1

I'm using Netty for asynchronous http(s) requests. When the url for the request is https I'm adding this to the pipeline:

SSLEngine engine = SecureChatSslContextFactory.getClientContext().createSSLEngine();
engine.setUseClientMode(true);

pipeline.addLast("ssl", new SslHandler(engine));

This works well, I get the response back and everything, but a warning is being written to the output saying: UNKNOWN SERVER CERTIFICATE, for example if I issue a request for: https://www.google.com this is what I get:

UNKNOWN SERVER CERTIFICATE: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US

Since everything is still working it's not that much of an issue for me, but there are two things I would like to know:

  1. Why do I get that warning? Google's certificate is a "well known" one, the browsers don't seem to warn about it. Should I somehow tell the ssl engine where to look for the certificates?

  2. Can I somehow catch this warning at runtime instead of having this message printed out?

Thanks.

Nitzan Tomer

2 Answers

1

Check to make sure that the "trust store" is correctly identified to Netty when you do this; you may have to look at adding ${JAVA_HOME}/jre/lib/security/cacerts as a trusted store.

If that's not configured you probably won't be able to connect over SSL.

Dave G
  • Looks like I'll need to implement *TrustManagerFactorySpi* and *TrustManager* since the ones provided by the *SecureChat* examples are "bogus". It accepts any certificate and prints the warning without checking. I'll stick to this for now and will get back to it later. – Nitzan Tomer Mar 17 '12 at 15:16
  • Can you subclass and override the method printing the warning just copying the code sans warning? – Dave G Mar 17 '12 at 15:35
  • Yes, it's printed in their implementation of *X509TrustManager*, which I can implement myself, I just don't have a clue on how to do that, and I think that I'll just dive into it later. – Nitzan Tomer Mar 17 '12 at 15:38
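The point the answer and comments circle around is that the SecureChat sample's trust manager accepts every chain and merely prints the warning, so the only real fix is to validate against a trust store. The following is an added example, not code from the question or from the Netty SecureChat sample: it builds a client SSLContext from the JDK's trust store (either the default cacerts or an explicit file such as ${JAVA_HOME}/jre/lib/security/cacerts), wraps the real X509TrustManager so an untrusted server turns into a handshake failure the application can catch instead of a printed line, and installs a client-mode SslHandler in the pipeline exactly as the question does. It assumes Netty 3.x (org.jboss.netty packages, as the question's SecureChatSslContextFactory implies) and Java 7 or later for the host-name check; the class and method names are illustrative, and the "changeit" password is the JDK's documented default for cacerts.

```java
// Added example (not the question's or Netty's code): a client SSLContext that
// actually validates the server certificate instead of accepting anything.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.jboss.netty.channel.ChannelPipeline;   // Netty 3.x, as in the question
import org.jboss.netty.handler.ssl.SslHandler;

public final class VerifyingSslContextFactory {   // hypothetical name

    /** Trust managers backed by the JDK default trust store (cacerts, or javax.net.ssl.trustStore if set). */
    public static TrustManager[] defaultTrustManagers() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null keystore = use the JDK's default trust store
        return tmf.getTrustManagers();
    }

    /** Trust managers from an explicit JKS file, e.g. ${JAVA_HOME}/jre/lib/security/cacerts ("changeit"). */
    public static TrustManager[] trustManagersFrom(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    /** Delegates to the real trust manager; an untrusted server fails the handshake rather than printing. */
    static final class FailingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        FailingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            try {
                delegate.checkServerTrusted(chain, authType);   // real chain validation against the trust store
            } catch (CertificateException e) {
                // Propagating the exception aborts the TLS handshake; Netty's SslHandler reports that
                // on its handshake future, which is where the application can handle it at runtime.
                throw new CertificateException(
                    "Untrusted server certificate: " + chain[0].getSubjectX500Principal(), e);
            }
        }

        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** One-way TLS: no client key material, server is authenticated against the given trust managers. */
    public static SSLContext clientContext(TrustManager[] tms) throws Exception {
        for (int i = 0; i < tms.length; i++) {
            if (tms[i] instanceof X509TrustManager) {
                tms[i] = new FailingTrustManager((X509TrustManager) tms[i]);
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null);
        return ctx;
    }

    /** Installs a client-mode SslHandler that checks both the chain and the host name (Java 7+). */
    public static SslHandler addSslHandler(ChannelPipeline pipeline, SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);   // peer host is required for host-name checking
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");   // a valid chain for the wrong host is rejected
        engine.setSSLParameters(params);
        SslHandler handler = new SslHandler(engine);
        pipeline.addLast("ssl", handler);
        return handler;
    }
}
```

Usage mirrors the question's snippet: `addSslHandler(pipeline, clientContext(defaultTrustManagers()), "www.google.com", 443)`. With the JDK trust store in place the google.com chain validates silently and the "UNKNOWN SERVER CERTIFICATE" line disappears, because that line only ever came from the sample's accept-all trust manager; a genuinely untrusted server now fails the handshake instead of being silently accepted.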
1

Dave,

Take a look at the code sample in this thread: Set up Netty with 2-way SSL Handshake (client and server certificate)

I think that will help you with your keystore and truststore setup.

MeowCode