javax.net.ssl.SSLHandshakeException: Couldn't find trusted certificate
843811 Jun 10 2002 — edited Feb 24 2009
Hi
I am trying to connect to a secure site using the javax.net.ssl packages that are bundled with jdk 1.4. The server certificate that is installed on the remote server is signed by our own CA (we have implemented our own CA using the iPlanet CMS).
I have written code that implements the HostNameVerifier and X509TrustManager interfaces.
But when I connect to the remote server I get the following exception:
main, SEND SSL v3.0 ALERT: fatal, description = certificate_unknown
main, WRITE: SSL v3.0 Alert, length = 2
javax.net.ssl.SSLHandshakeException: Couldn't find trusted certificate
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(DashoA6275)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
at java.io.OutputStream.write(OutputStream.java:58)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA6275)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:510)
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getOutputStream(DashoA6275)
at TestCommercialApps.main(TestCommercialApps.java:49)
On going through the various Java resources on the internet, I came to know that this exception occurs because the server cert's CA cert is not present in the jssecacerts/cacerts file present in the jre/lib/security folder.
However I did not have any problem implementing this in jdk 1.2 and 1.3 using the standard extension JSSE (com.sun.net.ssl package) where I had the same code implementing the X509TrustManager and HostNameVerifier interfaces (the methods that I used were isServerTrusted and isClientTrusted, whereas I now have checkServerTrusted and checkClientTrusted).
I cannot add the CA cert to the jssecacerts/cacerts file and all authentication has to be at runtime.
Can somebody help me in getting around this problem and enable my code to trust any server cert that is thrown at it by the remote server?
Thanks in advance
Karthik