RE: [iaik-ssl]cu|| iaik.security.ssl.SSLException: server certificate rejected!
Hi!

Try the following:

HttpsURLConnection con;
...
SSLContext sslContext = con.getSSLContext();
sslContext.setDebugWriter(System.out);
// optional: clear the certificate list of the certificate verifier
// so that all valid certificates will be accepted.
// see below
sslContext.getChainVerifier().clearTrustedCertificates();
...
// do output
// get the result
// do something else

You should see what happens during the SSL Handshake.

What the chain verifier does

Client Side Trust Verification

The client verifies that the server has an acceptable certificate. The
following cases arise (assuming the default ChainVerifier implementation is
used):

- ChainVerifier is null: If the ChainVerifier for the current SSLContext is
  null, all certificates are accepted. Note that the ChainVerifier is only
  null when explicitly set to null by the application.
- CipherSuite is DH_anon: If the active ciphersuite is anonymous, the
  ChainVerifier is not called and the connection is accepted. The reasoning
  is that DH_anon is only used when explicitly enabled by the user, making an
  additional check of the always server certificate redundant (for DH_anon
  the server certificate is of course actually null).
- No trusted certificates set: If no trusted certificates have been
  specified, all valid certificate chains are accepted. Valid in this case
  means that all signatures verify, no certificates are expired, etc.
- One or more trusted certificates set: If trusted certificates have been
  specified, only chains that are valid and contain a trusted certificate are
  accepted.

For more information please see the JavaDoc for the ChainVerifier class.

yours
andi

> -----Original Message-----
> From: Luca Ventura [mailto:luca_vent@virgilio.it]
> Sent: Freitag, 28. Juni 2002 12:46
> To: iaik-ssl
> Subject: [iaik-ssl]cu|| iaik.security.ssl.SSLException: server certificate rejected!
>
> Hello!
>
> I use JDK 1.4 (on a Windows XP machine) and IAIK's iSaSiLk APIs to open
> https connections in my Java applications....
>
> I have written the following piece of code to do it:
>
> urlString = "https://www.verisign.com/";
> URL url = new URL(null,urlString, new iaik.protocol.https.Handler());
> HttpsURLConnection con = (HttpsURLConnection)url.openConnection();
>
> At the last statement I receive the following error:
>
> iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
>
> Why? This error doesn't appear if I use url: "https://jcewww.iaik.at/"
>
> how come?
>
> I hope someone can help me!
>
> Thanks a lot!
>
> Luca
>
> --
> Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html
> To unsubscribe send an email to listserv@iaik.at with the following content: UNSUBSCRIBE iaik-ssl
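
Editor's added example, not part of the original message and not iSaSiLk code: a small stand-alone Java model of the four ChainVerifier cases quoted above, run against constructed chains with the trusted list populated and with it cleared. Cert, chainIsValid and accepts are hypothetical names, and "signatures verify" is modelled as issuer/subject linkage.

```java
import java.time.LocalDate;
import java.util.List;
import java.util.Set;

// Model only (Java 16+ for records); none of these types are iSaSiLk classes.
public class ChainVerifierModel {
    // Constructed stand-in for a certificate.
    record Cert(String subject, String issuer, LocalDate notAfter) {}

    // Valid = each certificate is issued by the next one, the last is self-signed, none expired.
    static boolean chainIsValid(List<Cert> chain, LocalDate today) {
        if (chain.isEmpty()) return false;
        for (int i = 0; i < chain.size(); i++) {
            Cert c = chain.get(i);
            String expectedIssuer = (i + 1 < chain.size()) ? chain.get(i + 1).subject() : c.subject();
            if (!c.issuer().equals(expectedIssuer) || c.notAfter().isBefore(today)) return false;
        }
        return true;
    }

    // The four documented cases, checked in the order the documentation lists them.
    static boolean accepts(boolean verifierIsNull, boolean anonSuite, Set<String> trusted,
                           List<Cert> chain, LocalDate today) {
        if (verifierIsNull) return true;        // ChainVerifier is null: everything accepted
        if (anonSuite) return true;             // DH_anon: verifier is not called
        if (!chainIsValid(chain, today)) return false;
        if (trusted.isEmpty()) return true;     // no trusted certificates: any valid chain
        return chain.stream().anyMatch(c -> trusted.contains(c.subject())); // must contain an anchor
    }

    public static void main(String[] args) {
        LocalDate today = LocalDate.of(2002, 6, 28);
        LocalDate later = LocalDate.of(2003, 6, 28);
        // Constructed sample chains (leaf first).
        List<Cert> known = List.of(new Cert("server.example", "Known Root", later),
                                   new Cert("Known Root", "Known Root", later));
        List<Cert> selfSigned = List.of(new Cert("server.example", "server.example", later));
        List<Cert> expired = List.of(new Cert("server.example", "Known Root", LocalDate.of(2001, 1, 1)),
                                     new Cert("Known Root", "Known Root", later));
        Set<String> pinned = Set.of("Known Root");
        Set<String> cleared = Set.of();         // state after clearTrustedCertificates()

        System.out.println("pinned,  known chain:       " + accepts(false, false, pinned, known, today));
        System.out.println("pinned,  self-signed chain: " + accepts(false, false, pinned, selfSigned, today));
        System.out.println("cleared, self-signed chain: " + accepts(false, false, cleared, selfSigned, today));
        System.out.println("cleared, expired chain:     " + accepts(false, false, cleared, expired, today));
    }
}
```

With the trusted list cleared, the self-signed chain from an unknown issuer is accepted because only validity is checked, so the cleared state suits handshake debugging; for normal operation, set the expected root as a trusted certificate so that the fourth case applies.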