:10 PM
What's truststore?
A truststore is a keystore which is used when making decisions about what to trust. If you receive some data from an entity that you already trust, and if you can verify that the entity is the one it claims to be, then you can assume that the data really came from that entity.

An entry should only be added to a truststore if the user makes a decision to trust that entity. By either generating a keypair or by importing a certificate, the user has given trust to that entry, and thus any entry in the keystore is considered a trusted entry.

The default truststore is "$JAVA_HOME/lib/security/java.security/cacerts" with keystore password of "changeit". You can change the default settings by:

  System.setProperty("javax.net.ssl.trustStore", "path_to_your_truststore");


What's CRL?
CRL stands for certificate revocation list, where revoked certificates are itemized. A CRL can be a static local file which can be pre-downloaded from the CA, or a dynamic repository pointed to by the CRLDP (CRL Distribution Point) of the CA's certificate.


Steps to trust/validate an incoming connection
Whenever there is an incoming connection requesting SSL/TLS communication with its certificate, your application has to decide whether to trust it or not before building a secure channel for SSL/TLS encrypted communication. The process of making that decision is commonly referred to as "handshaking". In order to validate a certificate, the following steps are usually involved:
  • Step 1) Certificate cipher checking
  • Step 2) Certificate constraints (e.g. maxPathLength, naming) checking
  • Step 3) Certificate policies checking
  • Step 4) Certificate basic (e.g. before/after, subject/issuer name chaining, signature) checking
  • Step 5) [Optional] Certificate revocation (e.g. static CRL files and dynamic CRLDPs) checking
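The five steps above are the checkers the JDK's PKIX CertPathValidator runs in order (the certpath trace under Error #4 further down names them: KeyChecker, ConstraintsChecker, PolicyChecker, BasicChecker, plus the revocation checker). The following program is an added example, not code from authen's post: it validates a peer chain read from a PEM file against the truststore named by javax.net.ssl.trustStore (falling back to the JDK's cacerts file under java.home/lib/security), runs step 5 only when static CRL files are supplied, and maps a rejection back to the step that caused it. The file arguments and the reason-to-step mapping are this example's own assumptions; the PKIXRevocationChecker API needs Java 8 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

/** Validates a peer's certificate chain with the same PKIX machinery JSSE's trust manager uses. */
public class IncomingCertValidator {

    /** Loads the truststore named by javax.net.ssl.trustStore, falling back to the JDK's cacerts. */
    static KeyStore loadTrustStore() throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        char[] pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    /** Reads the PEM/DER certificates of a file; for a chain the leaf comes first. */
    static List<X509Certificate> readCerts(String file) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(file)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    /**
     * Steps 1-4 (key usage, constraints, policies, validity/name chaining/signature) always run;
     * step 5 (revocation via static CRL files and CRLDP fetching) only when checkRevocation is set.
     */
    static PKIXCertPathValidatorResult validate(List<X509Certificate> chain, KeyStore trustStore,
            List<X509CRL> staticCrls, boolean checkRevocation) throws Exception {
        // A trust anchor is never part of the path itself, so drop any cert we already trust.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (trustStore.getCertificateAlias(c) == null) path.add(c);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore);   // trusted entries become anchors
        params.setRevocationEnabled(checkRevocation);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        if (checkRevocation) {
            // Static CRL files are offered through a CertStore ...
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(staticCrls)));
            // ... and fetching from each certificate's CRL Distribution Point is switched on here.
            Security.setProperty("com.sun.security.enableCRLDP", "true");
            PKIXRevocationChecker rc = (PKIXRevocationChecker) validator.getRevocationChecker();
            rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
            params.addCertPathChecker(rc);
        }
        return (PKIXCertPathValidatorResult) validator.validate(certPath, params);
    }

    /** Maps a rejection back to the validation step that produced it (mapping is this example's). */
    static String explain(CertPathValidatorException e) {
        CertPathValidatorException.Reason r = e.getReason();
        String where = e.getIndex() >= 0 ? " (cert index " + e.getIndex() + ")" : "";
        if (r == PKIXReason.INVALID_KEY_USAGE) return "step 1, key usage" + where;
        if (r == PKIXReason.PATH_TOO_LONG || r == PKIXReason.INVALID_NAME
                || r == PKIXReason.NOT_CA_CERT) return "step 2, constraints" + where;
        if (r == PKIXReason.INVALID_POLICY) return "step 3, policies" + where;
        if (r == BasicReason.EXPIRED || r == BasicReason.NOT_YET_VALID
                || r == PKIXReason.NAME_CHAINING || r == BasicReason.INVALID_SIGNATURE) {
            return "step 4, basic checks" + where;
        }
        if (r == BasicReason.REVOKED || r == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
            return "step 5, revocation" + where;
        }
        if (r == PKIXReason.NO_TRUST_ANCHOR) return "no trust anchor for the chain's issuer";
        return "reason " + r + where;
    }

    public static void main(String[] args) throws Exception {
        // Usage: IncomingCertValidator <peer-chain.pem> [crl-file ...]
        // Step 5 runs only when at least one static CRL file is given (it is optional above).
        List<X509CRL> crls = new ArrayList<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (int i = 1; i < args.length; i++) {
            try (InputStream in = new FileInputStream(args[i])) { crls.add((X509CRL) cf.generateCRL(in)); }
        }
        try {
            PKIXCertPathValidatorResult res =
                    validate(readCerts(args[0]), loadTrustStore(), crls, !crls.isEmpty());
            System.out.println("TRUSTED via anchor "
                    + res.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("REJECTED at " + explain(e) + ": " + e.getMessage());
        }
    }
}
```

The reason codes come from CertPathValidatorException.getReason(), which the JDK fills in for exactly the failures listed in the errors below (an expired certificate yields BasicReason.EXPIRED, a bad signature BasicReason.INVALID_SIGNATURE, a missing issuer PKIXReason.NO_TRUST_ANCHOR), so the same mapping can be used when handling the exception raised inside a custom X509TrustManager.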


authen
posted on: 02/28/2008 06:35:04 PM
Error #1: The incoming connection (client) failed to provide a certificate
    If your application requires mutual authentication and the client failed to provide any certificate, you would most likely see something like this:
    
    javax.net.ssl.SSLHandshakeException: null cert chain
    	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
    	at java.io.BufferedInputStream.fill(Unknown Source)
    	at java.io.BufferedInputStream.read(Unknown Source)
    

authen
posted on: 02/28/2008 06:37:36 PM
    Error #2: No trusted CA certs found for the incoming connection

If the incoming connection provides a certificate but there is no certificate in your truststore to directly or indirectly identify the issuer, you would most likely see something like this:
    
    javax.net.ssl.SSLHandshakeException: null cert chain
    	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
    	at java.io.BufferedInputStream.fill(Unknown Source)
    	at java.io.BufferedInputStream.read(Unknown Source)
    


authen
posted on: 03/20/2009 02:15:01 PM
Error #3: CertificateExpiredException -- Client provides a certificate which is EXPIRED
    
    javax.net.ssl.SSLHandshakeException:  General SSLEngine problem 
    	at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)
    	at javax.net.ssl.SSLEngine.wrap(Unknown Source)
    Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
    	at java.security.AccessController.doPrivileged(Native Method)
    	at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
    	... 6 more
    Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: 
    java.security.cert.CertPathValidatorException: timestamp check failed
    	at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
    	at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
    	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    	at sun.security.validator.Validator.validate(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(Unknown Source)
    	... 14 more
    Caused by: java.security.cert.CertPathValidatorException:  timestamp check failed
    	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
    	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
    	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
    	at java.security.cert.CertPathValidator.validate(Unknown Source)
    	... 21 more
    Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri Mar 20 09:32:16 PST 2009 
    	at sun.security.x509.CertificateValidity.valid(Unknown Source)
    	at sun.security.x509.X509CertImpl.checkValidity(Unknown Source)
    	at sun.security.provider.certpath.BasicChecker.verifyTimestamp(Unknown Source)
    	at sun.security.provider.certpath.BasicChecker.check(Unknown Source)
    	... 25 more
    
    


authen
posted on: 12/02/2009 05:50:41 PM
Error #4: SignatureException: Signature does not match
On the client side, the JNDI application requests an SSL connection with ClientHello and then gets the connected server's certificate within ServerHello. If the client's truststore is obsolete (not expired, just an old version, for example), the signature check may prevent the client from connecting to the newly updated server. The errors (on the client side) may look like this:

    java.security.SignatureException: Signature does not match.
    at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:446)
    at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:133)
    at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:112)
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117)
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:316)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:246)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:234)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:158)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:199)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:239)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:111)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:509)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:447)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:822)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1034)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:626)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:393)
    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)


    The PKIX validation process is:


    certpath: PKIXCertPathValidator.engineValidate()...
    certpath: PKIXCertPathValidator.engineValidate() reversing certpath...
    certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
    certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
    certpath: NO - don't try this trustedCert
    certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
    certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
    certpath: YES - try this trustedCert
    certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=myAD,DC=myCompany, DC=com
    certpath: --------------------------------------------------------------
    certpath: Executing PKIX certification path validation algorithm.
    certpath: Checking cert1 ...
    certpath: -Using checker1 ... [sun.security.provider.certpath.KeyChecker]
    certpath: -checker1 validation succeeded
    certpath: -Using checker2 ... [sun.security.provider.certpath.ConstraintsChecker]
    certpath: ---checking basic constraints...
    certpath: i = 1
    certpath: maxPathLength = 1
    certpath: after processing, maxPathLength = 1
    certpath: basic constraints verified.
    certpath: ---checking name constraints...
    certpath: prevNC = null
    certpath: newNC = null
    certpath: mergedNC = null
    certpath: name constraints verified.
    certpath: -checker2 validation succeeded
    certpath: -Using checker3 ... [sun.security.provider.certpath.PolicyChecker]
    certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
    certpath: PolicyChecker.checkPolicy() certIndex = 1
    certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
    certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
    certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
    certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT

    certpath: PolicyChecker.processPolicies() no policies present in cert
    certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
    certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
    certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
    certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
    certpath: PolicyChecker.checkPolicy() certificate policies verified
    certpath: -checker3 validation succeeded
    certpath: -Using checker4 ... [sun.security.provider.certpath.BasicChecker]
    certpath: ---checking timestamp:Wed Dec 25 12:39:16 PST 2008...
    certpath: timestamp verified.
    certpath: ---checking subject/issuer name chaining...
    certpath: subject/issuer name chaining verified.
    certpath: ---checking signature...
    certpath: Signature does not match.


authen
posted on: 01/29/2010 02:55:43 PM
Error #5: SSLServerSocket.setWantClientAuth(boolean want) may drop the connection
    void javax.net.ssl.SSLServerSocket.setWantClientAuth(boolean want)
    
    public abstract void setWantClientAuth(boolean want)
    
    Controls whether accepted server-mode SSLSockets will be initially configured 
    to request client authentication. 
    
    A socket's client authentication setting is one of the following: 
    
  • client authentication required
  • client authentication requested
  • no client authentication desired

    Unlike setNeedClientAuth(boolean), if the accepted socket's option is set and the client chooses not to provide authentication information about itself, the negotiations will continue. Calling this method overrides any previous setting made by this method or setNeedClientAuth(boolean). The initial inherited setting may be overridden by calling SSLSocket.setNeedClientAuth(boolean) or SSLSocket.setWantClientAuth(boolean).

    Parameters: want - set to true if client authentication is requested, or false if no client authentication is desired.

    See Also: getWantClientAuth(), setNeedClientAuth(boolean), getNeedClientAuth(), setUseClientMode(boolean)

    But if the accepted socket's option is set, some clients, like Microsoft's LDP.exe, DID choose to provide authentication information about themselves even when the client certificate was expired. If the certificate is good, the negotiations will continue; but if the certificate is not good, the negotiations will drop.



Here is the error message received on the client (LDP.exe) side:
    
    ld = ldap_sslinit("myLDAPServer", 636, 1);
    Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
    Error <0x51> = ldap_connect(hLdap, NULL);
    Server error: <empty>
    Error <0x51>: Fail to connect to myLDAPServer.
    





Here is the error message received on the server side:
    
    javax.net.ssl.SSLHandshakeException:  General SSLEngine problem 
    	at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)
    	at javax.net.ssl.SSLEngine.wrap(Unknown Source)
    Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
    	at java.security.AccessController.doPrivileged(Native Method)
    	at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
    	... 6 more
    Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: 
    java.security.cert.CertPathValidatorException: timestamp check failed
    	at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
    	at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
    	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    	at sun.security.validator.Validator.validate(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(Unknown Source)
    	... 14 more
    Caused by: java.security.cert.CertPathValidatorException:  timestamp check failed
    	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
    	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
    	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
    	at java.security.cert.CertPathValidator.validate(Unknown Source)
    	... 21 more
    Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri Mar 20 09:32:16 PST 2009 
    	at sun.security.x509.CertificateValidity.valid(Unknown Source)
    	at sun.security.x509.X509CertImpl.checkValidity(Unknown Source)
    	at sun.security.provider.certpath.BasicChecker.verifyTimestamp(Unknown Source)
    	at sun.security.provider.certpath.BasicChecker.check(Unknown Source)
    	... 25 more
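Error #1 (client authentication required, no certificate sent) and Error #5 (client authentication merely requested, but the certificate sent fails validation) are both decided by how the server socket is configured, and both surface on the server as an SSLHandshakeException from the accepted socket. The TLS echo server below is an added example, not code from authen's posts: it takes the mode on the command line, forces the handshake at accept time so the rejection is caught per connection instead of taking the acceptor down, and shows how a "want" server tells an unauthenticated client from an authenticated one. It assumes the server key is supplied through the standard javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword system properties; the port and mode arguments are this example's own convention.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

/**
 * TLS echo server with the client-authentication mode chosen on the command line.
 * need: no client certificate -> handshake fails with "null cert chain" (Error #1).
 * want: no client certificate is fine, but a certificate that fails validation is still fatal (Error #5).
 * none: client certificates are never requested.
 */
public class ClientAuthModes {

    /** Applies the chosen mode; sockets returned by accept() inherit it from the server socket. */
    static void configure(SSLServerSocket server, String mode) {
        switch (mode) {
            case "need": server.setNeedClientAuth(true); break;
            case "want": server.setWantClientAuth(true); break;
            case "none": server.setNeedClientAuth(false); server.setWantClientAuth(false); break;
            default: throw new IllegalArgumentException("mode must be need, want or none");
        }
    }

    /** Subject DN of the authenticated client, or null when it sent no certificate (want mode). */
    static String clientSubject(SSLSocket socket) {
        try {
            Certificate[] chain = socket.getSession().getPeerCertificates();
            return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
        } catch (SSLPeerUnverifiedException e) {
            return null;   // the client declined to authenticate and the server allowed it
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: ClientAuthModes <port> [need|want|none]; server key from javax.net.ssl.keyStore
        int port = Integer.parseInt(args[0]);
        String mode = args.length > 1 ? args[1] : "want";
        SSLServerSocket server =
                (SSLServerSocket) SSLServerSocketFactory.getDefault().createServerSocket(port);
        configure(server, mode);
        System.out.println("listening on " + port + ", client auth: " + mode);
        while (true) {
            try (SSLSocket socket = (SSLSocket) server.accept()) {
                // Force the handshake now so a rejected client surfaces here, not on the first read.
                socket.startHandshake();
                String who = clientSubject(socket);
                System.out.println("accepted " + socket.getInetAddress()
                        + ", client cert: " + (who == null ? "none" : who));
                BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
                PrintWriter out = new PrintWriter(socket.getOutputStream(), true);
                String line = in.readLine();
                if (line != null) out.println(line);
            } catch (SSLHandshakeException e) {
                // One rejected client must not stop the acceptor: log the cause and keep serving.
                System.err.println("handshake rejected: " + e.getMessage());
            }
        }
    }
}
```

Run it in "need" mode and connect without a client certificate to reproduce the "null cert chain" trace of Error #1; run it in "want" mode and connect with an expired client certificate to reproduce the "timestamp check failed" chain shown above, while a client that sends nothing is accepted and logged with "client cert: none".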
    




X509
posted on: 02/09/2010 07:59:12 PM
Error #6: The server failed to provide its certificate to the client
If the server fails to provide its certificate in the first place, the SSL negotiation is doomed to fail.

    On the server side, you would most likely see something like this:
      
    javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
    	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
    	at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
    


    On the client side, you would most likely see something like this:
      
    javax.net.ssl.SSLHandshakeException: 
    sun.security.validator.ValidatorException: PKIX path building failed: 
    sun.security.provider.certpath.SunCertPathBuilderException: 
      unable to find valid certification path to requested target
    	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
    	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
    	at sun.security.validator.Validator.validate(Validator.java:218)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:199)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:239)
    	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)
    	... 12 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: 
    	unable to find valid certification path to requested target
    	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
    	... 17 more
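From the handshake exception alone, the client-side failure of Error #6 (no trusted certificate named like the issuer at all) and the failure of Error #4 (a trusted certificate with the issuer's name but a different key) are hard to tell apart. The PKIX trace posted under Error #4 shows how the JDK decides: it first selects candidate anchors by subject DN ("isWorthTrying"), and only then checks the signature. The diagnostic below is an added example, not code from either post: it repeats those two steps for each certificate of a captured server chain against a truststore, and also reports a certificate outside its validity period (the Error #3 case). The chain file can be produced beforehand with keytool -printcert -rfc -sslserver host:port; the argument order and the verdict strings are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/**
 * Tells apart three rejections of a server chain: no trusted cert named like the issuer (Error #6),
 * a trusted cert with the issuer's name but a different key (Error #4), and a certificate outside
 * its validity period (Error #3). Like the PKIX trace, anchors are selected by subject DN first.
 */
public class TrustAnchorDiagnostic {

    /** Collects every trusted certificate entry whose subject equals the given name. */
    static List<X509Certificate> anchorsNamed(KeyStore ts, X500Principal name)
            throws GeneralSecurityException {
        List<X509Certificate> out = new ArrayList<>();
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ts.isCertificateEntry(alias)) continue;
            X509Certificate c = (X509Certificate) ts.getCertificate(alias);
            if (c.getSubjectX500Principal().equals(name)) out.add(c);
        }
        return out;
    }

    /** Verdict for one certificate whose issuer name exists in the truststore. */
    static String diagnose(X509Certificate cert, KeyStore ts) throws GeneralSecurityException {
        String subject = cert.getSubjectX500Principal().getName();
        String issuer = cert.getIssuerX500Principal().getName();
        List<X509Certificate> candidates = anchorsNamed(ts, cert.getIssuerX500Principal());
        if (candidates.isEmpty()) {
            return "NO ANCHOR named " + issuer + " for " + subject + " (import the issuer's CA cert)";
        }
        for (X509Certificate anchor : candidates) {
            try {
                cert.verify(anchor.getPublicKey());
                return "OK: " + subject + " signed by trusted " + issuer;
            } catch (GeneralSecurityException notThisOne) {
                // right name, wrong key: try the next anchor carrying that name
            }
        }
        return "STALE ANCHOR: " + candidates.size() + " trusted cert(s) named " + issuer
                + ", none of them signed " + subject + " (re-import the CA's current certificate)";
    }

    public static void main(String[] args) throws Exception {
        // Usage: TrustAnchorDiagnostic <server-chain.pem> <truststore> <password>
        // Capture the chain beforehand with: keytool -printcert -rfc -sslserver host:port
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) { ts.load(in, args[2].toCharArray()); }
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        // Walk leaf first. A cert whose issuer name is in the truststore is judged against those
        // anchors; otherwise it must chain to the next cert the server presented.
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            String subject = cert.getSubjectX500Principal().getName();
            try {
                cert.checkValidity();
            } catch (CertificateException e) {
                System.out.println("EXPIRED/NOT YET VALID: " + subject + " (" + e.getMessage() + ")");
                break;
            }
            X509Certificate next = i + 1 < chain.size() ? chain.get(i + 1) : null;
            boolean issuerTrusted = !anchorsNamed(ts, cert.getIssuerX500Principal()).isEmpty();
            if (!issuerTrusted && next != null
                    && next.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                cert.verify(next.getPublicKey());   // throws if the presented chain itself is broken
                System.out.println("chained: " + subject + " -> next certificate in the presented chain");
                continue;
            }
            String verdict = diagnose(cert, ts);
            System.out.println(verdict);
            if (!verdict.startsWith("OK")) break;
        }
    }
}
```

A "STALE ANCHOR" verdict is the situation of Error #4: the truststore still holds the previous certificate of a CA (or of a directly trusted server) under the same DN, so name selection succeeds and the signature check fails; replacing that entry with the CA's current certificate is the fix. A "NO ANCHOR" verdict is the client side of Error #6, where nothing in the truststore identifies the issuer at all.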
    
    

