Checking (somewhat randomly)
http://www.exampledepot.com/egs/javax.net.ssl/Client.html
http://www.exampledepot.com/egs/javax.net.ssl/Server.html
Reveals that we might need to supply the issuing cert store on the client and keystore on the server and possibly the client too.

There's a keystore as part of the jetty config ([persevere_home]/etc) which would be cool to reuse, but we might need to add the cert store from some collection offered by a browser.
Original comment by davidthi...@gmail.com on 18 Aug 2009 at 4:58
OpenSSL has a tool which can test SSL servers:
openssl s_client -connect coheremain.com:443
Doesn't work, since it has no way to validate Coheremain's cert.
Adding a pointer to the coheremain's issuing authority (stored in ca-cert.cert), permits the connection to be made:
openssl s_client -connect coheremain.com:443 -CAfile ca-cert.cert
Returns:
CONNECTED(00000003)
depth=1 /CN=Cohere (coheremain.com)/C=US/ST=California/L=Oakland/O=Cohere/emailAddress=david@davidthings.com
verify return:1
depth=0 /C=US/ST=California/O=Cohere/CN=coheremain.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/O=Cohere/CN=coheremain.com
i:/CN=Cohere (coheremain.com)/C=US/ST=California/L=Oakland/O=Cohere/emailAddress=david@davidthings.com
---
Server certificate
subject=/C=US/ST=California/O=Cohere/CN=coheremain.com
issuer=/CN=Cohere (coheremain.com)/C=US/ST=California/L=Oakland/O=Cohere/emailAddress=david@davidthings.com
---
No client certificate CA names sent
---
SSL handshake has read 1592 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 4A8B131C58D7809DBC166549C17AC5211BA18FE2AD4CFA0C0FA8D4952296350F
Session-ID-ctx:
Master-Key: 6521D98795AC6577DE62E04E91876A23F5868D75BFCCD8F3FD3B1708C2F8FFEF77CC66F84BBF9E7B175ED463DB66A23F
Key-Arg : None
Start Time: 1250628350
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Then it sits waiting for requests. I type:
GET /
And I get...
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Cohere - Cohere Main</title>
<link rel="icon" type="image/png" href="/images/fav13.png">
</head>
<frameset rows="55,100%,45" cols="*" border = "0px" >
<frame src="/Class/WebHeaderController" name="header" id="header" noresize scrolling=no>
<frame src="/Class/HomeController" name="content" id="content" >
<frame src="/Class/WebFooterController" name="footer" id="footer" noresize scrolling=no>
</frameset>
<noframes></noframes>
</html>
Original comment by davidthi...@gmail.com on 18 Aug 2009 at 8:50
All is now working. What was needed was the issuing certificate to be placed in the JRE's keystore. Then all the lights came on.
Original comment by davidthi...@gmail.com on 18 Aug 2009 at 9:31
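The fix above puts the issuing certificate into the JRE-wide keystore, which affects every Java program on that machine. The same trust can be given to one client only, by loading the issuing cert (the ca-cert.cert used with openssl s_client) into an in-memory trust store and building an SSLContext from it. This is an added example, not code from the Persevere project or from the issue; the class and method names are my own, and it assumes the CA file is PEM-encoded.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class IssuingCaClient {
    // Build an SSLContext that trusts only the issuing CA found in caCertPath
    // (PEM, e.g. ca-cert.cert), instead of the JRE's cacerts file.
    static SSLContext contextTrusting(String caCertPath) throws Exception {
        Certificate ca;
        try (InputStream in = new FileInputStream(caCertPath)) {
            ca = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                 // empty, in-memory trust store
        trustStore.setCertificateEntry("issuing-ca", ca);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                        // PKIX chain building against this CA only

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key: server authentication only
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://coheremain.com/";
        String caPath = args.length > 1 ? args[1] : "ca-cert.cert";
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(contextTrusting(caPath).getSocketFactory());
        // HttpsURLConnection checks the host name against the server cert by default;
        // leave that verifier in place rather than replacing it with an accept-all one.
        System.out.println("HTTP " + conn.getResponseCode()
            + " over " + conn.getCipherSuite());     // fails with SSLHandshakeException if the chain does not lead to ca-cert.cert
    }
}
```

Run as `java IssuingCaClient https://coheremain.com/ ca-cert.cert`; a server whose chain is not issued by that CA is rejected during the handshake, which is the same check openssl s_client performs with -CAfile.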
Original issue reported on code.google.com by davidthi...@gmail.com on 18 Aug 2009 at 3:59