Jersey + Weblogic - javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE
I have been sitting on a problem for the second whole day and am giving up. I have written a Jersey client which works on Jetty and doesn't work on Weblogic. The reason is probably hidden in the certificate: CN = "*.somecompany.com". Weblogic doesn't like wildcards in the CN. Does anybody have a working solution for that?
I added these to the Weblogic start params, but Weblogic uses many other clients, so I don't want to add these parameters (ignoreHostnameVerification):
-Dssl.debug=true -Dweblogic.security.SSL.ignoreHostnameVerification=true
-Dweblogic.security.SSL.enforceConstraints=off
-Dweblogic.nodemanager.sslHostNameVerificationEnabled=false
-Dweblogic.security.SSL.allowSmallRSAExponent=true
-Dweblogic.security.SSL.ignoreHostnameVerification=true
I also accessed the REST service using a web browser, downloaded the certificate to disk and then added it to the truststore using keytool. It still doesn't work.
The only and best way would be to write something custom that validates the hostname?? Maybe this wildcard is the problem.. But I am a newbie, no idea how to write it; a working example would be greatly appreciated, I won't be able to do it myself :/
Below are the exceptions that I found (not sure which were present and when, but it is still not working). I was trying to fix it by:
1) Importing the whole certificate chain into the truststore (Java and Weblogic truststores)
2) Adding start parameters to Weblogic, but it is not a good solution
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:131)
at com.sun.jersey.api.client.Client.handle(Client.java:629)
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:601)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:507)
at
SECOND
with Severity: FATAL, Type: 42
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:140)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:358)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
at weblogic.net.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:702)
at weblogic.net.http.HttpURLConnection.getResponseCode(HttpURLConnection.java:962)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:217)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:129)
at com.sun.jersey.api.client.Client.handle(Client.java:629)
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:601)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:507)
at
THIRD
E7C0E2529308F> <> <1387573464164> <BEA-000000> <Failure loading trusted CA list
java.security.cert.CertificateParsingException: Could not set value for ASN.1 string object.
at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
at com.certicom.tls.interfaceimpl.CertificateSupport.addTrustedCertificate(Unknown Source)
at com.certicom.net.ssl.SSLContext.addTrustedCertificate(Unknown Source)
at com.bea.sslplus.CerticomSSLContext.addTrustedCA(Unknown Source)
at weblogic.security.utils.SSLContextWrapper.addTrustedCA(SSLContextWrapper.java:62)
at weblogic.security.utils.SSLSetup.getSSLContext(SSLSetup.java:320)
at weblogic.net.http.HttpsClient.openServer(HttpsClient.java:334)
at weblogic.net.http.HttpsClient.New(HttpsClient.java:566)
at weblogic.net.http.HttpsURLConnection.getHttpClient(HttpsURLConnection.java:339)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:408)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
at weblogic.net.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:702)
at weblogic.net.http.HttpURLConnection.getResponseCode(HttpURLConnection.java:962)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:217)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:129)
at com.sun.jersey.api.client.Client.handle(Client.java:629)
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:601)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:507)
at
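An added example, not code from the question or either answer, of the custom validation the question asks for: a strict javax.net.ssl.HostnameVerifier that accepts a SAN dNSName or CN of *.somecompany.com for exactly one left-most label, instead of switching hostname verification off. The class name is hypothetical; the test hostnames in main are constructed.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

// Hypothetical strict verifier for wildcard certificates such as CN=*.somecompany.com.
// SAN dNSName entries are checked first; the subject CN is used only when no SAN extension exists.
public final class WildcardHostnameVerifier implements HostnameVerifier {

    @Override
    public boolean verify(String host, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) return false;
            X509Certificate leaf = (X509Certificate) chain[0];
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    // GeneralName type 2 is dNSName; the value is a String
                    if (Integer.valueOf(2).equals(san.get(0)) && matches(host, String.valueOf(san.get(1)))) return true;
                }
                return false; // a SAN extension is present, so the CN is deliberately not consulted
            }
            for (Rdn rdn : new LdapName(leaf.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return matches(host, String.valueOf(rdn.getValue()));
            }
            return false;
        } catch (Exception e) { // SSLPeerUnverifiedException, CertificateParsingException, InvalidNameException
            return false;
        }
    }

    // Wildcard rule: "*." may replace only the whole left-most label, and at least two labels must follow it.
    static boolean matches(String host, String pattern) {
        host = host.toLowerCase();
        pattern = pattern.toLowerCase();
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        String suffix = pattern.substring(1);                              // ".somecompany.com"
        if (suffix.indexOf('.', 1) < 0 || !host.endsWith(suffix)) return false;
        String leftmost = host.substring(0, host.length() - suffix.length());
        return !leftmost.isEmpty() && leftmost.indexOf('.') < 0;
    }

    public static void main(String[] args) {
        System.out.println(matches("api.somecompany.com", "*.somecompany.com"));     // one label under the wildcard
        System.out.println(matches("a.b.somecompany.com", "*.somecompany.com"));     // two labels: must be rejected
        System.out.println(matches("somecompany.com", "*.somecompany.com"));         // bare domain: must be rejected
        System.out.println(matches("api.somecompany.com.example", "*.somecompany.com")); // other suffix: rejected
    }
}
```

This applies to the JDK's JSSE HttpsURLConnection path (the one -DUseSunHttpHandler=true selects); the weblogic.net.http / Certicom stack in the traces above uses WebLogic's own weblogic.security.SSL.HostnameVerifier interface instead, so a verifier for that path must implement that interface.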
Solution 1:[1]
Try to add the site certificate to your Weblogic truststore and then add the params below to your Weblogic startup:
-DUseSunHttpHandler=true
-Dssl.SocketFactory.provider=sun.security.ssl.SSLSocketFactoryImpl
-Dssl.ServerSocketFactory.provider=sun.security.ssl.SSLSocketFactoryImpl
I had a problem like yours and by this post I solved it: Cannot access HTTPS from Weblogic
Solution 2:[2]
Issue fixed by adding these entries to the JVM arguments:
"-Dweblogic.security.SSL.nojce=true"
"-Dweblogic.ssl.JSSEEnabled=true"
"-Dweblogic.security.SSL.enableJSSE=true"
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Community |
| Solution 2 | Andrei Sfat |