• Register
0 votes
227 views

Problem :

I am trying to setup a SSL Socket connection. But i am getting below error
javax.net.ssl.sslhandshakeexception received fatal alert bad_certificate
6 5 3
6,930 points

Please log in or register to answer this question.

3 Answers

0 votes

Solution :

1. If the server certificate is signed and valid, you will only need to open the connection as usual with the use of bellow code:

import java.net.*;
import java.io.*;

public class URLConnectionReader {
    public static void main(String[] args) throws Exception {
        URL google = new URL("https://www.google.com/");
        URLConnection yc = google.openConnection();
        BufferedReader in = new BufferedReader(new InputStreamReader(
                                    yc.getInputStream()));
        String inputLine;
        while ((inputLine = in.readLine()) != null) 
            System.out.println(inputLine);
        in.close();
    }
}

2. If the server's certificate is signed but you are accessing using a different IP address/domain name than the one in the certificate, you can bypass hostname verification with this:

HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String urlHostName,SSLSession session) {
        return true;
    }
};

HttpsURLConnection.setDefaultHostnameVerifier(hv);

3. If the certificate is not signed then you need to add it to the keystore used by the JVM 

Further Readings:

https://github.com/jamesdbloom/mockserver/issues/205

9 7 4
38,600 points
0 votes

When the connections are established to the 3rd party end-points, then the default setting on the instance httpclient protocol could interface with their defined handshake.

  • When the client requests the server certificate for authentication, a certificate signing request is generated.
  • To respond to the CSR, two cryptographic keys are generated by the server. A public key used to encrypt the messages to the server and private key used to decrypt the messages.
  • To establish the secure link between the client and server, the server matches the certificate to the corresponding private key. Because only the server has access to the private key, the server can decrypt the data from the client.

Symptoms:

The user can face the problem if;

  • Connections to the system use non-mutual authentication services to work fine.
  • You have installed multiple Keystore.
  • Setting the properties to empty, or match the endpoint setup for SSL handshake resolves the problem.

Cause:

There are many reasons. Here is an example of a command that registers MYHTTPS with the com.glide.certificates.DBKeyStoreSocketFactory socket on port 443. The database key store factory is used during the SSL exchange process to offer the client certificate for mutual authentication.

glide.httpclient.protocol.myhttps.class = "com.glide.certificates.DBKeyStoreSocketFactory"

glide.httpclient.protocol.myhttps.port = "4433"

Solution:

On sys_properties form set the value port to empty. If this does not work match your mutual authentication profile according to the setup for your end-point

11 5 2
3,890 points
0 votes

Solution:

You require to include the origin cert to the keystore as well.

I caught this error at the time I removed these 2 lines. In case you know your keystore has the right certs, ensure that your code is glancing at the right keystore.

System.setProperty("javax.net.ssl.keyStore", <keystorePath>));
System.setProperty("javax.net.ssl.keyStorePassword",<keystorePassword>));

I also required this VM argument: -Djavax.net.ssl.trustStore=/app/certs/keystore.jk See here for more details: https://stackoverflow.com/a/34311797/1308453

Take steps that the server certificate is signed and valid, you just require to open the connection as usual:

import java.net.*;
import java.io.*;

public class URLConnectionReader {
    public static void main(String[] args) throws Exception {
        URL google = new URL("https://www.google.com/");
        URLConnection yc = google.openConnection();
        BufferedReader in = new BufferedReader(new InputStreamReader(
                                    yc.getInputStream()));
        String inputLine;
        while ((inputLine = in.readLine()) != null) 
            System.out.println(inputLine);
        in.close();
    }
}

Note that the URL has the HTTPS schema to imply the use of SSL.

In case the server's certificate is signed however you are accessing employing a different IP address/domain name than the one in the certificate, you can bypass hostname verification with this:

HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String urlHostName,SSLSession session) {
        return true;
    }
};

HttpsURLConnection.setDefaultHostnameVerifier(hv);

I the certificate is not signed then you require to include it to the keystore used by the JVM (useful commands).

On sys_properties form, fixed the value of glide.httpclient.protocol.myhttps.class and glide.httpclient.protocol.myhttps.port, to empty. In case this does not perform, match your reciprocal authentication profile value accordingly to the establishment for your end-point.

At one time you have uploaded the CA-signed certificate to the example of your end-point, and you have created separate certificate records for them, you must only update the key-store reference field on the existing myhttps protocol profile. In case you make another protocol profile for the testing or the production environment, you might run into link errors at the time attempting to link to the target system. Hence, with a view to  preventing few unexpected behavior, retain just one protocol profile called myhttps, and only update the references to the CA-signed key-store. Further, ensure that the key-store file name assures only small letters, as you might end up having authentication issues.

10 6 4
31,120 points

Related questions

0 votes
1 answer 364 views
364 views
Problem : I am trying to call an SSL protected web service running on JDK7 based client, but getting bellow error javax.net.ssl.sslexception received fatal alert unexpected_message
asked Nov 5, 2019 peterlaw 6.9k points
0 votes
2 answers 378 views
378 views
Problem : Has anyone faced this error before? I am new to SSL javax.net.ssl.sslexception: received fatal alert: protocol_version
asked Nov 2, 2019 peterlaw 6.9k points
0 votes
1 answer 365 views
365 views
Problem : I have a java complied package and it is sopposed to communicate with https server on net. But when i try running the compilation gives the following exception: javax.net.ssl.sslexception: unrecognized ssl message, plaintext connection?
asked Oct 23, 2019 peterlaw 6.9k points
0 votes
2 answers 1.2K views
1.2K views
Problem: I am attempting to download records from a https webpage and continue getting the accompanying error: OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure Unable to establish SSL connection. From perusing sites online I assemble I need to give ... alternative however that didn't work. wget version: wget-1.13.4 openssl version: OpenSSL 1.0.1f 6 Jan 2014
asked Nov 30, 2019 alecxe 7.5k points
0 votes
1 answer 1.9K views
1.9K views
Problem : I had to remove a +CompatEnvVars from following : SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire As it said it was an invalid command or something. So having removed that and following a instructions to a nail it get below error: ... maximum permissible length. (Error code: ssl_error_rx_record_too_long) I am very new to SSL, any advice on what is going wrong?
asked Jan 17, 2020 jwilliam 3.9k points
0 votes
1 answer 10 views
10 views
Has anyone encountered this error before?
asked Dec 28, 2020 TeamScript 10.3k points
0 votes
1 answer 139 views
139 views
Problem : With my two classes I want to connect to the MySQL database. But, I always get below error: Wed Dec 04 10:46:52 CET 2019 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ ... public void close(){ if(conn != null){ try { conn.close(); } catch (SQLException e) { e.printStackTrace(); } } } }
asked Dec 4, 2019 alecxe 7.5k points
1 vote
2 answers 122 views
122 views
Problem: I am able to login through webservices api to particular account on 'Oracle on demand'. When i tries to call 'accountQueryPage' method of the stub class (Stub class is generated with help Account.wsdl file), i got the following exception java.net.SocketException: Software caused connection abort: recv failed Can anyone give me some pointers.
asked Mar 27, 2020 LizzyM 6.1k points
2 votes
1 answer 30 views
30 views
Problem: I am able to login through webservices api to particular account on 'Oracle on demand'. When i tries to call 'accountQueryPage' method of the stub class (Stub class is generated with help Account.wsdl file), i got the following exception java.net.SocketException: Software caused connection abort: recv failed Can anyone give me some pointers.
asked Mar 24, 2020 LizzyM 6.1k points