
Java Security


Getting a "peer not authenticated" Exception using Openssl

843811, Sep 16 2002 — edited Feb 5 2008
Hi all

I'm pretty frustrated right now. I'm trying to get a Java program to do client and server certificate authentication with an Apache server.

Let me say beforehand I got the server side authentication part going. It's only the client authentication I'm having trouble with.

I have an Apache server version 1.3.20 (running on RH Linux 6.2) which talks to a Tomcat server (3.2.1) hosting some servlets. I also have Apache SSL enabled (via mod_ssl 2.8.4 and openssl 0.9.6a) and talking to an OpenLDAP server (version 2.1.3) via a module called mod_authz_ldap. This module allows for both certificate and basic authentication.

I then have my b2b Java program (running on Win2000), which uses Sun's JSSE 1.0.3 plus the HTTPClient library from Innovation: http://www.innovation.ch/java/HTTPClient/https.html.

To start with, the exception I'm getting on the client side is:

"javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275) at HTTPClient.HTTPConnection.sendRequest(HTTPConnection.java:2950)"

And on the Apache server ssl_engine.log I'm getting:

"[16/Sep/2002 15:21:33 17063] [info] Connection to child 2 established (server 165.148.58.144:443, client 165.148.59.202)
[16/Sep/2002 15:21:33 17063] [info] Seeding PRNG with 1160 bytes of entropy
[16/Sep/2002 15:21:42 17063] [error] SSL handshake failed (server 165.148.58.144:443, client 165.148.59.202) (OpenSSL library error follows)
[16/Sep/2002 15:21:42 17063] [error] OpenSSL: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown"

Now what I did to setup my certificates was:

1. Created my own CA using openssl (from the Linux box)
2. Created the server certificate and extracted the key
3. Created the client certificate.

I then bundled all of these by concatenating them into a single file called ca-bundle.crt (I used a simple cat command).

In Apache httpd.conf I added:

"SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /jose/CA2/server.crt
SSLCertificateKeyFile /jose/CA2/server.key

SSLCACertificateFile /jose/CA2/demoCA/newcerts/ca2-bundle.crt

SSLVerifyClient require
SSLVerifyDepth 10"

I then copied the ca cert, the server cert and client cert into my client win2000 machine.

I then imported these into a single .keystore file using keytool, which I then use on my program like:

--------------------------------------------------
import java.io.InputStream;
// JSSE 1.0.3 ships these classes under com.sun.net.ssl; from Java 1.4 on they live in javax.net.ssl
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import HTTPClient.HTTPConnection;
import HTTPClient.HTTPResponse;

// register the JSSE provider and point the default trust store at my keystore
java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("javax.net.ssl.trustStore", "C:\\Documents and Settings\\correij\\.keystore");

SSLContext sc = SSLContext.getInstance("SSL");
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
// init with a null KeyStore makes the factory load the default trust store,
// i.e. the "javax.net.ssl.trustStore" property set above
tmf.init((java.security.KeyStore) null);
// first argument is the KeyManager[] (client key material); null here
sc.init(null, tmf.getTrustManagers(), null);

//URL url = new URL (urlString);
// HTTPConnection(protocol, host, port): urlString holds the server host name, -1 = default port
HTTPConnection con = new HTTPConnection("https", urlString, -1);
//sc.getSocketFactory().setNeedClientAuth(true);
con.setSSLSocketFactory(sc.getSocketFactory());
con.addBasicAuthorization("AuthzLDAP", "Jaco", "water");
HTTPResponse response = con.Get("/test/servlet/ldapb2bservlet");
InputStream content = response.getInputStream();
--------------------------------------------------

When I run this, I'm getting the above errors. I did turn the SSL debug on and I'm getting:

main, SEND SSL v3.1 ALERT: fatal, description = certificate_unknown
main, WRITE: SSL v3.1 Alert, length = 2
%% No cached client session


I don't know if it's the client that is not recognizing any of the attached server certificates or the other way around...?

Any ideas pleaseeeeeee....!!

Thanks in advance
Jose Correia
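The two-sided setup the post is after, as an added example that is not part of the original post nor of the HTTPClient or JSSE 1.0.3 code it describes: a JSSE client that supplies both a KeyManager (the client certificate with its private key) and a TrustManager (the private CA only), then reports after the handshake whether a client certificate was actually presented and which server certificate came back. It uses the standard javax.net.ssl API and HttpsURLConnection rather than the HTTPClient library. The file names client.p12 and truststore.jks, the "changeit" passwords and the URL are assumptions for illustration, not values from the post.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not code from the original post.  A JSSE client for a server
 * that requires client certificates (Apache "SSLVerifyClient require").
 *
 * Assumed files (illustrative names, not from the post):
 *   client.p12      PKCS12 file holding the client certificate and its private key
 *   truststore.jks  keytool keystore holding only the CA certificate
 *   "changeit"      password of both stores
 */
public class MutualTlsClient {

    static final String KEYSTORE_FILE = "client.p12";
    static final char[] KEYSTORE_PASS = "changeit".toCharArray();
    static final String TRUSTSTORE_FILE = "truststore.jks";
    static final char[] TRUSTSTORE_PASS = "changeit".toCharArray();

    /** Builds an SSLContext that presents a client identity and validates the server. */
    static SSLContext buildContext() throws Exception {
        // Client identity: the KeyManager is what makes JSSE answer the server's
        // CertificateRequest with our certificate chain.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(KEYSTORE_FILE)) {
            keyStore.load(in, KEYSTORE_PASS);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, KEYSTORE_PASS);

        // Server validation: trust only the private CA, not the JDK's default cacerts.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(TRUSTSTORE_FILE)) {
            trustStore.load(in, TRUSTSTORE_PASS);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    static String subject(Certificate c) {
        return (c instanceof X509Certificate)
                ? ((X509Certificate) c).getSubjectX500Principal().getName()
                : c.getType();
    }

    public static void main(String[] args) throws Exception {
        // Assumed URL; only the servlet path comes from the post.
        String urlString = args.length > 0 ? args[0] : "https://www.example.com/test/servlet/ldapb2bservlet";
        HttpsURLConnection con = (HttpsURLConnection) new URL(urlString).openConnection();
        con.setSSLSocketFactory(buildContext().getSocketFactory());
        con.connect(); // performs the TLS handshake

        // Diagnostic check: getLocalCertificates() is null when no client certificate
        // was sent, e.g. because no KeyManager entry matched the CA list the server asked for.
        Certificate[] local = con.getLocalCertificates();
        if (local == null) {
            System.out.println("No client certificate was presented");
        } else {
            System.out.println("Presented client certificate: " + subject(local[0]));
        }
        // Throws SSLPeerUnverifiedException if the server chain was not validated.
        Certificate[] server = con.getServerCertificates();
        System.out.println("Server certificate: " + subject(server[0])
                + " (chain length " + server.length + ")");

        System.out.println("HTTP " + con.getResponseCode());
        try (InputStream body = con.getInputStream()) {
            byte[] buf = new byte[4096];
            int n;
            while ((n = body.read(buf)) != -1) {
                System.out.write(buf, 0, n);
            }
        }
    }
}
```

The trust store with just the CA is built with `keytool -importcert -alias ca -file ca.crt -keystore truststore.jks`; the client certificate and key produced by openssl go into PKCS12 with `openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12`. HttpsURLConnection also performs host-name verification, so the server certificate's CN or subjectAltName must match the host in the URL, and the example deliberately does not disable that check.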

Post Details
Locked on Mar 4 2008
Added on Sep 16 2002
12 comments
4,212 views