• Register
0 votes
189 views

Problem :

I am trying to setup a SSL Socket connection. But i am getting below error
javax.net.ssl.sslhandshakeexception received fatal alert bad_certificate
6 5 3
6,930 points

3 Answers

0 votes

Solution :

1. If the server certificate is signed and valid, you will only need to open the connection as usual with the use of bellow code:

import java.net.*;
import java.io.*;

public class URLConnectionReader {
    public static void main(String[] args) throws Exception {
        URL google = new URL("https://www.google.com/");
        URLConnection yc = google.openConnection();
        BufferedReader in = new BufferedReader(new InputStreamReader(
                                    yc.getInputStream()));
        String inputLine;
        while ((inputLine = in.readLine()) != null) 
            System.out.println(inputLine);
        in.close();
    }
}

2. If the server's certificate is signed but you are accessing using a different IP address/domain name than the one in the certificate, you can bypass hostname verification with this:

HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String urlHostName,SSLSession session) {
        return true;
    }
};

HttpsURLConnection.setDefaultHostnameVerifier(hv);

3. If the certificate is not signed then you need to add it to the keystore used by the JVM 

Further Readings:

https://github.com/jamesdbloom/mockserver/issues/205

9 7 4
38,600 points
0 votes

When the connections are established to the 3rd party end-points, then the default setting on the instance httpclient protocol could interface with their defined handshake.

  • When the client requests the server certificate for authentication, a certificate signing request is generated.
  • To respond to the CSR, two cryptographic keys are generated by the server. A public key used to encrypt the messages to the server and private key used to decrypt the messages.
  • To establish the secure link between the client and server, the server matches the certificate to the corresponding private key. Because only the server has access to the private key, the server can decrypt the data from the client.

Symptoms:

The user can face the problem if;

  • Connections to the system use non-mutual authentication services to work fine.
  • You have installed multiple Keystore.
  • Setting the properties to empty, or match the endpoint setup for SSL handshake resolves the problem.

Cause:

There are many reasons. Here is an example of a command that registers MYHTTPS with the com.glide.certificates.DBKeyStoreSocketFactory socket on port 443. The database key store factory is used during the SSL exchange process to offer the client certificate for mutual authentication.

glide.httpclient.protocol.myhttps.class = "com.glide.certificates.DBKeyStoreSocketFactory"

glide.httpclient.protocol.myhttps.port = "4433"

Solution:

On sys_properties form set the value port to empty. If this does not work match your mutual authentication profile according to the setup for your end-point

11 5 1
3,890 points
0 votes

Solution:

You require to include the origin cert to the keystore as well.

I caught this error at the time I removed these 2 lines. In case you know your keystore has the right certs, ensure that your code is glancing at the right keystore.

System.setProperty("javax.net.ssl.keyStore", <keystorePath>));
System.setProperty("javax.net.ssl.keyStorePassword",<keystorePassword>));

I also required this VM argument: -Djavax.net.ssl.trustStore=/app/certs/keystore.jk See here for more details: https://stackoverflow.com/a/34311797/1308453

Take steps that the server certificate is signed and valid, you just require to open the connection as usual:

import java.net.*;
import java.io.*;

public class URLConnectionReader {
    public static void main(String[] args) throws Exception {
        URL google = new URL("https://www.google.com/");
        URLConnection yc = google.openConnection();
        BufferedReader in = new BufferedReader(new InputStreamReader(
                                    yc.getInputStream()));
        String inputLine;
        while ((inputLine = in.readLine()) != null) 
            System.out.println(inputLine);
        in.close();
    }
}

Note that the URL has the HTTPS schema to imply the use of SSL.

In case the server's certificate is signed however you are accessing employing a different IP address/domain name than the one in the certificate, you can bypass hostname verification with this:

HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String urlHostName,SSLSession session) {
        return true;
    }
};

HttpsURLConnection.setDefaultHostnameVerifier(hv);

I the certificate is not signed then you require to include it to the keystore used by the JVM (useful commands).

On sys_properties form, fixed the value of glide.httpclient.protocol.myhttps.class and glide.httpclient.protocol.myhttps.port, to empty. In case this does not perform, match your reciprocal authentication profile value accordingly to the establishment for your end-point.

At one time you have uploaded the CA-signed certificate to the example of your end-point, and you have created separate certificate records for them, you must only update the key-store reference field on the existing myhttps protocol profile. In case you make another protocol profile for the testing or the production environment, you might run into link errors at the time attempting to link to the target system. Hence, with a view to  preventing few unexpected behavior, retain just one protocol profile called myhttps, and only update the references to the CA-signed key-store. Further, ensure that the key-store file name assures only small letters, as you might end up having authentication issues.

10 6 4
31,120 points

Related questions

0 votes
1 answer 243 views
243 views
Problem : I am trying to call an SSL protected web service running on JDK7 based client, but getting bellow error javax.net.ssl.sslexception received fatal alert unexpected_message
asked Nov 5, 2019 peterlaw 6.9k points
0 votes
2 answers 323 views
323 views
Problem : Has anyone faced this error before? I am new to SSL javax.net.ssl.sslexception: received fatal alert: protocol_version
asked Nov 2, 2019 peterlaw 6.9k points
0 votes
1 answer 244 views
244 views
Problem : I have a java complied package and it is sopposed to communicate with https server on net. But when i try running the compilation gives the following exception: javax.net.ssl.sslexception: unrecognized ssl message, plaintext connection?
asked Oct 23, 2019 peterlaw 6.9k points
0 votes
2 answers 794 views
794 views
Problem: I am attempting to download records from a https webpage and continue getting the accompanying error: OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure Unable to establish SSL connection. From perusing sites online I assemble I need to give ... alternative however that didn't work. wget version: wget-1.13.4 openssl version: OpenSSL 1.0.1f 6 Jan 2014
asked Nov 30, 2019 alecxe 7.5k points