JavaBlog.fr / Java.lu (DEVELOPMENT, Java, Library, Tools)

Java : SSL : Tool KeyStore Explorer, JDK cacerts truststore, Disable Certificate Validation in Java SSL Connections

Hello,

After my first post about SSL and the PorteCle tool (http://www.javablog.fr/java-ssl-generate-keystore-self-signed-certificate-tool-portecle.html), which allows generating a KeyStore and a self-signed certificate instead of using the Keytool shipped with the JDK / JRE, I would like to present a new tool: KeyStore Explorer.

KeyStore Explorer is an open source GUI replacement for the Java command-line utilities keytool and jarsigner. KeyStore Explorer presents their functionality, and more, via an intuitive graphical user interface.

https://keystore-explorer.org/

https://keystore-explorer.org/downloads.html


JAVA CACERTS truststore

First, a truststore is used to authenticate peers, whereas a keystore contains the client's private keys and is used to authenticate yourself.

So there is also a truststore, 'cacerts', used by the Java processes running in the JVM of the JDK. Java stores in this truststore the public certificates of root CAs and uses it to authenticate the remote servers a Java process connects to (for example during proxy generation from a WSDL). You can add the certificate of a remote server to the 'cacerts' truststore.

The Java 'cacerts' truststore is a file located in the folder $JAVA_HOME\jre\lib\security (ex: C:\SDK\jdk1.X.Y_ZZ\jre\lib\security).

Note : Set the JAVA_HOME (if using the JDK) or JRE_HOME (if using the JRE) environment variable.


It is protected by a default password (ex: "changeit" or "changeme"), which can be changed with the following commands:

Add -storepass to the keytool arguments (the -new argument gives the new password; without it keytool prompts for it):
$JAVA_HOME/bin/keytool -storepasswd -storepass <current-password> -new <new-password> -keystore mykeystore.jks

But also notice that the -list command does not always require a password: I could execute the following command in both cases, without a password or with a valid password.

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts


Disable Certificate Validation in Java SSL Connections

Another solution could be to disable certificate validation in Java SSL connections, for instance when the following error occurs:

Caused by: javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://myserver.mydomain.lu/services/myservice/MyService1?WSDL. It failed with:
    java.security.cert.CertificateException: No subject alternative DNS name matching myserver.mydomain.lu found..
    at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:162)
    at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:144)
    at com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:265)
    at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:228)
    at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:176)
    at com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:104)
    at javax.xml.ws.Service.<init>(Service.java:56)
    ... 16 more
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching myserver.mydomain.lu found.
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1699)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1172)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    at java.net.URL.openStream(URL.java:1010)
    at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:804)
    at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDLParser.java:262)
    at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:129)
    ... 22 more
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching myserver.mydomain.lu found.
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:193)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:77)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
    ... 37 more

The above error could be fixed by disabling the HTTPS checks, using the approach presented on the web site https://nakov.com/blog/2009/07/16/disable-certificate-validation-in-java-ssl-connections/

import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// ….
static {
    disableSslVerification();
}

// ….
private static void disableSslVerification() {
    try {
        // Create a trust manager that does not validate certificate chains
        TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // the interface requires a non-null array; empty means no issuers are advertised
                return new X509Certificate[0];
            }
            @Override
            public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
                // accepts any client certificate
            }
            @Override
            public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
                // accepts any server certificate: no chain validation at all
            }
        } };

        // Install the all-trusting trust manager ("SSL" is an alias of the default TLS context)
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

        // Create an all-trusting host name verifier
        HostnameVerifier allHostsValid = new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        };

        // Install the all-trusting host verifier
        HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    } catch (KeyManagementException e) {
        e.printStackTrace();
    }
}
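As an added example that is not code from the original post, the following program shows the alternative that the cacerts section points at: list what a truststore contains (what keytool -list or KeyStore Explorer shows) and build an SSLContext that trusts only the certificates in a chosen truststore, such as one into which the remote server's certificate was imported, instead of installing the all-trusting TrustManager above. The class and method names, the file myservers-truststore.jks and the changeit password are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreDemo {
    // Loads a JKS/PKCS12 truststore; a null password skips the integrity check but still reads the entries (as keytool -list does)
    static KeyStore loadTrustStore(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) { ks.load(in, password); }
        return ks;
    }

    // Alias, subject and expiry of every trusted certificate (what the KeyStore Explorer GUI displays)
    static List<String> listTrustedCertificates(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            out.add(alias + " : " + c.getSubjectX500Principal() + " (expires " + c.getNotAfter() + ")");
        }
        return out;
    }

    // SSLContext that trusts only the certificates in the given store. The PKIX trust manager keeps chain validation
    // and, for HTTPS, the host name check, so a "No subject alternative DNS name matching ..." error is fixed by reissuing the server certificate with the right SAN
    static SSLContext sslContextFrom(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // java.home is the JRE directory on JDK 8 (jre/lib/security) and the JDK root on JDK 9+
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        listTrustedCertificates(loadTrustStore(cacerts, "changeit".toCharArray())).forEach(System.out::println);
        KeyStore serverTrust = loadTrustStore(Paths.get("myservers-truststore.jks"), "changeit".toCharArray()); // assumed file: the server's certificate imported with KeyStore Explorer
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContextFrom(serverTrust).getSocketFactory());
    }
}
```

Without code changes, the same scoping can be applied JVM-wide with -Djavax.net.ssl.trustStore=<file> and -Djavax.net.ssl.trustStorePassword=<password>.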



Best regards,

Huseyin OZVEREN
