Hello,
After my first post on SSL and the tool PorteCle (http://www.javablog.fr/java-ssl-generate-keystore-self-signed-certificate-tool-portecle.html), which allows generating a KeyStore and a self-signed certificate instead of using the Keytool shipped with the JDK / JRE, I would like to present a new tool: KeyStore Explorer.
KeyStore Explorer is an open source GUI replacement for the Java command-line utilities keytool and jarsigner. KeyStore Explorer presents their functionality, and more, via an intuitive graphical user interface.
https://keystore-explorer.org/
https://keystore-explorer.org/downloads.html
JAVA CACERTS truststore
First, a truststore is used to authenticate peers. A keystore contains the private keys of the clients and is used to authenticate yourself.
So there is also a truststore, ‘cacerts‘, used by Java processes executed in the JVM of the JDK. Java stores in this truststore the public certificates of root CAs. Java uses cacerts to authenticate remote servers from Java processes (for example during proxy generation from a WSDL). You can add the certificate of a remote server to the ‘cacerts‘ truststore.
The Java ‘cacerts‘ truststore is a file located in the folder $JAVA_HOME\jre\lib\security (ex: C:\SDK\jdk1.X.Y_ZZ\jre\lib\security).
Note: set the JAVA_HOME (if using the JDK) or JRE_HOME (if using the JRE) environment variable.
It is protected by a default password (ex: "changeit" or "changeme"), which can be changed with the following commands:
Add -storepass to the keytool arguments to pass the current password, and -new to give the new one:
$JAVA_HOME/bin/keytool -storepasswd -keystore mykeystore.jks -storepass changeit -new <newpassword>
But also notice that the -list command does not always require a password. I could execute the following command in both cases: without a password or with a valid password.
$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
Disable Certificate Validation in Java SSL Connections
Another solution is to disable certificate validation in Java SSL connections, for example when the following error occurs:
Caused by: javax.xml.ws.WebServiceException: Failed to access the WSDL at: https:
java.security.cert.CertificateException: No subject alternative DNS name matching myserver.mydomain.lu found..
    at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:162)
    at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:144)
    at com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:265)
    at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:228)
    at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:176)
    at com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:104)
    at javax.xml.ws.Service.<init>(Service.java:56)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching myserver.mydomain.lu found.
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1699)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1172)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    at java.net.URL.openStream(URL.java:1010)
    at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:804)
    at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDLParser.java:262)
    at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:129)
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching myserver.mydomain.lu found.
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:193)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:77)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
The above error could be fixed by disabling the HTTPS checks, using the approach presented on the web site https://nakov.com/blog/2009/07/16/disable-certificate-validation-in-java-ssl-connections/
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Class name assumed; the original snippet did not show it.
public class SSLTool {

    public static void main(String[] args) {
        // Disables certificate and hostname checks for every HttpsURLConnection in this JVM.
        disableSslVerification();
    }

    private static void disableSslVerification() {
        try {
            // Trust manager that accepts any certificate chain without checking it.
            TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
                public void checkClientTrusted(X509Certificate[] certs, String authType)
                        throws CertificateException {
                }
                public void checkServerTrusted(X509Certificate[] certs, String authType)
                        throws CertificateException {
                }
            } };

            // Install the all-trusting trust manager as the default SSL socket factory.
            SSLContext sc = SSLContext.getInstance("SSL");
            sc.init(null, trustAllCerts, new java.security.SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

            // Hostname verifier that accepts every hostname; this is what silences the
            // "No subject alternative DNS name matching ..." error shown in the trace above.
            HostnameVerifier allHostsValid = new HostnameVerifier() {
                public boolean verify(String hostname, SSLSession session) {
                    return true;
                }
            };
            HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (KeyManagementException e) {
            e.printStackTrace();
        }
    }
}
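As an added example that is not part of the original post, here is the other option mentioned above (adding the remote server's certificate to a truststore) carried through in Java: a dedicated truststore populated with keytool is loaded, its aliases are listed as keytool -list would, and it alone backs the SSLContext, while hostname verification stays at the JDK default. The file names, alias and password are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class DedicatedTrustStore {

    // Loads a JKS/PKCS12 truststore from disk. The file is assumed to have been
    // populated with keytool, e.g. (assumed file and alias names):
    //   keytool -importcert -alias myserver -file myserver.crt -keystore mytruststore.jks
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        return ts;
    }

    // Equivalent of "keytool -list": confirms the import actually landed.
    static List<String> trustedAliases(KeyStore ts) throws Exception {
        return Collections.list(ts.aliases());
    }

    // SSLContext whose trust decisions come only from that truststore.
    // Hostname verification is left at the JDK default, so a certificate that does
    // not name the host still fails with the "No subject alternative DNS name
    // matching ..." error from the trace above; the fix for that is a certificate
    // carrying the right SAN, not a permissive HostnameVerifier.
    static SSLContext contextFor(KeyStore ts) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = loadTrustStore("mytruststore.jks", "changeit".toCharArray());
        System.out.println("Trusted aliases: " + trustedAliases(ts));
        HttpsURLConnection.setDefaultSSLSocketFactory(contextFor(ts).getSocketFactory());
        // Same effect without code: -Djavax.net.ssl.trustStore=mytruststore.jks
        // -Djavax.net.ssl.trustStorePassword=changeit on the java command line.
    }
}
```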
Best regards,
Huseyin OZVEREN