0

This is how browser deals with ssl certificate when connecting to https site

  1. When i type https://myDemoSite.com in browser , first of all my browser asks for the certificate from myDemoSite.com(due to https), then myDemoSite send that certificate to browser

  2. Once browser receives that certificate, browser will check whether it is signed by verified authority or not like verisign

  3. If yes from second step,then as third step it checks whether certificate issues has same url which user in browser typed

Now i am connecting the https site through java program say HttpsConnectProg1.My question is how the programmei.e HttpsConnectProg1 will deal with this certificate issued with https site connection(though certificate issued by this https site is cerified i.e signed by verified authority).

I just tried a small programme connecting to https site which issues the certified certificate. I was expected some error like sslhandshake error or some certificate error (as i did not add this this certified certificate in $JAVA_HOME\jre\lib\security folder)but to my surprise i did not get any error .

Now important question is does HttpsConnectProg1 checks step 3 done by browser as it is very important step? For your reference here it is 

 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLConnection;
 import java.util.Properties;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLSession;


 public class ConnectToDemoSite {

/**
 * @param args
 */
public static void main(String[] args) {
    // TODO Auto-generated method stub

    String urlStr = "https://www.myDemoSite.com/demo1/";
    URL url;
    Properties reply = new Properties();
    try {
        url = new URL(urlStr);
        URLConnection conn = url.openConnection();
        if(conn instanceof HttpsURLConnection)
        {
        HttpsURLConnection conn1 = (HttpsURLConnection)url.openConnection();
            conn1.setHostnameVerifier(new HostnameVerifier()  
            {        
                public boolean verify(String hostname, SSLSession session)  
                {  
                    return true;  
                }  
            });  

        reply.load(conn1.getInputStream());
        }
        else 
        {
             conn = url.openConnection();
             reply.load(conn.getInputStream());
        }
    } catch (MalformedURLException e) {
       e.printStackTrace();
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    }
    catch (Exception e) {
        e.printStackTrace();
    }
    System.out.println("reply is"+reply);



 }

}
n3utrino
  • 2,361
  • 3
  • 22
  • 32
M Sach
  • 33,416
  • 76
  • 221
  • 314

2 Answers2

3

When you make a connection to an https:// URI with Java, it uses the Java Secure Socket Extension (JSSE) (unless you really want to use a custom implementation of SSL/TLS, but that's very rare).

There are multiple ways of tweaking the trust management (mainly be using custom TrustManagers), but it will use a certain number of sensible settings otherwise.

In your example, the certificate will be verified using the default SSLContext, itself configured with the default X509TrustManager, with trust anchors read from cacerts (see the table in the Customization section of the JSSE Ref. Guide).

By default, the JRE comes with a number of pre-trusted CA certificates (like most browsers or OSes) in cacerts, which is usually similar to what you would find in browsers. Here is what the JSSE Ref. Guide says about it:

IMPORTANT NOTE: The JDK ships with a limited number of trusted root certificates in the /lib/security/cacerts file. As documented in keytool, it is your responsibility to maintain (that is, add/remove) the certificates contained in this file if you use this file as a truststore.

Depending on the certificate configuration of the servers you contact, you may need to add additional root certificate(s). Obtain the needed specific root certificate(s) from the appropriate vendor.

If the certificate is trusted, it then checks whether the host name is valid for the intended URL. (Note that it's not the full URL that is checked, but the host name only.)

Those rules are defined in RFC 2818 (the HTTPS specification), Section 3.1. (Java 7 doesn't implement RFC 6125 yet, but the rules are very similar, especially for HTTPS.) EDIT: When the connection is established, the URLConnection (and the underlying SSLSession) is set with the host name of the server. In short, following the rules in RFC 2818, it looks into the server certificate for a DNS entry in the Subject Alternative Name (SAN) extension of the certificate to see if it matches the host name set for the connection, or look for that name in the certificate's Subject DN's Common Name (CN), when no SAN DNS entry is present.

The host name verification is normally done by the default host name verifier. In your example, you've replaced the default verifier by one that always returns true. Hence, this verification will not actually happen in your case, and everything will be accepted (you're introducing a security hole by doing this).

In addition, the default host name verification done in Java follows RFC 2818 more strictly than a number of browsers. In particular, it won't accept IP addresses in CNs.

(For the same reason as you should use a host name verifier that always returns true, you shouldn't use trust managers that don't do anything, as you'll see a number of examples around, offering a quick fix for some SSL error messages.)

Community
  • 1
  • 1
Bruno
  • 119,590
  • 31
  • 270
  • 376
  • Two questions i.e Question1:- As you told If the certificate is trusted, it then checks whether the host name is valid for the intended URL. It seems that certficates also has host information in it so that HttpsURLConnection can check whether host in certificates matches with url programme is trying to connect. RIGHT? Question 2:- As you said In your example, you've replaced the default verifier by one that always returns true, i did it becoz i was getting some weird error and i was using self signed certificate that time. I am not is it a good practice to return true even – M Sach May 30 '12 at 10:39
  • I've added a bit more about question 1: it does compare the host name with some information in the certificate (SAN extension or CN) indeed. Regarding question 2, you should always verify the host name anyway; the only exception to this is if you want to pin a specific certificate down for a specific host, but you would have to verify this exception manually beforehand (similar to the checks you make in Firefox when you want to add a manual exception: you'd need to look at the cert to check it's what you expect, using other trusted sources of information). – Bruno May 30 '12 at 10:51
  • A bit more on question 2. You said you should always verify the host name anyway. As per my understanding it will be done automatically if i don't return the true inside verify method explicitlty? You also said in original post that For the same reason as you should use a host name verifier that always returns true, you shouldn't use trust managers that don't do anything. I think you are saying if am returning true inside verify method, My trust managers should take care of matching host name logic ? – M Sach May 30 '12 at 11:32
  • No, I'm saying you shouldn't set a custom host name verifier. Use the default one. – Bruno May 30 '12 at 11:55
1

Java includes root certificates from well-known certificate authorities, so if you have a real certificate, it operates much like a browser.

If you sign your own certificate, a browser will warn you and provide a UI to enable use of the certificate in the future. This is where things diverge for a Java program—the right way to handle this depends entirely on the program you are writing, and there can't be a one-size-fits-all approach.

If your application has a UI, you could do something similar to what a browser does.

On the other hand, a "headless" application is usually pre-configured with the necessary root certificates.

In the end, both browsers and the Java PKIX validation libraries are maintaining the security of TLS by requiring you to provide or approve the root certificates on which authentication ultimately depend. Without trusted root certificates, it is impossible to authenticate a server, and thus impossible to ensure privacy or integrity of communications.

erickson
  • 265,237
  • 58
  • 395
  • 493