SSL Notes

Post category: Java

We have a (very) old project running on Java 1.4, and today we had to struggle with getting SSL HTTP requests to work on it. Since very few people still have this problem, we will simply list the various SSL-related things we touched on today.

1. Old Java versions won’t have the latest root certificates, so you will have to add them manually. For example, Java 5 doesn’t have the Comodo Essential SSL certificates, so you can get them from the Comodo Root & Intermediate Certificates download page.

Another way of getting the certificates is to get them from your browser. In IE, go to Tools -> Internet Options -> Certificates. In Firefox, go to Options -> Advanced -> Encryption. In Chrome, go to Settings -> Show advanced settings -> Manage certificates. Look for the certificate you need and do an export.

2. In Windows 7, when you run commands that make changes to files under JRE_HOME, make sure you run cmd.exe as Administrator.

3. When working with keytool and it asks for a password, use the default password “changeit”.

4. To view the certificates inside the keystore, use the keytool -list command:

%JRE_HOME%\bin\keytool -list -v -keystore %JRE_HOME%\lib\security\cacerts

5. To add new root and intermediate certificates, run keytool -import. For example:

%JRE_HOME%\bin\keytool -import -trustcacerts -alias EssentialSSL -file EssentialSSLCA_2.crt -keystore %JRE_HOME%\lib\security\cacerts

To add EssentialSSL to Java 5, we had to import EssentialSSLCA_2.crt, ComodoUTNSGCCA.crt, and UTNAddTrustSGCCA.crt.

6. To add a self-signed certificate, also use keytool -import, without the -trustcacerts option. For example:

%JRE_HOME%\bin\keytool -import -alias SelfSignedCert -file SelfSignedCert.crt -keystore %JRE_HOME%\lib\security\cacerts

7. SSL Shopper has a list of the most common keytool commands.

8. If you wish to use your own trust store file instead of the default %JRE_HOME%/lib/security/cacerts, point the javax.net.ssl.trustStore system property at it. (javax.net.ssl.keyStore is the separate property for the client's own key and certificate, so setting it does not replace cacerts.)

-Djavax.net.ssl.trustStore=/home/user/cacerts

9. If you wish to view the certificate chain for debugging purposes, you can use openssl or sslshopper.com.

openssl s_client -host www.example.com -port 443

http://www.sslshopper.com/ssl-checker.html#hostname=www.example.com

10. To disable certificate validation for testing purposes, install an all-trusting X509TrustManager. It accepts any server certificate, so it is only suitable for local testing.

import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TrustAllForTesting {

	// Installs the all-trusting manager as the default for every HttpsURLConnection in this JVM.
	public static void disableX509TrustManager() {
		try {
			SSLContext context = SSLContext.getInstance("SSLv3");
			TrustManager[] trustManagerArray = { new NullX509TrustManager() };
			context.init(null, trustManagerArray, null);
			HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
		} catch (Exception e) {
			e.printStackTrace();
		}
	}

	// Accepts every certificate chain without checking its signatures, issuer or validity period.
	private static class NullX509TrustManager implements X509TrustManager {

		public void checkClientTrusted(X509Certificate[] cert, String authType) {
		}

		public void checkServerTrusted(X509Certificate[] cert, String authType) {
		}

		public X509Certificate[] getAcceptedIssuers() {
			// Return an empty array rather than null: some JSSE implementations dereference this.
			return new X509Certificate[0];
		}
	}
}
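The opposite of step 10, as an added example that is not part of the original post: build an SSLContext from a trust store you control (for instance the cacerts copy with the .crt files from steps 5 and 6 imported into it), use it for an HttpsURLConnection, and print the server's certificate chain for the kind of debugging step 9 does with openssl. The trust store path, its password "changeit" and the host www.example.com are assumptions taken from the steps above; the class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreExample {

	// Builds an SSLContext whose trust manager accepts only chains that end in a
	// certificate stored in the given trust store (imported root, intermediate or self-signed).
	public static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
		KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); // "jks" on old JREs
		InputStream in = new FileInputStream(path);
		try {
			trustStore.load(in, password);
		} finally {
			in.close();
		}
		TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
		tmf.init(trustStore);
		SSLContext context = SSLContext.getInstance("TLS");
		context.init(null, tmf.getTrustManagers(), null); // no client key, only our trust managers
		return context;
	}

	// Connects with that context and returns the chain the server presented; the handshake
	// fails with an SSLHandshakeException if the chain is not rooted in our trust store.
	public static X509Certificate[] fetchServerChain(SSLContext context, String host) throws Exception {
		HttpsURLConnection conn = (HttpsURLConnection) new URL("https://" + host + "/").openConnection();
		conn.setSSLSocketFactory(context.getSocketFactory()); // per-connection, not the JVM default
		conn.connect();
		try {
			Certificate[] chain = conn.getServerCertificates();
			X509Certificate[] x509 = new X509Certificate[chain.length];
			for (int i = 0; i < chain.length; i++) x509[i] = (X509Certificate) chain[i];
			return x509;
		} finally {
			conn.disconnect();
		}
	}

	public static void main(String[] args) throws Exception {
		String trustStorePath = args.length > 0 ? args[0] : "/home/user/cacerts"; // assumed path
		String host = args.length > 1 ? args[1] : "www.example.com";
		X509Certificate[] chain = fetchServerChain(contextFromTrustStore(trustStorePath, "changeit".toCharArray()), host);
		for (int i = 0; i < chain.length; i++)
			System.out.println(i + ": " + chain[i].getSubjectX500Principal() + "  issued by  " + chain[i].getIssuerX500Principal());
	}
}
```

Run it as java TrustStoreExample /path/to/cacerts www.example.com; a chain that prints is one the trust store actually accepts, which is the check to make before reaching for step 10.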