I am trying to make a Java application which uses jdbc (Connector/J) to connect to a mariadb database using SSL encryption.
I already created a self signed certificate a configured the server to use it.
When I try to connect I get an exception because the certificate isn't trusted because it was self signed and not added to the Java trust store.
Because I want to modify the TrustStore or use a different one for my application I searched for a way to tell only jdbc which cert is trusted, and found "https://mariadb.com/kb/en/library/using-tlsssl-with-mariadb-connectorj/ Provide Certificate directly"
When I now try to connect with:
DriverManager.getConnection("jdbc:mysql://<hostname>:3306/<database>?useSSL=true&requireSSL=true&serverSslCert=/tmp/ssl/server-cert.pem", "<username>", "<password>");
I get this exception which I already got before not using the serverSslCert parameter again:
Exception in thread "main"
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure
The last packet successfully received from the server was 136 milliseconds ago. The last packet sent successfully to the server was 129 milliseconds ago.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
at com.mysql.jdbc.SQLError.createCommunicationsException(SQLError.java:990)
at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:203)
at com.mysql.jdbc.MysqlIO.negotiateSSLConnection(MysqlIO.java:4901)
at com.mysql.jdbc.MysqlIO.proceedHandshakeWithPluggableAuthentication(MysqlIO.java:1659)
at com.mysql.jdbc.MysqlIO.doHandshake(MysqlIO.java:1226)
at com.mysql.jdbc.ConnectionImpl.coreConnect(ConnectionImpl.java:2188)
at com.mysql.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:2219)
at com.mysql.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:2014)
at com.mysql.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:776)
at com.mysql.jdbc.JDBC4Connection.<init>(JDBC4Connection.java:47)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
at com.mysql.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:386)
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:330)
at gymcash.server.mysql.DriverWrapper.connect(DriverWrapper.java:22)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at gymcash.server.mysql.MySQL.connect(MySQL.java:48)
at gymcash.server.mysql.MySQL.connect(MySQL.java:52)
at gymcash.server.main.Main.main(Main.java:25)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:188)
... 21 more
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at com.mysql.jdbc.ExportControlled$X509TrustManagerWrapper.checkServerTrusted(ExportControlled.java:304)
at
sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:992)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
... 29 more
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:154)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at com.mysql.jdbc.ExportControlled$X509TrustManagerWrapper.checkServerTrusted(ExportControlled.java:297)
... 31 more
I don't understand what I am doing wrong because the file exists, the path is absolute, and is the same used by the server. Can someone please tell me what I am doing wrong?
I am using Java 8, mysql-connector-java-5.1.45
There are a few ways to do this. One put your self signed cert or the certificate authority you used to sign your cert into the default java key store used by the JVM you are using to connect with. You need to use the Keytool to do that. But unless your managing an enterprise VM package you probably dont want to hijack the default keystore in the security package.
First you need to understand how the key tool works.
[Java Key tool commands][1]https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
The problem is you may not have access to the default key store and it may not accept the certificate format your using. Requiring some gym work converting certificates and trying to match supported crypto algos.
Generally unless your managing an enterprise its better to just
generate a new keystore file
import your cert into this keystore ( or the certificate chain )
make sure you mark it as trusted
pass the keystore to your program at run time using the -D option.
I usually just add this to my code and set the properties before connecting to the DB
if (DB_SSL || SSL) {
System.setProperty("javax.net.ssl.keyStore", KEYSTORE);
System.setProperty("javax.net.ssl.keyStorePassword", KEYSTORE_PASS);
System.setProperty("javax.net.ssl.trustStore", KEYSTORE);
System.setProperty("javax.net.ssl.trustStorePassword", KEYSTORE_PASS);
if (DEBUG_OPTION) {
System.setProperty("javax.net.debug", "true");
}
}
private static String KEYSTORE = "/home/me/.keystore";
private static String KEYSTORE_PASS = "changeit";
Related
I am working on integrating my application with Apache Kafka. While everything works as expected while connecting to test brokers.
I have hit a blocker with 2-way SSL in preprod environment. My application is deployed in Websphere Application server and the certs/keys are maintained in a Websphere keyring. Issue is Kafka producer configuration is unable to interact with the keyring to find the trusted certs or the key and hence the connectivity is failing.
