I have to connect to a server via SSL dual authentication. I have added my own private key plus certificate to a keystore.jks and the self signed certificate of the server to a truststore.jks, both files are copied to /usr/share/tomcat7. The socket factory used by my code is delivered by the following provider:
@Singleton
public static class SecureSSLSocketFactoryProvider implements Provider<SSLSocketFactory> {
private SSLSocketFactory sslSocketFactory;
public SecureSSLSocketFactoryProvider() throws RuntimeException {
try {
final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
final InputStream trustStoreFile = new FileInputStream("/usr/share/tomcat7/truststore.jks");
trustStore.load(trustStoreFile, "changeit".toCharArray());
final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
final InputStream keyStoreFile = new FileInputStream("/usr/share/tomcat7/keystore.jks");
keyStore.load(keyStoreFile, "changeit".toCharArray());
final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, "changeit".toCharArray());
final SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
this.sslSocketFactory = sslContext.getSocketFactory();
} catch (final KeyStoreException e) {
Log.error("Key store exception: {}", e.getMessage(), e);
} catch (final CertificateException e) {
Log.error("Certificate exception: {}", e.getMessage(), e);
} catch (final UnrecoverableKeyException e) {
Log.error("Unrecoverable key exception: {}", e.getMessage(), e);
} catch (final NoSuchAlgorithmException e) {
Log.error("No such algorithm exception: {}", e.getMessage(), e);
} catch (final KeyManagementException e) {
Log.error("Key management exception: {}", e.getMessage(), e);
} catch (final IOException e) {
Log.error("IO exception: {}", e.getMessage(), e);
}
}
@Override
public SSLSocketFactory get() {
return sslSocketFactory;
}
}
When I try to connect to an endpoint on the server I get the following exception though:
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.7.0_45]
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) ~[na:1.7.0_45]
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959) ~[na:1.7.0_45]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077) ~[na:1.7.0_45]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) ~[na:1.7.0_45]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339) ~[na:1.7.0_45]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323) ~[na:1.7.0_45]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) ~[na:1.7.0_45]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[na:1.7.0_45]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) ~[na:1.7.0_45]
Any idea what I have missed here?
If you get an alert unknown_ca
back from the server, then the server did not like the certificate you've send as the client certificate, because it is not signed by a CA which is trusted by the server for client certificates.