
[iaik-ssl] server cert problem... again



Hello,

I'm resending my question because I didn't get any response the last
time I sent it.  I'm evaluating iSaSiLk for possible purchase and I
need to know if it will do what I need it to.  My tests so far have
shown that it doesn't.  I need someone to prove that it will.  The
original question is below.  Again, any help would be greatly
appreciated.

-Jeff


--- Jeffrey Ricks <jricks18@yahoo.com> wrote:
> Hi,
> 
> I'm currently evaluating iSaSiLk and I'm trying to use it,
> specifically
> the HttpsUrlConnection support, to connect to a server 
> running Apache with mod_ssl.  The CA certificate is self-signed and
> the
> server certificate is signed by that CA.  All certs and 
> keys are DSA (512). In my client, I set up an SSLClientContext and do
> the following:
> 
>  import java.io.FileInputStream;
>  import java.security.cert.CertificateFactory;
>  import java.security.cert.X509Certificate;
>  import iaik.protocol.https.HttpsURLConnection;
>  import iaik.security.ssl.CipherSuite;
>  import iaik.security.ssl.CipherSuiteList;
>  import iaik.security.ssl.SSLClientContext;
> 
>  // load the self-signed CA certificate that the client should trust
>  X509Certificate caCert = null;
>  FileInputStream cafis = new FileInputStream("CA.crt");
>  CertificateFactory cf = CertificateFactory.getInstance("X.509");
>  caCert = (X509Certificate)cf.generateCertificate(cafis);
> 
>  // url (an https:// URL) is created earlier in the program, not shown here
>  HttpsURLConnection con = (HttpsURLConnection)url.openConnection();
> 
>  SSLClientContext sslcc = new SSLClientContext();
>  sslcc.setDebugStream(System.out);
> 
>  // restrict the client to the DHE_DSS suite; the list only takes effect
>  // once it is installed in the context
>  CipherSuiteList csl = new CipherSuiteList();
>  csl.add(CipherSuite.SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA);
>  sslcc.setEnabledCipherSuiteList(csl);
> 
>  // the CA certificate is the trust anchor the ChainVerifier checks against
>  sslcc.addTrustedCertificate(caCert);
> 
>  con.setSSLContext(sslcc);
> 
>  .
>  .
>  .
> 
> the output from this program is:
> 
> ssl_debug(1): Starting handshake...
> ssl_debug(1): Sending v3 client_hello message, requesting version
> 3.1...
> ssl_debug(1): Received v3 server_hello handshake message.
> ssl_debug(1): Server selected SSL version 3.1.
> ssl_debug(1): Server created new session F3:23:09:6E:64:20:8B:4D...
> ssl_debug(1): CipherSuite selected by server:
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> ssl_debug(1): CompressionMethod selected by server: NULL
> ssl_debug(1): Received certificate handshake message with server
> certificate.
> ssl_debug(1): Server sent a 512 bit DSA certificate, chain has 2
> elements.
> ssl_debug(1): ChainVerifier: Error verifying certificate chain:
> java.security.SignatureException: 
> Signature does not match.
> ssl_debug(1): Sending alert: Alert Fatal: bad certificate
> ssl_debug(1): Shutting down SSL layer...
> ssl_debug(1): SSLException while handshaking: Server certificate
> rejected by ChainVerifier
> ssl_debug(1): Sending alert: Alert Fatal: handshake failure
> ssl_debug(1): Shutting down SSL layer...
> ssl_debug(1): Shutting down SSL layer...
> ssl_debug(1): Shutting down SSL layer...
> ssl_debug(1): Closing transport...
> org.w3c.www.protocol.http.HttpException:
> iaik.security.ssl.SSLException: Server certificate rejected 
> by ChainVerifier
> iaik.security.ssl.SSLException: Server certificate rejected by
> ChainVerifier
>  at iaik.security.ssl.x.d(Unknown Source)
>  at iaik.security.ssl.x.f(Unknown Source)
>  at iaik.security.ssl.r.c(Unknown Source)
>  at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
>  at iaik.security.ssl.SSLTransport.getOutputStream(Unknown Source)
>  at iaik.security.ssl.SSLSocket.getOutputStream(Unknown Source)
>  at org.w3c.www.protocol.http.HttpBasicConnection.markUsed(Unknown
> Source)
>  at org.w3c.www.protocol.http.HttpBasicServer.getConnection(Unknown
> Source)
>  at org.w3c.www.protocol.http.HttpBasicServer.runRequest(Unknown
> Source)
>  at org.w3c.www.protocol.http.HttpManager.runRequest(Unknown Source)
>  at org.w3c.www.protocol.http.HttpURLConnection.connect(Unknown
> Source)
>  at org.w3c.www.protocol.http.HttpURLConnection.a(Unknown Source)
>  at
> org.w3c.www.protocol.http.HttpURLConnection.getInputStream(Unknown
> Source)
> 
> 
> So, obviously the ChainVerifier doesn't like one or both of my
> certs...
> can anyone tell me why?  If I don't specify any trusted 
> certs, I get the same output which leads me to believe that I'm doing
> something wrong.  
> 
> Any help on this would be greatly appreciated.
> 
> Thanks,
> 
> Jeff

--
Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html

To unsubscribe send an email to listserv@iaik.at with the following content: UNSUBSCRIBE iaik-ssl
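The failure in the post ("Signature does not match" from the ChainVerifier) means the server certificate's signature does not verify under the public key of the CA certificate the client loaded, even though the issuer name presumably matches. The quickest way to narrow that down is to repeat the same check offline, outside the TLS handshake, with nothing but the JDK's own X.509 support. The program below is an added example, not code from the post or from IAIK; it assumes CA.crt from the post and a second file, here called server.crt, holding the server certificate optionally followed by the chain the server sends (the file name is an assumption). It reports, for every certificate in the chain, whether the issuer DN names the next certificate and whether the signature actually verifies under that certificate's key, and whether the CA the server sends is byte-for-byte the same CA the client trusts.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Offline check of a server certificate chain against a trusted CA certificate,
 * using only the JDK's X.509 classes (no iSaSiLk). Added example, not from the post.
 *
 * usage: java ChainCheck CA.crt server.crt
 *   CA.crt     the certificate the client trusts (the file named in the post)
 *   server.crt the server certificate, optionally followed by the rest of the
 *              chain as the server sends it (file name assumed; PEM or DER)
 */
public class ChainCheck {

    // Load every certificate found in the file, in file order.
    static List<X509Certificate> load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    // SHA-1 fingerprint of the DER encoding, to tell two same-named CA certs apart.
    static String fingerprint(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    // Algorithm and key size, e.g. "DSA 512 bit".
    static String keyInfo(PublicKey k) {
        int bits = -1;
        if (k instanceof DSAPublicKey) bits = ((DSAPublicKey) k).getParams().getP().bitLength();
        else if (k instanceof RSAPublicKey) bits = ((RSAPublicKey) k).getModulus().bitLength();
        return k.getAlgorithm() + (bits > 0 ? " " + bits + " bit" : "");
    }

    /** Returns null when cert is correctly signed by issuer, otherwise the reason. */
    static String checkSignature(X509Certificate cert, X509Certificate issuer) {
        if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            return "issuer DN " + cert.getIssuerX500Principal()
                 + " does not name " + issuer.getSubjectX500Principal();
        }
        try {
            cert.verify(issuer.getPublicKey());   // the signature check a chain verifier performs
            return null;
        } catch (Exception e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java ChainCheck CA.crt server.crt");
            System.exit(2);
        }
        X509Certificate ca = load(args[0]).get(0);
        List<X509Certificate> chain = load(args[1]);

        System.out.println("trusted CA : " + ca.getSubjectX500Principal()
            + " (" + keyInfo(ca.getPublicKey()) + ") " + fingerprint(ca));
        String self = checkSignature(ca, ca);
        System.out.println("  self-signature: " + (self == null ? "OK" : self));

        // Each certificate must be signed by the next one; the last one by the trusted CA.
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = chain.get(i);
            System.out.println("chain[" + i + "]  : " + c.getSubjectX500Principal()
                + " (" + keyInfo(c.getPublicKey()) + ") " + fingerprint(c));
            if (Arrays.equals(c.getEncoded(), ca.getEncoded())) {
                System.out.println("  identical to trusted CA");
                continue;
            }
            X509Certificate issuer = (i + 1 < chain.size()) ? chain.get(i + 1) : ca;
            String r = checkSignature(c, issuer);
            System.out.println("  signed by " + issuer.getSubjectX500Principal() + ": "
                + (r == null ? "OK" : "FAILED, " + r));
        }
    }
}
```

Reading the output: an issuer-DN mismatch means the server certificate was never issued by this CA; matching DNs with a failed signature means the CA.crt on the client does not hold the key that signed the server certificate (a CA regenerated after issuing, or a chain file on the server carrying a different CA certificate with the same name), which is the pattern the ChainVerifier reported. A differing fingerprint between the trusted CA and the CA at the end of the server's chain pins that down. One caveat for anyone repeating this today: current JDKs disable DSA keys shorter than 1024 bits in PKIX path validation through the jdk.certpath.disabledAlgorithms security property, so 512-bit DSA certificates like the ones in the post are rejected by modern TLS stacks regardless of whether the signature is correct; the raw cert.verify() call above only tests the signature itself.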