I can't use JKS files since that will defeat the purpose of the keyring and is against the application design. The whole problem appears to be the interaction of Kafka client code with keyring, during application startup. Any suggestion on this is appreciated.
org.apache.kafka.common.network.Selector) - [Producer clientId= xxxxxxx] Connection with disconnected due to authentication exception
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.ibm.jsse2.bb.B(bb.java:525)
at com.ibm.jsse2.oc.b(oc.java:394)
at com.ibm.jsse2.oc.c(oc.java:146)
at com.ibm.jsse2.oc.wrap(oc.java:316)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:39)
at org.apache.kafka.common.network.SslTransportLayer.handshakeWrap(SslTransportLayer.java:434)
at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:299)
at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:253)
at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:79)
at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:486)
at org.apache.kafka.common.network.Selector.poll(Selector.java:424)
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:460)
at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:239)
at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:163)
at java.lang.Thread.run(Thread.java:798)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.ibm.jsse2.k.a(k.java:5)
at com.ibm.jsse2.oc.a(oc.java:170)
at com.ibm.jsse2.bb.a(bb.java:560)
at com.ibm.jsse2.bb.a(bb.java:432)
at com.ibm.jsse2.cb.a(cb.java:30)
at com.ibm.jsse2.cb.a(cb.java:394)
at com.ibm.jsse2.bb.t(bb.java:170)
at com.ibm.jsse2.bb$1.a(bb$1.java:4)
at com.ibm.jsse2.bb$1.run(bb$1.java:2)
at java.security.AccessController.doPrivileged(AccessController.java:492)
at com.ibm.jsse2.bb$c_.run(bb$c_.java:11)
at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:388)
at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:468)
at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:326)
... 8 more
Caused by: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by xxxxxxxxxx is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.util.f.a(f.java:70)
at com.ibm.jsse2.util.f.b(f.java:95)
at com.ibm.jsse2.util.e.a(e.java:20)
at com.ibm.jsse2.zc.a(zc.java:35)
at com.ibm.jsse2.zc.a(zc.java:156)
at com.ibm.jsse2.zc.checkServerTrusted(zc.java:125)
at com.ibm.jsse2.cb.a(cb.java:302)
... 17 more
Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by xxxxxxxxxxx is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:410)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:256)
at com.ibm.jsse2.util.f.a(f.java:144)
... 23 more
Caused by: java.security.cert.CertPathValidatorException: The certificate issued by xxxxxxxxxxxxxxx is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:176)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:356)
... 25 more
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:316)
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker
I'm not sure if this is going to work but you can try this:
extract the certificate and key from Keyring before you start up the producer;
save them in *.jks files somewhere in your machine;
pass the path of your newly created Keystore and Truststore to your
Kafka producer
Unfortunately, Java Kafka Clients can only interact with *.jks files so a proper conversion needs to be done before start-up. Another option would be to do the same thing but at a pre-deployment phase ( before starting up your application, you prepare the Keystore and Truststore ).
I know I'm a bit late to the party but I was looking for a solution to this issue as well and found a way to provide a Kafka Producer with WAS SSL configuration data. The idea came from the following IBM documentation that explains how to use the com.ibm.websphere.ssl.JSSEHelper to obtain information specified in an WAS managed SSL Configuration: https://www.ibm.com/docs/en/was/8.5.5?topic=ascdoprse-programmatically-specifying-outbound-ssl-configuration-using-jssehelper-api
The following would work to provide SSL configuration data to your Kafka Producer/Consumer properties:
com.ibm.websphere.ssl.JSSEHelper jsseHelper = JSSEHelper.getInstance();
Properties sslProperties = jsseHelper.getProperties("<your_ssl_conf_alias>")
consumerProperties.put(org.apache.kafka.common.config.SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG,sslProperties.getProperty("com.ibm.ssl.trustStore"));
You can use an existing alias or create a new one in the WAS console under:
SSL certificate and key management > SSL configurations
I'm facing issue connecting to LDAPS from my application. I have imported all necessary certificates on JRE keystore.
I'm able to make calls to LDAPs when I put the following string in java.security
jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
When I change this line to
jdk.tls.disabledAlgorithms=MD5, DSA, DESede, DES_CBC, DHE, RC4, SSLv3, ECDH_anon, DH_anon, NULL, DH keySize < 768, RSA keySize < 2048
my connection fails with following error:
Caused by: javax.naming.CommunicationException: simple bind failed: testxxxxl.xxxx.com:636 [Root exception is java.net.SocketException: Socket closed]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:122)
... 72 more
Caused by: java.net.SocketException: Socket closed
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:152)
at java.net.SocketInputStream.read(SocketInputStream.java:122)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
at sun.security.ssl.InputRecord.read(InputRecord.java:480)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:934)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
In wireshark it complains about certificate invalid.My question is if my certificate is invalid, it shouldn't be working with this line as well.
jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
Please help me to solve the issue.
If you use a secure connection to the LDAP server and you see an error like the following when trying to connect to Active Directory:
simple bind failed: ad.hostname.com:636
Import the LDAP server public certificate directly into the Klocwork keystore (which should be_jvm\lib\security\cacerts).
This causes the certificate validation process at the Klocwork end to be bypassed, since you have decided to trust the LDAP server certificate by importing it into your list of trusted certificates.
