
SSL Certificate Upgrade causing Issues

We are talking to a remote server for authenticating a user. The web server uses an SSL certificate signed by Verisign. The data is exchanged over HTTPS and we have configured our ThreadSafeClientConnManager to use the JVM default SSL factory:

import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;

// sDefaultHttpParams is an HttpParams instance defined elsewhere in our code
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
// SSLSocketFactory.getSocketFactory() validates against the JVM default trust store (cacerts)
schemeRegistry.register(new Scheme("https", SSLSocketFactory.getSocketFactory(), 443));
ClientConnectionManager manager = new ThreadSafeClientConnManager(sDefaultHttpParams, schemeRegistry);

Recently, the web server updated their SSL certificates and this has caused our application to break. What can we do to avoid this problem?

Please help.

There is nothing you can really do to "avoid" the problem because it isn't really a problem, it is a core "feature" of SSL certificates and authority trust.

This is a pretty broad question, more detail could help pinpoint the exact problem, but here are the first 2 things to check.

  1. What CA did they upgrade their SSL cert to use? Is it self-signed?
    If the site has been upgraded to use an SSL cert that uses a non-standard root certificate authority, then you need to import the specific SSL cert using keytool to tell your local JVM that the cert is trusted. If they are using a new authority (and your organization trusts that root authority) then you may need to import a new root certificate authority; most major ones are supported by default, but I have been forced to import new ones on occasion.

http://download.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html

  2. Make sure their cert is chained correctly. The 2nd most common problem I have seen is cert chaining (install) by the site admins. Unfortunately IE/Mozilla/Java... all use different validation mechanisms to make sure SSL certs are "valid", and I have found that many site admins don't know how to properly chain a cert to the appropriate root authority on their site. You should open the cert in a browser (I would open it in multiple) and inspect the chain of trust to make sure the cert chains from the site all the way back up to the expected root CA. (This is also how you can check the root CA for #1.) If it does not have a chain of trust then the JVM SSL validation will fail (whereas I have seen Internet Explorer call a non-chained cert "valid" in older versions of IE).
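Both checks in the answer can be done from the same JVM that is failing, which removes the guesswork about what a browser shows versus what Java sees. The following is an added example, not code from the question or the answer: `printServerChain` performs check #2 by wrapping the JVM's default trust manager in one that prints every certificate the server sends (subject, issuer, validity) before delegating the real decision to the default manager, so a missing intermediate or an unexpected new root is visible in the output even when the handshake is rejected; `registryWithTrustStore` performs check #1 by pointing the same legacy HttpClient 4.x `SchemeRegistry` the question uses at a truststore file into which the new root (or the server cert itself) has been imported with keytool, instead of the JVM default store. The host `auth.example.com`, the truststore path and the password are placeholders; the HttpClient classes assumed are the `org.apache.http.conn.*` ones from the question.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;

public class TlsTrustDiagnostics {

    /**
     * Check #2: print the chain the server actually sends, leaf first, then let the
     * JVM's default trust manager make the real decision. The chain is printed even
     * when validation fails, so a missing intermediate or a new root shows up.
     */
    public static void printServerChain(String host, int port) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the JVM default trust store (cacerts)
        final X509TrustManager defaultTm = (X509TrustManager) tmf.getTrustManagers()[0];

        X509TrustManager recordingTm = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                for (int i = 0; i < chain.length; i++) {
                    X509Certificate c = chain[i];
                    System.out.println("[" + i + "] subject=" + c.getSubjectX500Principal()
                            + "\n    issuer=" + c.getIssuerX500Principal()
                            + "\n    valid=" + c.getNotBefore() + " .. " + c.getNotAfter());
                }
                X509Certificate last = chain[chain.length - 1];
                if (!last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                    // Servers usually omit the root; a trust anchor for this issuer
                    // must then already be present in the trust store.
                    System.out.println("note: chain does not end at a self-signed root; "
                            + "trust store must contain an anchor for "
                            + last.getIssuerX500Principal());
                }
                defaultTm.checkServerTrusted(chain, authType); // enforce; never bypass
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                defaultTm.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() {
                return defaultTm.getAcceptedIssuers();
            }
        };

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recordingTm }, null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            socket.startHandshake(); // throws SSLHandshakeException if the chain is untrusted
            System.out.println("handshake OK: chain is trusted by the default store");
        } finally {
            socket.close();
        }
    }

    /**
     * Check #1: after the new root (or the server cert) has been imported with keytool
     * into a truststore file, build the https scheme from that store instead of
     * SSLSocketFactory.getSocketFactory(), which only consults the JVM default store.
     */
    public static SchemeRegistry registryWithTrustStore(String trustStorePath, char[] password)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(trustStorePath);
        try {
            trustStore.load(in, password);
        } finally {
            in.close();
        }
        // Fully qualified to avoid a name clash with javax.net.ssl.SSLSocketFactory
        org.apache.http.conn.ssl.SSLSocketFactory sslFactory =
                new org.apache.http.conn.ssl.SSLSocketFactory(trustStore);
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        registry.register(new Scheme("https", sslFactory, 443));
        return registry;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "auth.example.com"; // placeholder host
        printServerChain(host, 443);
    }
}
```

Run `printServerChain` against the authentication server first: if the printed chain stops at an intermediate whose issuer is not in the default store, that is the chaining problem of check #2 and the fix belongs on the server. If the chain is complete but ends at a root the JVM does not ship, import that root with `keytool -importcert -keystore truststore.jks -alias newroot -file newroot.pem` (the file name and alias are placeholders) and hand the resulting file to `registryWithTrustStore`; the `SchemeRegistry` it returns drops into the question's `ThreadSafeClientConnManager` unchanged. Importing a root rather than the leaf cert means the next certificate renewal from the same CA will not break the client again, whereas importing the leaf only postpones this problem until its expiry.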
