
I have a simple Java StompClient connecting to Java websocket events. It works when the server is configured as ws. Not able to connect when the server is configured as wss. Code snippet below...

// Imports assumed for Apache HttpCore 4.4+ (SSLContextBuilder, TrustStrategy), Spring WebSocket/Messaging and the JDK
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.TrustStrategy;
import org.springframework.messaging.simp.stomp.StompSession;
import org.springframework.util.concurrent.ListenableFuture;
import org.springframework.web.socket.client.standard.StandardWebSocketClient;
import org.springframework.web.socket.messaging.WebSocketStompClient;

// Trust store: certificates the client trusts; key store: the client's own certificate and private key
KeyStore truststore = KeyStore.getInstance("JKS");
truststore.load(this.getClass().getResourceAsStream("/truststore.jks"), "<hidden_pwd_for_thispost>".toCharArray());
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(this.getClass().getResourceAsStream("/keystore.jks"), "<hidden_pwd_for_thispost>".toCharArray());

// The strategy must be declared before the builder chain that uses it; it accepts any chain (as in the
// original snippet) but, as the stack trace shows, that does not skip the JDK's hostname verification.
TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
SSLContext sslContext = new SSLContextBuilder()
        .loadTrustMaterial(truststore, acceptingTrustStrategy)
        .loadKeyMaterial(keystore, "<hidden_pwd_forthisPost>".toCharArray())
        .build();

// Hand the SSLContext to Tomcat's WebSocket client through its user property
StandardWebSocketClient client = new StandardWebSocketClient();
client.getUserProperties().clear();
client.getUserProperties().put("org.apache.tomcat.websocket.SSL_CONTEXT", sslContext);
WebSocketStompClient stompClient = new WebSocketStompClient(client);
ListenableFuture<StompSession> sessionFuture = stompClient.connect(url, handler);
session = sessionFuture.get();

Exception

Caused by: java.security.cert.CertificateException: No name matching <myhost> found
at sun.security.util.HostnameChecker.matchDNS(Unknown Source)
at sun.security.util.HostnameChecker.match(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(Unknown Source)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)

Please note I have built the keyStore and self-signed trustStore locally, and both keyStore and trustStore have CN as my hostname. Verified the above by running keytool -list.

Can someone please suggest? Your help is much appreciated.

Apologies if this question is already answered; I have searched for a while with no result. Hence posting.

Thanks,

Prashanth G

1 Answer


Does the Subject Alternative Name in your certificate match the Server Host name?

X509v3 extensions:
    X509v3 Subject Alternative Name:
        DNS:<**HOST name which matches the server host name**>

You can check this using the steps below:

• openssl s_client -connect <serverhostname>:<port on which you connect>
• Copy the string from -----BEGIN CERTIFICATE----- till -----END CERTIFICATE-----
• Paste the string into a .pem file, for example "test.pem"
• Run the command: openssl x509 -in test.pem -noout -text

If the SAN doesn't have the host name, then the DN comes into the picture. Refer to this: CertificateException: No name matching ssl.someUrl.de found


UPDATE:

If you are trying to achieve mutual authentication, that means both the server and the client should have their own certificate. Based on the code _stompClient.connect(url, handler); it seems to me that the Websocket server called by StompClient is acting as the server here, and your calling code is the client. Based on this understanding, you must configure your certificates correctly. I think you need to provide more details in the question to clarify how you have set things up. SSL is a complex topic; even a slight mistake in configuration can result in an error (evident from the fact that WS is working but not WSS).


UPDATE:

Based on your updated comment, it means that the client certificate is not in the picture, so no mutual authentication; only the server certificate will be used by the client, and it will check whether it trusts the server certificate, which means the CA which signs the server certificate should be present in the client's trust store. If your server is accessible as a web server, you could try opening it via the browser and checking whether it shows a valid certificate if you use https to access any resource/UI. That should at least help in figuring out whether the certificate is properly configured or not.

A_C
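The message in the question's stack trace ("No name matching <host> found", thrown from checkIdentity via checkAdditionalTrust) is the JDK's hostname check, which runs after any custom TrustStrategy has accepted the chain: it compares the host with the certificate's DNS SAN entries and consults the subject CN only when the certificate carries no DNS SAN at all, so that exact message means the CN path was taken and did not match. The class below, an added example that is not code from the question or the answer, approximates that rule against a certificate held in a JKS truststore so the comparison can be made offline; the truststore path, password, alias and host are assumed command-line arguments, and wildcard names are not handled.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class SanCheck {
    private static final int ALTNAME_DNS = 2; // GeneralName tag for dNSName entries

    /** True if host matches a DNS SAN entry, or the subject CN when the cert has no DNS SAN at all. */
    static boolean matchesHost(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        boolean foundDns = false;
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == ALTNAME_DNS) {
                    foundDns = true;
                    if (host.equalsIgnoreCase((String) san.get(1))) {
                        return true;
                    }
                }
            }
        }
        if (foundDns) {
            return false; // JDK reports "No subject alternative DNS name matching ..." and never looks at CN
        }
        // No DNS SAN: fall back to the subject CN, the path that reports "No name matching <host> found"
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())
                    && host.equalsIgnoreCase(String.valueOf(rdn.getValue()))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <truststore.jks> <password> <alias> <host>
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[2]);
        System.out.println(args[3] + (matchesHost(cert, args[3]) ? " matches " : " does NOT match ") + cert.getSubjectX500Principal().getName());
    }
}
```

Run it against the alias of the server certificate in /truststore.jks with the host used in the wss URL; a "does NOT match" result with no DNS SAN reproduces the exception without opening a connection.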
  • Hi, thanks for your reply. Did all the steps mentioned. I see no tag which matches. X509v3 extensions: X509v3 Subject Alternative Name: Is there any other way than hacking /etc/hosts to map to the IP address of CN={host_name_in_server_certificate}? What I am writing is a client; we could potentially connect to different server(s). Thanks! – Prashanth G Oct 18 '18 at 12:30
  • Ok, how did you verify that the CN is correct in your keystore? Also, you mentioned that you created a Self Signed trust store, which seems to be incorrect. I hope you meant a self signed certificate. Maybe refer to this and verify you followed the steps correctly: https://community.pivotal.io/s/article/Generating-a-self-signed-SSL-certificate-using-the-Java-keytool-command or for more detailed info: https://docs.oracle.com/cd/E19509-01/820-3503/6nf1il6er/index.html – A_C Oct 18 '18 at 12:34
  • Remember trust store should store trusted CA certs, and key store should store your actual server certificate and private key. Also, it is important to note what type of SSL you are trying to achieve and what is acting as a server and the client? Are you trying to achieve mutual SSL authentication or only Server authentication? – A_C Oct 18 '18 at 12:38
  • Yeah, I meant self signed certificate. I have used https://blogs.oracle.com/blogbypuneeth/steps-to-create-a-self-signed-certificate-and-configure-custom-identity-and-custom-trust-with-weblogic-server-using-keytool to generate it. keytool -list on the .jks shows CN={hostname_that_am_connecting}; that is how I verified. – Prashanth G Oct 18 '18 at 12:40
  • I am trying to achieve mutual SSL authentication – Prashanth G Oct 18 '18 at 12:41
  • If you are trying to achieve mutual authentication, that means both the server and the client should have their own certificate. Based on the code _stompClient.connect(url, handler); it seems to me that the StompClient is acting as the server here, and your calling code is the client. Based on this understanding, you must configure your certificates correctly. I think you need to provide more details in the question to clarify how you have set things up. SSL is a complex topic; even a slight mistake in configuration can result in an error (evident from the fact that WS is working but not WSS). – A_C Oct 18 '18 at 12:48
  • Hi, I am trying to subscribe to websocket topics using StompClient. After connect, the code is like session.subscribe(topic,handler); so on each individual update on a websocket topic, separate business logic is handled. Agree on the WSS part! – Prashanth G Oct 18 '18 at 13:08
  • For now, we are going with using a certificate which has the same CN as the server, mapping the CN to the actual IP in /etc/hosts. Thanks for all the clarification! – Prashanth G Oct 18 '18 at 13:16
  • This means that the client certificate is not in the picture, so no mutual authentication; only the server certificate will be used by the client, and it will check whether it trusts the server certificate, which means the CA which signs the server certificate should be present in the client's trust store. If your server is accessible as a web server, you could try opening it via the browser and checking whether it shows a valid certificate if you use https to access any resource/UI. That should at least help in figuring out whether the certificate is properly configured or not. – A_C Oct 18 '18 at 13:41
  • I did exactly that. Downloaded the certificate from the browser, only to realize the team exposing this websocket topic on the server side is providing "test" certificates. So using that for now and added entries in /etc/hosts. Again, thanks for the help... Much appreciated. – Prashanth G Oct 18 '18 at 13:44
  • What do you mean exactly by test certificate? Is it not having the right configuration? – A_C Oct 18 '18 at 13:46
  • A certificate generated by the team to connect to all of their test envs, shipped out instead of generating it on our end :) – Prashanth G Oct 18 '18 at 13:51
  • Yes, for now. But I believe it will come back later on when we try to connect to more than one server for updates. Having said that, it also needs the server certificate to be different per server. Thank you!!! – Prashanth G Oct 18 '18 at 13:56
  • Glad to hear! I have updated the answer with details. If the answer helped you, you may vote it, or close the question by accepting the answer. https://stackoverflow.com/help/someone-answers . Good luck! – A_C Oct 18 '18 at 14:07
  • Done. Thanks for the help. – Prashanth G Oct 18 '18 at 14:56