
[iaik-ssl] server cert problem



Hi,

I'm currently evaluating iSaSiLk and I'm trying to use it, specifically
the HttpsUrlConnection support, to connect to a server running Apache
with mod_ssl. The CA certificate is self-signed and the server certificate
is signed by that CA. All certs and keys are DSA (512). In my client, I set
up an SSLClientContext and do the following:

 import java.io.FileInputStream;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import iaik.security.ssl.CipherSuite;
 import iaik.security.ssl.CipherSuiteList;
 import iaik.security.ssl.SSLClientContext;
 import iaik.protocol.https.HttpsURLConnection; // package name assumed (iSaSiLk HTTPS class)

 // Load the self-signed CA certificate that issued the server certificate.
 X509Certificate caCert = null;

 FileInputStream cafis = new FileInputStream("CA.crt");
 CertificateFactory cf = CertificateFactory.getInstance("X.509");
 caCert = (X509Certificate)cf.generateCertificate(cafis);
 cafis.close();

 HttpsURLConnection con = (HttpsURLConnection)url.openConnection();

 SSLClientContext sslcc = new SSLClientContext();
 sslcc.setDebugStream(System.out);   // produces the ssl_debug output below

 // Note: csl is built but never installed into sslcc, so it has no effect here.
 CipherSuiteList csl = new CipherSuiteList();
 csl.add(CipherSuite.SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA);

 // Trust anchor for the ChainVerifier: the server's chain must end at this CA.
 sslcc.addTrustedCertificate(caCert);

 con.setSSLContext(sslcc);

 .
 .
 .

the output from this program is:

ssl_debug(1): Starting handshake...
ssl_debug(1): Sending v3 client_hello message, requesting version 3.1...
ssl_debug(1): Received v3 server_hello handshake message.
ssl_debug(1): Server selected SSL version 3.1.
ssl_debug(1): Server created new session F3:23:09:6E:64:20:8B:4D...
ssl_debug(1): CipherSuite selected by server: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
ssl_debug(1): CompressionMethod selected by server: NULL
ssl_debug(1): Received certificate handshake message with server certificate.
ssl_debug(1): Server sent a 512 bit DSA certificate, chain has 2 elements.
ssl_debug(1): ChainVerifier: Error verifying certificate chain: java.security.SignatureException: Signature does not match.
ssl_debug(1): Sending alert: Alert Fatal: bad certificate
ssl_debug(1): Shutting down SSL layer...
ssl_debug(1): SSLException while handshaking: Server certificate rejected by ChainVerifier
ssl_debug(1): Sending alert: Alert Fatal: handshake failure
ssl_debug(1): Shutting down SSL layer...
ssl_debug(1): Shutting down SSL layer...
ssl_debug(1): Shutting down SSL layer...
ssl_debug(1): Closing transport...
org.w3c.www.protocol.http.HttpException: iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
 at iaik.security.ssl.x.d(Unknown Source)
 at iaik.security.ssl.x.f(Unknown Source)
 at iaik.security.ssl.r.c(Unknown Source)
 at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
 at iaik.security.ssl.SSLTransport.getOutputStream(Unknown Source)
 at iaik.security.ssl.SSLSocket.getOutputStream(Unknown Source)
 at org.w3c.www.protocol.http.HttpBasicConnection.markUsed(Unknown Source)
 at org.w3c.www.protocol.http.HttpBasicServer.getConnection(Unknown Source)
 at org.w3c.www.protocol.http.HttpBasicServer.runRequest(Unknown Source)
 at org.w3c.www.protocol.http.HttpManager.runRequest(Unknown Source)
 at org.w3c.www.protocol.http.HttpURLConnection.connect(Unknown Source)
 at org.w3c.www.protocol.http.HttpURLConnection.a(Unknown Source)
 at org.w3c.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)


So, obviously the ChainVerifier doesn't like one or both of my certs...
can anyone tell me why? If I don't specify any trusted certs, I get the
same output, which leads me to believe that I'm doing something wrong.

Any help on this would be greatly appreciated.

Thanks,

Jeff

P.S. Please reply directly because it seems my subscription to the
mailing list hasn't taken effect yet.
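The ChainVerifier error above can come from two different problems: the server certificate's issuer DN does not name the loaded CA, or the DN matches but the signature does not verify under the CA's public key. The following stand-alone check, added here as an example and not part of the original post or of iSaSiLk, separates the two cases with the standard java.security.cert API, the same signature check a chain verifier performs. File names (CA.crt, server.crt) and the class name ChainCheck are assumed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added diagnostic (not from the original post): reproduces the chain
// verifier's signature check outside the SSL handshake. File names assumed.
public class ChainCheck {

    // Reads one DER or PEM encoded X.509 certificate from a file.
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // True only if 'cert' names 'issuer' as its issuer AND its signature
    // verifies under the issuer's public key; prints which check failed.
    static boolean issuedBy(X509Certificate cert, X509Certificate issuer) {
        if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            System.out.println("Issuer DN does not match the CA subject DN:");
            System.out.println("  cert issuer: " + cert.getIssuerX500Principal());
            System.out.println("  CA subject : " + issuer.getSubjectX500Principal());
            return false;
        }
        try {
            cert.verify(issuer.getPublicKey()); // the chain verifier's core check
            return true;
        } catch (GeneralSecurityException e) {
            System.out.println("Signature check failed: " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate ca = load(args.length > 0 ? args[0] : "CA.crt");
        X509Certificate server = load(args.length > 1 ? args[1] : "server.crt");

        // A self-signed CA must verify under its own key.
        System.out.println("CA self-signature OK : " + issuedBy(ca, ca));
        System.out.println("CA key / sig alg     : " + ca.getPublicKey().getAlgorithm()
                + " / " + ca.getSigAlgName());
        System.out.println("Server signed by CA  : " + issuedBy(server, ca));
        System.out.println("Server key / sig alg : " + server.getPublicKey().getAlgorithm()
                + " / " + server.getSigAlgName());
    }
}
```

If both checks pass here, the certificates themselves are consistent and the problem lies in how the trust anchor reaches the ChainVerifier; if the server check fails here too, the server is presenting a certificate that was not signed by the CA.crt being loaded.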

--
Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html