Ask your LDAP administrator to set this extension of your LDAP server certificate to non-critical.
In recent versions of Java the TLSv1 has been disabled.
In my case this happened when upgrading from Java 8 to Java 11.
Re-enabling TLSv1 helped. It is as easy as defining property:
-Djdk.tls.client.protocols=TLSv1
Of course you can need also other protocols, so you can specify full list:
-Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
My java application was able to connect to the third party application using https SSL connection when the endpoint URL had IP address in it.
Now, when the IP address got changed to Hostname, I am getting “SSL handshake exception” .
Apart from this there were no code update or any other changes done.
Only change what was done is that the thiry party is using Hostname in the Endpoint URL , instead of IP address.
Earlier URL: https://10.0.0.1:5368/invoke/Upload.Accept/receiveReply
Present URL: https://service.serviceprovider.com:5368/invoke/Upload.Accept/receiveReply
Any ideas what is causing this and how to fix it?
Please let me know if any more details is required.
Below is the stacktrace of the error:
javax.net.ssl.SSLHandshakeException: Could not generate secret
at sun.security.ssl.DHCrypt.getAgreedSecret(DHCrypt.java:219)
at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1056)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at com.etsalat.adapter.sadad.PaymentLoadAdapter.run(PaymentLoadAdapter.java:130)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.NoSuchAlgorithmException: TlsPremasterSecret SecretKeyFactory not available
at javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:122)
at javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:160)
at iaik.security.dh.DHKeyAgreement.engineGenerateSecret(Unknown Source)
at javax.crypto.KeyAgreement.generateSecret(KeyAgreement.java:648)
at sun.security.ssl.DHCrypt.getAgreedSecret(DHCrypt.java:217)
I had the same issue before.
The exception: "SecretKeyFactory not available" happens if the digital signature API you are using is not added to Java SDK your application use.
To add the API to Java SDK:
1. Navigate to the lib-signed folder and then copy API jar file (for example: iaik_jce.jar) to /jre/lib/ext.
2. Navigate to /jre/lib/security and then add the following to java.security
security.provider.10=iaik.security.provider.IAIK
Note: If the number '10' is being used by another entry, use the next available number.
for more information refer to: http://docs.oracle.com/cd/E61144_01/English/Install_and_Config/Automatic_Install_and_Config/helpmain.htm?toc.htm?89631.htm
I'm using the ClientRequest library to perform a 'GET' request however I'm running into a certificate error:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) [jsse.jar:1.7.0_40]
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:182) [resteasy-jaxrs-2.3.6.Final-redhat-1.jar:2.3.6.Final-redhat-1]
Since this is just a test environment, I want to be able to ignore or accept all certificates over https. (I know this defeats the purpose of ssl.) Any pointers in the right direction is much appreciated!
ClientRequest request = new ClientRequest(someURL.toString());
ClientResponse<SomeClass> response = null;
response = request.get(SomeClass.class);
response.getEntity();
Since you're using Apache HTTP Client, with a certificate that's not trusted by default, this exception has the same cause as "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed" in most other uses of SSLSocket (see this answer for details): essentially, it's an indication that your certificate isn't trusted.
Instead of ignoring the error (by adding specific code to bypass any certificate validation, code you may forget about when you get closer to the release deadline), import your custom certificate in your truststore. For example, create a local copy of the cacerts file bundled with your JRE, use keytool to import your custom certificate, and point the javax.net.ssl.trustStore system property (and related properties) to that file when you start your JVM.
I need to be able to point JMeter at a test server which has an expired SSL certificate (it will be some time before we are able to renew it). JMeter is quite rightly throwing an exception when it tries to connect:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
at org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.sample(HTTPHC4Impl.java:284)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sample(HTTPSamplerProxy.java:62)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1075)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1064)
at org.apache.jmeter.threads.JMeterThread.process_sampler(JMeterThread.java:426)
at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:255)
at java.lang.Thread.run(Unknown Source)
Does anybody know of any way that I can import said certificate into the keystore and in the process change the expiry date (and would this even help or would the fact that the server certificate has expired still cause this exception to be thrown)?
I've tried to set the validity as part of the import but this is ignored:
keytool -import ... -validity 100
P.S - I know I could implement my own TrustManager which ignores these checks but my fingers won't allow me to write such evil code and I'd much rather get to a solution that I can install on the server without having to modify JMeter!
Thanks for your time.
JMeter does not validate certificate so this is not the cause of your issue.
Which implementation do you use, java, HC3 or HC4 ?
Your issue could come from error in Socket version negotation.
Try setting this in user.properties:
https.socket.protocols=SSLv2Hello SSLv3 TLSv1
You may have to play with them depending on your server configuration, for example only set this:
https.socket.protocols=SSLv3