如何建立与mail.google.com的单向SSL连接？

Question

I am trying to establish a one way SSL connection to mail.google.com through java. I supposed mail.google.com is the same as gmail, so I created a certificate for gmail.com using the instructions provided here .

I created the cert as follows -

$ openssl s_client -connect smtp.gmail.com:465

Then I copied the

-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----

section into a file called "gmail.cert".

After that, I created my own keystore using the following command, setting the password to "password" -

$ keytool -import -alias smtp.gmail.com -keystore simpleKS.jks -file gmail.cert

I used the Java code provided at this link, with minor modifications:

    System.setProperty("javax.net.ssl.trustStore", "simpleKS.jks");
    System.setProperty("javax.net.ssl.trustStorePassword", "password");
    System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");

    //connect to google          
    SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket sslSock = (SSLSocket) factory.createSocket("mail.google.com",443);

    System.out.println("Sending request...");         
    //send HTTP get request
    BufferedWriter wr = new BufferedWriter(new OutputStreamWriter(sslSock.getOutputStream(), "UTF8"));           
    wr.write("GET /mail HTTP/1.1\r\nhost: mail.google.com\r\n\r\n");
    wr.flush();

    System.out.println("Reading response...");

    // read response
    BufferedReader rd = new BufferedReader(new InputStreamReader(sslSock.getInputStream()));          
    String string = null;

    while ((string = rd.readLine()) != null) {
        System.out.println(string);
        System.out.flush();
    }

    rd.close();
    wr.close();
    // Close connection.
    sslSock.close();    

The class file and the keystore (and all other files) are in the same directory, so I am pretty sure it is not an issue with finding the actual keystore file.

However, when I execute this code, I get

Sending request...
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What am I doing wrong?

Answer 1

Guess this is because the certs differ a bit for each protocol used see . So you might have to play arround with openssl to convert the cert to be used for another protocol.

Your error message states the same, it doesn't find a cert for mail.google.com since you only provided one for smtp.gmail.com.

(disclaimer i'm no ssl guru, just trying to point in a hopefully right direction)