Certificate contains unsupported critical extensions
843811 Sep 26 2006 — edited Oct 10 2006
Hi,
I have a Java client talking to Active Directory and SunOne directory servers.
During the SSL handshake with a directory server, when there is no trusted cert for a domain, the Java client reads the cert using the code below and stores it locally for the next SSL handshake. It has worked fine so far except in one use case: the local truststore has a cert for the SunOne domain, and while trying to download the cert for Active Directory (2003) it throws java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17].
Does anyone have any idea? The SSL log is attached in the hope that it helps you understand the problem I am facing.
*******start of code************
import java.security.cert.Certificate;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// sc is the SSLContext initialised earlier (its trust manager validates the server chain)
// Create the client socket
SSLSocketFactory factory = sc.getSocketFactory();
SSLSocket socket = (SSLSocket) factory.createSocket(hostname, port);
try {
    // Connect to the server; startHandshake() runs the full handshake,
    // so the trust manager has already accepted the chain when it returns
    socket.startHandshake();
    // Retrieve the server's certificate chain (leaf certificate first)
    Certificate[] serverCerts = socket.getSession().getPeerCertificates();
} finally {
    // Close the socket whether or not the handshake succeeded
    socket.close();
}
**********end of code*****************
*******start of ssl log*************
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1159239929 bytes = { 122, 126, 26, 117, 92, 175, 14, 179, 16, 90, 157, 205, 247, 203, 21, 150, 73, 209, 254, 162, 253, 9, 46, 106, 50, 27, 243, 157 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
http8080-Processor23, WRITE: TLSv1 Handshake, length = 73
http8080-Processor23, WRITE: SSLv2 client hello message, length = 98
http8080-Processor23, READ: TLSv1 Handshake, length = 4683
*** ServerHello, TLSv1
RandomCookie: GMT: 1159240018 bytes = { 91, 122, 42, 201, 86, 128, 38, 183, 178, 9, 246, 8, 226, 181, 143, 154, 240, 240, 107, 190, 128, 152, 197, 36, 192, 252, 19, 66 }
Session ID: {122, 31, 0, 0, 219, 171, 252, 70, 129, 81, 97, 77, 51, 238, 3, 134, 211, 198, 14, 195, 67, 129, 197, 28, 132, 178, 169, 67, 197, 78, 160, 35}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
Version: V3
Subject:
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
c84bb78e 9b42d168 c9e889bc 1301d3db 36db1590 37078b37 1c8519dc 32ea4226
a77a6611 2734c101 14f2ced8 a2cc615a 0056905c e0c91c4f c0dcb1de 81863389
da393198 f49957f7 2d4bc5d4 7a8daca8 ffaafe38 88669c82 a07cd9d8 398e9865
7b5eed6f 0ef8a3b2 c64e79db 2282cb95 6f779ced 81b0a960 2ff96c84 c0150b83
Validity: [From: Tue Jul 05 14:00:14 EDT 2005,
To: Thu Jul 05 14:10:14 EDT 2007]
Issuer: CN=TeakRootCA, DC=teak, DC=eng
SerialNumber: [ 115061b5 00000000 000b]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 28 30 26 30 0A 06 08 2B 06 01 05 05 07 03 02 .(0&0...+.......
0010: 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0C 06 0A 0...+.......0...
0020: 2B 06 01 04 01 82 37 14 02 02 +.....7...
[2]: ObjectId: 2.5.29.17 Criticality=true
SubjectAlternativeName [
[DNSName: mountain.teak.eng]]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A2 31 E9 24 21 A8 BC 4C 7E DE 42 17 0A A6 F8 50 .1.$!..L..B....P
0010: 3E 0F B1 76 >..v
]
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: DE 46 72 03 14 59 88 6B 6A 50 AF 8D 36 DF 7E 8F .Fr..Y.kjP..6...
0010: BE EC B2 B0 ....
]
]
[5]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 81 FE 30 81 FB 30 81 A6 06 08 2B 06 01 05 05 ...0..0....+....
0010: 07 30 02 86 81 99 6C 64 61 70 3A 2F 2F 2F 43 4E .0....ldap:///CN
0020: 3D 54 65 61 6B 52 6F 6F 74 43 41 2C 43 4E 3D 41 =TeakRootCA,CN=A
0030: 49 41 2C 43 4E 3D 50 75 62 6C 69 63 25 32 30 4B IA,CN=Public%20K
0040: 65 79 25 32 30 53 65 72 76 69 63 65 73 2C 43 4E ey%20Services,CN
0050: 3D 53 65 72 76 69 63 65 73 2C 43 4E 3D 43 6F 6E =Services,CN=Con
0060: 66 69 67 75 72 61 74 69 6F 6E 2C 44 43 3D 74 65 figuration,DC=te
0070: 61 6B 2C 44 43 3D 65 6E 67 3F 63 41 43 65 72 74 ak,DC=eng?cACert
0080: 69 66 69 63 61 74 65 3F 62 61 73 65 3F 6F 62 6A ificate?base?obj
0090: 65 63 74 43 6C 61 73 73 3D 63 65 72 74 69 66 69 ectClass=certifi
00A0: 63 61 74 69 6F 6E 41 75 74 68 6F 72 69 74 79 30 cationAuthority0
00B0: 50 06 08 2B 06 01 05 05 07 30 02 86 44 68 74 74 P..+.....0..Dhtt
00C0: 70 3A 2F 2F 6D 6F 75 6E 74 61 69 6E 2E 74 65 61 p://mountain.tea
00D0: 6B 2E 65 6E 67 2F 43 65 72 74 45 6E 72 6F 6C 6C k.eng/CertEnroll
00E0: 2F 6D 6F 75 6E 74 61 69 6E 2E 74 65 61 6B 2E 65 /mountain.teak.e
00F0: 6E 67 5F 54 65 61 6B 52 6F 6F 74 43 41 2E 63 72 ng_TeakRootCA.cr
0100: 74 t
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
[1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1, 1.3.6.1.4.1.311.20.2.2]]
[7]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: ldap:///CN=TeakRootCA,CN=mountain,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=teak,DC=eng?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://mountain.teak.eng/CertEnroll/TeakRootCA.crl]
]]
[8]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
[9]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 2B 30 29 06 21 2B 06 01 04 01 82 37 15 08 84 .+0).!+.....7...
0010: 9B D5 29 87 9F A9 39 83 D5 8B 04 85 98 9D 3E 83 ..)...9.......>.
0020: CC DD 12 81 3E 01 1C 02 01 6E 02 01 01 ....>....n...
]
Algorithm: [SHA1withRSA]
Signature:
0000: 56 0A 7A E6 CF B2 E1 26 19 56 97 D8 9A CE DF 91 V.z....&.V......
0010: A2 8C 9B 1F 5F DB DB 8C 2B 53 AF 30 B3 E3 67 58 ...._...+S.0..gX
0020: 28 3F 79 D4 E9 CD F8 36 94 D2 72 1A 4F FE 29 E1 (?y....6..r.O.).
0030: 65 B8 97 F6 50 22 1D DD D9 36 C3 07 EB 38 FC 7F e...P"...6...8..
0040: 25 D6 64 F1 A9 9A F9 7D 2C 6A 55 A4 11 52 2B 1A %.d.....,jU..R+.
0050: BC 42 04 77 34 52 BD 12 EC 26 F2 7F AA 25 E6 18 .B.w4R...&...%..
0060: 36 13 31 E4 F1 F3 48 88 98 E8 AE 34 AB D2 27 CF 6.1...H....4..'.
0070: 00 FD FA 39 D6 85 AE 85 26 F9 11 8A AB A2 16 BB ...9....&.......
0080: 7A F9 E3 83 35 E8 7E D7 27 8D 77 20 EC C7 57 51 z...5...'.w ..WQ
0090: F1 4B AA 66 4B 8D 4D 5F 37 EE F2 ED 52 71 5E 29 .K.fK.M_7...Rq^)
00A0: EF 9D E2 1F 7E 67 2F 05 0F FE EE 23 AC 5A 5C 49 .....g/....#.Z\I
00B0: 3B DE B3 ED 58 6E 29 D2 C1 F0 43 35 10 04 86 3A ;...Xn)...C5...:
00C0: 72 05 AA 60 D1 72 33 9E 60 17 72 0E BF 56 F4 80 r..`.r3.`.r..V..
00D0: 4D 4B 1A 72 A1 C2 EF 0F 22 9E 0B 54 94 E2 B4 14 MK.r...."..T....
00E0: 6A C7 FC 78 C6 34 DC 5D 87 B6 5D 6E 65 C0 AF 88 j..x.4.]..]ne...
00F0: AD 4E FF 87 A0 58 E5 CF EB 95 63 8C E3 31 AC 31 .N...X....c..1.1
]
***
http8080-Processor23, SEND TLSv1 ALERT: fatal, description = certificate_unknown
http8080-Processor23, WRITE: TLSv1 Alert, length = 2
http8080-Processor23, called closeSocket()
http8080-Processor23, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1159239929 bytes = { 67, 120, 60, 26, 138, 189, 179, 207, 211, 140, 175, 81, 93, 103, 239, 224, 27, 242, 230, 30, 153, 169, 223, 186, 180, 132, 121, 153 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
http8080-Processor23, WRITE: TLSv1 Handshake, length = 73
http8080-Processor23, WRITE: SSLv2 client hello message, length = 98
http8080-Processor23, READ: TLSv1 Handshake, length = 4683
*** ServerHello, TLSv1
RandomCookie: GMT: 1159240018 bytes = { 174, 227, 68, 111, 147, 74, 23, 145, 16, 135, 129, 19, 196, 50, 38, 91, 30, 196, 73, 6, 223, 41, 254, 91, 147, 164, 245, 224 }
Session ID: {143, 5, 0, 0, 136, 218, 100, 129, 162, 241, 9, 237, 84, 103, 211, 163, 64, 248, 235, 253, 222, 214, 65, 49, 20, 1, 1, 138, 30, 86, 30, 116}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
Version: V3
Subject:
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
c84bb78e 9b42d168 c9e889bc 1301d3db 36db1590 37078b37 1c8519dc 32ea4226
a77a6611 2734c101 14f2ced8 a2cc615a 0056905c e0c91c4f c0dcb1de 81863389
da393198 f49957f7 2d4bc5d4 7a8daca8 ffaafe38 88669c82 a07cd9d8 398e9865
7b5eed6f 0ef8a3b2 c64e79db 2282cb95 6f779ced 81b0a960 2ff96c84 c0150b83
Validity: [From: Tue Jul 05 14:00:14 EDT 2005,
To: Thu Jul 05 14:10:14 EDT 2007]
Issuer: CN=TeakRootCA, DC=teak, DC=eng
SerialNumber: [ 115061b5 00000000 000b]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 28 30 26 30 0A 06 08 2B 06 01 05 05 07 03 02 .(0&0...+.......
0010: 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0C 06 0A 0...+.......0...
0020: 2B 06 01 04 01 82 37 14 02 02 +.....7...
[2]: ObjectId: 2.5.29.17 Criticality=true
SubjectAlternativeName [
[DNSName: mountain.teak.eng]]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A2 31 E9 24 21 A8 BC 4C 7E DE 42 17 0A A6 F8 50 .1.$!..L..B....P
0010: 3E 0F B1 76 >..v
]
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: DE 46 72 03 14 59 88 6B 6A 50 AF 8D 36 DF 7E 8F .Fr..Y.kjP..6...
0010: BE EC B2 B0 ....
]
]
[5]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 81 FE 30 81 FB 30 81 A6 06 08 2B 06 01 05 05 ...0..0....+....
0010: 07 30 02 86 81 99 6C 64 61 70 3A 2F 2F 2F 43 4E .0....ldap:///CN
0020: 3D 54 65 61 6B 52 6F 6F 74 43 41 2C 43 4E 3D 41 =TeakRootCA,CN=A
0030: 49 41 2C 43 4E 3D 50 75 62 6C 69 63 25 32 30 4B IA,CN=Public%20K
0040: 65 79 25 32 30 53 65 72 76 69 63 65 73 2C 43 4E ey%20Services,CN
0050: 3D 53 65 72 76 69 63 65 73 2C 43 4E 3D 43 6F 6E =Services,CN=Con
0060: 66 69 67 75 72 61 74 69 6F 6E 2C 44 43 3D 74 65 figuration,DC=te
0070: 61 6B 2C 44 43 3D 65 6E 67 3F 63 41 43 65 72 74 ak,DC=eng?cACert
0080: 69 66 69 63 61 74 65 3F 62 61 73 65 3F 6F 62 6A ificate?base?obj
0090: 65 63 74 43 6C 61 73 73 3D 63 65 72 74 69 66 69 ectClass=certifi
00A0: 63 61 74 69 6F 6E 41 75 74 68 6F 72 69 74 79 30 cationAuthority0
00B0: 50 06 08 2B 06 01 05 05 07 30 02 86 44 68 74 74 P..+.....0..Dhtt
00C0: 70 3A 2F 2F 6D 6F 75 6E 74 61 69 6E 2E 74 65 61 p://mountain.tea
00D0: 6B 2E 65 6E 67 2F 43 65 72 74 45 6E 72 6F 6C 6C k.eng/CertEnroll
00E0: 2F 6D 6F 75 6E 74 61 69 6E 2E 74 65 61 6B 2E 65 /mountain.teak.e
00F0: 6E 67 5F 54 65 61 6B 52 6F 6F 74 43 41 2E 63 72 ng_TeakRootCA.cr
0100: 74 t
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
[1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1, 1.3.6.1.4.1.311.20.2.2]]
[7]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: ldap:///CN=TeakRootCA,CN=mountain,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=teak,DC=eng?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://mountain.teak.eng/CertEnroll/TeakRootCA.crl]
]]
[8]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
[9]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 2B 30 29 06 21 2B 06 01 04 01 82 37 15 08 84 .+0).!+.....7...
0010: 9B D5 29 87 9F A9 39 83 D5 8B 04 85 98 9D 3E 83 ..)...9.......>.
0020: CC DD 12 81 3E 01 1C 02 01 6E 02 01 01 ....>....n...
]
Algorithm: [SHA1withRSA]
Signature:
0000: 56 0A 7A E6 CF B2 E1 26 19 56 97 D8 9A CE DF 91 V.z....&.V......
0010: A2 8C 9B 1F 5F DB DB 8C 2B 53 AF 30 B3 E3 67 58 ...._...+S.0..gX
0020: 28 3F 79 D4 E9 CD F8 36 94 D2 72 1A 4F FE 29 E1 (?y....6..r.O.).
0030: 65 B8 97 F6 50 22 1D DD D9 36 C3 07 EB 38 FC 7F e...P"...6...8..
0040: 25 D6 64 F1 A9 9A F9 7D 2C 6A 55 A4 11 52 2B 1A %.d.....,jU..R+.
0050: BC 42 04 77 34 52 BD 12 EC 26 F2 7F AA 25 E6 18 .B.w4R...&...%..
0060: 36 13 31 E4 F1 F3 48 88 98 E8 AE 34 AB D2 27 CF 6.1...H....4..'.
0070: 00 FD FA 39 D6 85 AE 85 26 F9 11 8A AB A2 16 BB ...9....&.......
0080: 7A F9 E3 83 35 E8 7E D7 27 8D 77 20 EC C7 57 51 z...5...'.w ..WQ
0090: F1 4B AA 66 4B 8D 4D 5F 37 EE F2 ED 52 71 5E 29 .K.fK.M_7...Rq^)
00A0: EF 9D E2 1F 7E 67 2F 05 0F FE EE 23 AC 5A 5C 49 .....g/....#.Z\I
00B0: 3B DE B3 ED 58 6E 29 D2 C1 F0 43 35 10 04 86 3A ;...Xn)...C5...:
00C0: 72 05 AA 60 D1 72 33 9E 60 17 72 0E BF 56 F4 80 r..`.r3.`.r..V..
00D0: 4D 4B 1A 72 A1 C2 EF 0F 22 9E 0B 54 94 E2 B4 14 MK.r...."..T....
00E0: 6A C7 FC 78 C6 34 DC 5D 87 B6 5D 6E 65 C0 AF 88 j..x.4.]..]ne...
00F0: AD 4E FF 87 A0 58 E5 CF EB 95 63 8C E3 31 AC 31 .N...X....c..1.1
]
***
http8080-Processor23, SEND TLSv1 ALERT: fatal, description = certificate_unknown
http8080-Processor23, WRITE: TLSv1 Alert, length = 2
http8080-Processor23, called closeSocket()
http8080-Processor23, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]
Finalizer, called close()
Finalizer, called closeInternal(true)
*************end of ssl log**********
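A note on what the log above shows, followed by an added diagnostic (not the poster's code). The rejected leaf certificate has an empty Subject and a subjectAltName (2.5.29.17) marked Criticality=true; that combination is what RFC 3280 requires of a CA when the subject field is empty, so the Active Directory certificate itself is well-formed. In JSSE the message "Certificate contains unsupported critical extensions" is produced by the simple (SunX509) validator, which only knows how to process basicConstraints, keyUsage, extKeyUsage and the Netscape certificate-type extension as critical; anything else left in the critical set is rejected with exactly this text. The PKIX trust manager (TrustManagerFactory.getInstance("PKIX")) processes subjectAltName, so the first thing to check is which algorithm the trust manager behind sc was built with. The class below is an added example with a hypothetical name, CriticalExtensionCheck; it assumes a reachable host and port and the path to the local truststore (default keystore type) as command-line arguments. It validates the chain with a PKIX trust manager and, when the chain is rejected, prints the leaf's subject, subjectAltName and critical extension OIDs. The rejected chain is only inspected, never stored as trusted.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic (hypothetical class, not from the original post): validate a server
// chain with the PKIX trust manager and, if it is rejected, report which extensions the
// leaf certificate marks critical. The rejected chain is printed, never trusted.
public class CriticalExtensionCheck {

    // Well-known extension OIDs, used only to label the report.
    private static final Map<String, String> KNOWN_OIDS = new LinkedHashMap<String, String>();
    static {
        KNOWN_OIDS.put("2.5.29.15", "keyUsage");
        KNOWN_OIDS.put("2.5.29.17", "subjectAltName");
        KNOWN_OIDS.put("2.5.29.19", "basicConstraints");
        KNOWN_OIDS.put("2.5.29.37", "extKeyUsage");
    }

    /** Delegates to a real trust manager but remembers the last chain it rejected. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        private X509Certificate[] rejectedChain;

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            try {
                delegate.checkServerTrusted(chain, authType);
            } catch (CertificateException e) {
                rejectedChain = chain;   // keep for diagnosis, but still reject
                throw e;
            }
        }
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
        X509Certificate[] rejectedChain() { return rejectedChain; }
    }

    /** Maps each critical extension OID of the certificate to a readable label. */
    static Map<String, String> criticalExtensions(X509Certificate cert) {
        Map<String, String> out = new LinkedHashMap<String, String>();
        Set<String> crit = cert.getCriticalExtensionOIDs();
        if (crit == null) return out;
        for (String oid : crit) {
            out.put(oid, KNOWN_OIDS.containsKey(oid) ? KNOWN_OIDS.get(oid) : "unknown");
        }
        return out;
    }

    /** Builds a PKIX (not SunX509) trust manager over the given truststore file. */
    static X509TrustManager pkixTrustManager(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());  // assumed: default type
        FileInputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Usage: java CriticalExtensionCheck <host> <port> <truststore> [password]
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        char[] password = args.length > 3 ? args[3].toCharArray() : null;

        RecordingTrustManager tm = new RecordingTrustManager(pkixTrustManager(args[2], password));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);

        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            socket.startHandshake();
            System.out.println("handshake OK: chain accepted by the PKIX trust manager");
        } catch (IOException e) {
            System.out.println("handshake failed: " + e);
            X509Certificate[] chain = tm.rejectedChain();
            if (chain != null && chain.length > 0) {
                X509Certificate leaf = chain[0];
                System.out.println("leaf subject: '" + leaf.getSubjectX500Principal() + "'");
                System.out.println("subjectAltName: " + leaf.getSubjectAlternativeNames());
                System.out.println("critical extensions: " + criticalExtensions(leaf));
                System.out.println("parser flags unsupported critical extension: "
                        + leaf.hasUnsupportedCriticalExtension());
            }
        } finally {
            socket.close();
        }
    }
}
```

Run it against the Active Directory host with the same truststore the client uses. If this PKIX-backed context accepts the chain that the original context rejects, the difference is the validator, not the certificate, and switching the client's TrustManagerFactory to "PKIX" is the fix to try; if PKIX also rejects it, the printed critical extension list and subjectAltName show exactly what the validator could not process. Note that hasUnsupportedCriticalExtension() reports the parser's view, which can say false even when the SunX509 validator refuses the certificate, which is why the report prints both.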