kazu2012 / persevere-framework

Automatically exported from code.google.com/p/persevere-framework

Remote RPC via SSL seems like it might not be working quite right. #232

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
I have a server on my home machine that is attempting to connect to a
publicly available machine.

js>var c = load( "https://coheremain.com/Cohere/1" )

Prior to my shifting coheremain.com behind SSL, this worked great!

Now, it's unhappy.  I figure it's because we need to construct an SSL
connection between the two servers and this might not have happened before.
Now I think about it, there's a lot to this little request: must make sure
that the connection handshake is OK, must have a way to check the presented
certificate.  Browsers do this by checking against a big collection of
fancy Issuing Certificates.  Do we have such a list?  What would happen if
the remote cert was self-signed?  Or if the server's Cert's Issuer wasn't
in that list?

This is a can of worms if ever I saw one, but one I'd like to get to the
bottom of, if possible!

Errors galore below: 

js>s( c )
({"id":"https://coheremain.com/Cohere/1",
"error":"org.mozilla.javascript.EcmaError: Error:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target (org/persvr/server.js#135)"
})
js>david@dw-quad:~/cohere_master$ 

The Server stack trace is as follows:

2009-08-18 03:47:43.634::WARN:  EXCEPTION 
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1682)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:932)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:631)
    at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:522)

Original issue reported on code.google.com by davidthi...@gmail.com on 18 Aug 2009 at 3:59

GoogleCodeExporter commented 8 years ago
Checking (somewhat randomly)

http://www.exampledepot.com/egs/javax.net.ssl/Client.html
http://www.exampledepot.com/egs/javax.net.ssl/Server.html

Reveals that we might need to supply the issuing cert store on the client and
keystore on the server and possibly the client too.  

There's a keystore as part of the jetty config ([persevere_home]/etc) which
would be cool to reuse, but we might need to add the cert store from some
collection offered by a browser.

Original comment by davidthi...@gmail.com on 18 Aug 2009 at 4:58

GoogleCodeExporter commented 8 years ago
OpenSSL has a tool which can test SSL servers:

  openssl s_client -connect coheremain.com:443

Doesn't work, since it has no way to validate Coheremain's cert.

Adding a pointer to the coheremain's issuing authority (stored in ca-cert.cert),
permits the connection to be made:

  openssl s_client -connect coheremain.com:443 -CAfile ca-cert.cert

Returns:

CONNECTED(00000003)
depth=1 /CN=Cohere (coheremain.com)/C=US/ST=California/L=Oakland/O=Cohere/emailAddress=david@davidthings.com
verify return:1
depth=0 /C=US/ST=California/O=Cohere/CN=coheremain.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/O=Cohere/CN=coheremain.com
   i:/CN=Cohere (coheremain.com)/C=US/ST=California/L=Oakland/O=Cohere/emailAddress=david@davidthings.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=California/O=Cohere/CN=coheremain.com
issuer=/CN=Cohere (coheremain.com)/C=US/ST=California/L=Oakland/O=Cohere/emailAddress=david@davidthings.com
---
No client certificate CA names sent
---
SSL handshake has read 1592 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 4A8B131C58D7809DBC166549C17AC5211BA18FE2AD4CFA0C0FA8D4952296350F
    Session-ID-ctx: 
    Master-Key: 6521D98795AC6577DE62E04E91876A23F5868D75BFCCD8F3FD3B1708C2F8FFEF77CC66F84BBF9E7B175ED463DB66A23F
    Key-Arg   : None
    Start Time: 1250628350
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Then it sits waiting for requests.  I type:

GET /

And I get...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Cohere - Cohere Main</title>
<link rel="icon" type="image/png" href="/images/fav13.png">
</head> 

<frameset rows="55,100%,45" cols="*" border = "0px" >

  <frame src="/Class/WebHeaderController" name="header" id="header" noresize
scrolling=no>
  <frame src="/Class/HomeController" name="content" id="content" >
  <frame src="/Class/WebFooterController" name="footer" id="footer" noresize
scrolling=no>
</frameset>
<noframes></noframes>

</html>

Original comment by davidthi...@gmail.com on 18 Aug 2009 at 8:50

GoogleCodeExporter commented 8 years ago
All is now working.  What was needed was the issuing certificate to be placed
in the JRE's keystore.  Then all the lights came on.

Original comment by davidthi...@gmail.com on 18 Aug 2009 at 9:31
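The thread above raises three related points: the opening question of what happens when the remote cert is self-signed or its issuer is not in the JVM's trust list, the `openssl s_client -CAfile ca-cert.cert` check that confirmed the chain was fine once the issuing CA was supplied, and the final fix of putting that issuing certificate in the JRE's keystore. The following is an added example (not Persevere's code, nor the reporter's) that does the same thing from Java without touching the JRE's `cacerts`: it loads the issuing CA from a PEM file into an in-memory trust store, probes the server once with the JVM's default trust store and once with the private-CA trust store so the two outcomes can be compared, and exposes the PKIX path validation step explicitly, which is the check whose failure surfaces as "PKIX path building failed". The class name `TrustPrivateCa`, the command-line layout `host port ca-cert.pem`, and the alias prefix `private-ca-` are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

/**
 * Added example, not Persevere's code. Java-side counterpart of
 * `openssl s_client -connect host:443 -CAfile ca-cert.cert`.
 *
 * Usage (assumed): java TrustPrivateCa <host> <port> <ca-cert.pem>
 */
public class TrustPrivateCa {

    /** Load the certificate(s) in a PEM/DER file into a fresh in-memory trust store. */
    static KeyStore trustStoreFromCaFile(String caPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);                       // empty store; the JRE's cacerts is left alone
        try (InputStream in = new FileInputStream(caPath)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                ts.setCertificateEntry("private-ca-" + (i++), c);   // alias prefix is an assumption
            }
        }
        return ts;
    }

    /** SSLContext whose only trust anchors are the certificates in the given store. */
    static SSLContext contextTrusting(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client keystore: server authentication only
        return ctx;
    }

    /**
     * Explicit PKIX path validation of a captured chain against a trust store. The default
     * X509TrustManager performs this same check during the handshake; a self-signed leaf or an
     * issuer absent from the store ends here with CertPathValidatorException.
     */
    static String validate(List<X509Certificate> chain, KeyStore trustStore) {
        try {
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false);        // no CRL/OCSP published by this private CA
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return "ok";
        } catch (CertPathValidatorException e) {
            return "invalid: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    /** Handshake with the given context and report the outcome plus the presented chain. */
    static String probe(String host, int port, SSLContext ctx, KeyStore trustStore) {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");   // hostname must match the cert too
            s.setSSLParameters(p);
            s.startHandshake();
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : s.getSession().getPeerCertificates()) chain.add((X509Certificate) c);
            StringBuilder sb = new StringBuilder("ok, cipher " + s.getSession().getCipherSuite() + "\n");
            for (int i = 0; i < chain.size(); i++) {            // same layout as s_client's chain listing
                sb.append(' ').append(i).append(" s:").append(chain.get(i).getSubjectX500Principal()).append('\n');
                sb.append("   i:").append(chain.get(i).getIssuerX500Principal()).append('\n');
            }
            return sb.append(" validation: ").append(validate(chain, trustStore)).toString();
        } catch (Exception e) {
            Throwable root = e;                         // unwrap to the SunCertPathBuilderException-style cause
            while (root.getCause() != null) root = root.getCause();
            return "failed: " + root;
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        KeyStore privateCa = trustStoreFromCaFile(args[2]);
        KeyStore jreDefault = KeyStore.getInstance(KeyStore.getDefaultType());
        jreDefault.load(null, null);                    // placeholder: default context uses cacerts internally
        System.out.println("JRE default trust store: " + probe(host, port, SSLContext.getDefault(), jreDefault));
        System.out.println("Private CA trust store:  " + probe(host, port, contextTrusting(privateCa), privateCa));
    }
}
```

Against a server like the one in the thread, the first probe fails with the "unable to find valid certification path to requested target" cause and the second succeeds and lists the same `s:`/`i:` chain that `s_client` printed. The non-programmatic equivalent is a dedicated truststore built with `keytool -importcert -trustcacerts -alias cohere-ca -file ca-cert.cert -keystore truststore.jks` and selected with `-Djavax.net.ssl.trustStore=truststore.jks`; that is usually preferable to editing `$JAVA_HOME/lib/security/cacerts`, which a JRE upgrade replaces and which extends trust in the private CA to every TLS connection the JVM makes. Importing the issuing CA rather than the leaf certificate means a renewed server certificate from the same CA keeps working without another import.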