
Java client SSL Socket unknown_ca

I'd like to be able to connect to an https site that requires a personal certificate from a smart card for authentication. I think I'm very close to having it work, but not sure how to get past this exception:

javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca

I'm not able to share my code because of contract, but here's a summary:

I created a keystore that contains all certificates that I exported out of my browser. I use this keystore as the truststore for the SSLContext. I'm pretty certain this keystore contains the correct CA certificates to verify the remote site's cert because it fixes the "unable to find valid certification path to requested target" exception.

I can programmatically create a keystore using the smart card reader as a provider, similar to the technique described here: Common Access Card (CAC) Authentication Using Java. The keystore created from the smart card contains my personal certificates. When I use that as the keystore for the SSLContext, this resolves the error message: "Received fatal alert: handshake_failure".

So, it seems I'm getting closer! But the most recent stacktrace I'm seeing is:

javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca

I added the JVM flag -Djavax.net.debug=ssl and I am seeing good SSL debug info, but I'm not sure how to read the debug trace to figure out which CA is unknown.

One question: The truststore keystore contains all the CA certs. However, the keystore created from the smart card does not contain any of the CA certs (it only contains the personal certs found on the smart card). Maybe I need to add the CAs to the keystore?

Any other suggestions/thoughts about what I might be missing and/or how to interpret the SSL debug output?

It seems that I needed to pass the provider when creating the keystore from the smart card.

To create the keystore from the smart card, I created a card.config file and then used this code as described here: Common Access Card (CAC) Authentication Using Java:

Provider provider = new sun.security.pkcs11.SunPKCS11("card.config");
Security.addProvider(provider);

Then, I used code like this to create the keystore:

KeyStore ks = KeyStore.getInstance("PKCS11");

Changing that line to the following seems to have fixed the "unknown_ca" issue:

KeyStore ks = KeyStore.getInstance("PKCS11", provider);

Update: After adding provider as second param, it worked for a while but now I'm seeing the unknown_ca error again?!
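As an added example (not the poster's code), here is how the pieces discussed in this thread fit together: the PKCS11 keystore created with the explicit provider feeds the key manager, the keystore of exported CA certificates feeds the trust manager, and a small helper lists the issuer of each certificate on the card. A server-sent unknown_ca alert means the server does not trust the issuer of the client certificate it received, so those issuer names are what to compare against the CA list the server sends in its CertificateRequest in the -Djavax.net.debug=ssl trace. The config path, truststore path, password and URL are placeholders.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;
public class SmartCardTlsClient {
    // Card as a PKCS11 keystore, provider passed explicitly (Java 8 constructor as on the page).
    static KeyStore loadCardKeyStore(String pkcs11ConfigPath, char[] pin) throws Exception {
        Provider provider = new sun.security.pkcs11.SunPKCS11(pkcs11ConfigPath);
        Security.addProvider(provider); // JSSE locates the PKCS11 Signature impl via registered providers
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, pin); // no stream: the token is the store, the PIN logs in
        return ks;
    }
    // Issuer DN of every private-key entry on the card, to compare with the CA names the server
    // advertises in its CertificateRequest (visible in the -Djavax.net.debug=ssl output).
    static List<String> cardCertIssuers(KeyStore cardKs) throws Exception {
        List<String> out = new ArrayList<>();
        for (Enumeration<String> e = cardKs.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!cardKs.isKeyEntry(alias)) continue;
            X509Certificate c = (X509Certificate) cardKs.getCertificate(alias);
            out.add(alias + " <- issued by " + c.getIssuerX500Principal().getName());
        }
        return out;
    }
    // Key manager from the card, trust manager from the keystore of exported CA certificates.
    static SSLContext buildContext(KeyStore cardKs, char[] pin, String trustStorePath, char[] trustPw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(cardKs, pin);
        KeyStore trustKs = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustKs.load(in, trustPw);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKs);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        char[] pin = System.console().readPassword("Card PIN: "); // prompt instead of hard-coding the PIN
        KeyStore cardKs = loadCardKeyStore("card.config", pin); // placeholder paths/password/URL below
        cardCertIssuers(cardKs).forEach(System.out::println);
        SSLContext ctx = buildContext(cardKs, pin, "truststore.jks", "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://example.invalid/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

If the issuer printed for the card certificate does not appear among the CertificateRequest CA names in the debug trace, the server side needs that issuing CA added to its trust configuration; adding CA certificates to the client keystore does not change which issuer the server sees.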
