
Since all the certs from websites are signed by Root CAs and such, and I am writing a client, not a server, how would I create an SSLEngine that can connect to them all? Or do I have to download certs and such to connect? (I am hoping that the JDK has all the same info as the browsers regarding certs and such, so doing this should be easy, although I am having trouble with my Google skills in finding it since most links are about servers.)

EDIT: For more clarity, I have client code like so that works with a self-signed cert. Currently, I downloaded the cert from the website I wanted through chrome clicking on the lock. I then imported that into my keystore but it's still not working...

import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

private SSLEngine createEngine() {
    // Load the JKS trust store bundled on the classpath (try-with-resources closes it).
    try (InputStream in = this.getClass().getResourceAsStream("/prodKeyStore.jks")) {

        //char[] passphrase = password.toCharArray();
        // First initialize the trust material (no key material: this client
        // does not present a certificate of its own).
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(in, "lP9Ow1uYXZr9zgt6".toCharArray());
        SSLContext sslContext = SSLContext.getInstance("TLS");

        //****************Client side specific*********************
        // TrustManagers decide whether to allow connections: only server certs
        // that are in this store, or chain to one that is, will be accepted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(ks);
        sslContext.init(null, tmf.getTrustManagers(), null);
        //****************Client side specific*********************

        // Created without a host/port, so the engine has no server name to send in SNI.
        SSLEngine engine = sslContext.createSSLEngine();
        engine.setUseClientMode(true);
        return engine;
    } catch (Exception e) {
        throw new RuntimeException("Could not create SSLEngine", e);
    }
}

Next, I am going to try to figure out how to turn on debugging for the SSL exchange and see if that helps any. Currently, I am at a loss as to why this is not working.

OUCH, debug logs point to this

javax.net.ssl|DEBUG|21|httpclient2|2020-02-18 08:13:05.095 MST|CertificateMessage.java:358|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
   "version"            : "v3",
   "serial number"      : "00 90 76 89 18 E9 33 93 A0",
   "signature algorithm": "SHA256withRSA",
   "issuer"             : "CN=invalid2.invalid, OU="No SNI provided; please fix your client."",
   "not before"         : "2014-12-31 17:00:00.000 MST",
   "not  after"         : "2029-12-31 17:00:00.000 MST",
   "subject"            : "CN=invalid2.invalid, OU="No SNI provided; please fix your client."",
   "subject public key" : "RSA",
   "extensions"         : [

so something is screwing things up big time, but not sure what yet. This is JDK 8. Not sure how to fix this yet.

thanks, Dean

Dean Hiller
  • You'd need some kind of root CA store, eg. [Mozilla CA Certificate Store](https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/)... this then can be used to validate further certificates (since it will be known who to ask). – Martin Zeitler Feb 17 '20 at 20:27
  • and then what? How do I do it for a single site as well if all I know is the URL? I mean, I can click the 'lock' icon and download that sites cert but then what? – Dean Hiller Feb 17 '20 at 20:29
  • Unless knowing the root authority, one cannot check if the certificate is valid or if it may have been forged or revoked. Here's an [example](https://gist.github.com/genaromadrid/9075d315e949fb4b3760db5c36c9a8ca) of how that works with `openssl`. When maintaining one's own certificate store, one can also add custom exclusions, just like one would do in a browser (but one does not require any browser to obtain whatever public certificate). Research "PKI". – Martin Zeitler Feb 17 '20 at 20:33
  • See [javax.net.ssl.SSLEngine](https://stackoverflow.com/search?q=javax.net.ssl.SSLEngine); and this [answer](https://stackoverflow.com/a/9589752/549372) shows how to define the key/trust stores. – Martin Zeitler Feb 17 '20 at 20:46
  • I added code for my current SSLEngine for clarity @MartinZeitler. I am just unclear on how to create a keystore next from any specific website and then later for all websites hopefully(or most). – Dean Hiller Feb 17 '20 at 21:56

1 Answer


It turned out there was one line wrong, and it has to be this:

SSLEngine engine = sslContext.createSSLEngine(host, port);

and then it all works!

Dean Hiller
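Putting the answer's fix together with the question's two other open points (whether public sites need a downloaded cert at all, and how to trust a single exported cert without a keytool step), here is an added example client, written for this page and not code from the original question or answer. The class name `SniClientEngine`, the default host `example.com` and the optional certificate-file argument are assumptions for illustration. It shows the two-argument `createSSLEngine(host, port)` that makes the engine send SNI, initializes the `SSLContext` with `null` trust managers so the JDK's own CA bundle (`lib/security/cacerts`) is used, and turns on hostname verification, which `SSLEngine` does not do by default even with a correct trust store:

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical class name; example code, not from the original post. */
public class SniClientEngine {

    /** Client engine. tms == null means the JDK default trust store (cacerts), so
     *  public CA-signed sites work with nothing downloaded. Passing host/port to
     *  createSSLEngine is what makes the engine send SNI (the fix in the answer). */
    static SSLEngine createClientEngine(String host, int port, TrustManager[] tms) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null);
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        // SSLEngine does not check that the cert matches the host unless an endpoint
        // identification algorithm is set; without it any valid cert for any other site passes.
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    /** Alternative to cacerts: trust exactly one exported cert (PEM or DER, e.g. the one
     *  saved from the browser's lock icon), built in memory with no keytool/.jks step. */
    static TrustManager[] trustOnly(InputStream certStream) throws Exception {
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(certStream);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                     // empty in-memory store
        ks.setCertificateEntry("site", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    /** Drive the TLS handshake to completion over a blocking SocketChannel. */
    static void handshake(SSLEngine engine, SocketChannel ch) throws IOException {
        SSLSession s = engine.getSession();
        ByteBuffer appOut = ByteBuffer.allocate(0);   // no application data during the handshake
        ByteBuffer appIn  = ByteBuffer.allocate(s.getApplicationBufferSize());
        ByteBuffer netOut = ByteBuffer.allocate(s.getPacketBufferSize());
        ByteBuffer netIn  = ByteBuffer.allocate(s.getPacketBufferSize());
        engine.beginHandshake();
        HandshakeStatus hs = engine.getHandshakeStatus();
        while (hs != HandshakeStatus.FINISHED && hs != HandshakeStatus.NOT_HANDSHAKING) {
            switch (hs) {
                case NEED_WRAP: {
                    netOut.clear();
                    hs = engine.wrap(appOut, netOut).getHandshakeStatus();
                    netOut.flip();
                    while (netOut.hasRemaining()) ch.write(netOut);
                    break;
                }
                case NEED_UNWRAP: {
                    netIn.flip();
                    SSLEngineResult r = engine.unwrap(netIn, appIn);
                    netIn.compact();                 // keep any partially buffered record
                    if (r.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW) {
                        // No complete record buffered yet: read more, only then.
                        if (ch.read(netIn) < 0) throw new IOException("peer closed during handshake");
                    } else if (r.getStatus() != SSLEngineResult.Status.OK) {
                        throw new IOException("unwrap returned " + r.getStatus());
                    }
                    hs = r.getHandshakeStatus();
                    break;
                }
                case NEED_TASK: {
                    Runnable task;
                    while ((task = engine.getDelegatedTask()) != null) task.run();
                    hs = engine.getHandshakeStatus();
                    break;
                }
                default:
                    throw new IllegalStateException("unexpected handshake status " + hs);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com";   // assumption: any public HTTPS host
        int port = 443;
        // Optional second argument (assumed): path of one exported cert to trust instead of cacerts.
        TrustManager[] tms = args.length > 1 ? trustOnly(Files.newInputStream(Paths.get(args[1]))) : null;
        SSLEngine engine = createClientEngine(host, port, tms);
        try (SocketChannel ch = SocketChannel.open(new InetSocketAddress(host, port))) {
            handshake(engine, ch);
            SSLSession session = engine.getSession();
            System.out.println(session.getProtocol() + " " + session.getCipherSuite());
            System.out.println("server identity: " + session.getPeerPrincipal());
        }
    }
}
```

Run it as `java SniClientEngine www.example.com` to handshake against the default CA bundle, or `java SniClientEngine some.host exported.crt` to trust only that one certificate. The `NEED_UNWRAP` branch reads from the socket only after `unwrap` reports `BUFFER_UNDERFLOW`; reading unconditionally blocks forever when the server's whole flight already sits in `netIn` and the server is waiting for the client's reply.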