There is a simple scan call going to dynamo from my code which works fine in Java 6 and not in Java 7. The amazon forums mention this problem and recommend disabling certificate verification, which seems risky to me. Does anyone know what changed between Java 6 & 7 to cause this issue?
3-Jul-2012 3:51:27 PM com.amazonaws.http.AmazonHttpClient executeHelper
WARNING: Unable to execute HTTP request: peer not authenticated
If it works with one JRE and not another, the problem is likely that you don't have the correct CA cert installed in your 1.7 JRE keystore. See this post for details:
http://welocally.com/?p=1358
You can also just connect to the http:// version of the Dynamo endpoint and so avoid ssl altogether (and get a nice performance boost as a result).
My app is getting this error when accessing a HTTPS resource (using appengine-java-sdk-1.9.63):
javax.net.ssl.SSLHandshakeException: Could not verify SSL certificate for URL: https://some.where/
at com.google.appengine.api.urlfetch.URLFetchServiceImpl.convertApplicationException(URLFetchServiceImpl.java:175)
at com.google.appengine.api.urlfetch.URLFetchServiceImpl.fetch(URLFetchServiceImpl.java:45)
at com.google.apphosting.utils.security.urlfetch.URLFetchServiceStreamHandler$Connection.fetchResponse(URLFetchServiceStreamHandler.java:543)
at com.google.apphosting.utils.security.urlfetch.URLFetchServiceStreamHandler$Connection.getInputStream(URLFetchServiceStreamHandler.java:422)
at com.google.apphosting.utils.security.urlfetch.URLFetchServiceStreamHandler$Connection.getResponseCode(URLFetchServiceStreamHandler.java:275)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:656)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:629)
at org.jsoup.helper.HttpConnection.execute(HttpConnection.java:261)
at org.jsoup.helper.HttpConnection.get(HttpConnection.java:250)
What can be done so that GAE would not check SSL? For my current purpose the app does not care whether it connects via HTTP or HTTPS, so in my case I just want to disable the SSL check.
Update:
I am running the application from Windows (Linux does not throw the error above)
I have already modified the dev_appserver.cmd like this:
java -Ddeployment.security.TLSv1.1=false -Ddeployment.security.TLSv1.2=false -cp "%~dp0\..\lib\appengine-tools-api.jar" ^
com.google.appengine.tools.KickStart ^
com.google.appengine.tools.development.DevAppServerMain %*
Also in the application itself this is set:
FetchOptions fetchOptions = FetchOptions.Builder.doNotValidateCertificate();
HTTPRequest request = new HTTPRequest(getUrl, HTTPMethod.GET, fetchOptions);
What could be wrong with Windows that it throws the error whereas in Linux there is no problem?
The solution that worked for this problem is to update the JDK of the machine. Then after upgrading from Java 7 to Java 8, the SSLHandshakeException is not being thrown anymore.
Thus, problem solved.
I am using Windows 10 version 1703,
Java version 8.131,
and I have experienced this certificate issue with a Java app. I am always getting this error that the website is not trusted and that the certificate is not valid.
So I added the site that the app is trying to access to the Exception Site list. And I have also imported the certificate from this website into the Java keystore. Still, I am experiencing the same issue over and over again.
Certificate is issued by GoDaddy, and is still valid (not expired)
I've also tried to install jre 7u79 to lower security level but it cannot be installed on this version of Windows 10.
Print-screen error/certificate/security
Total hours spent on this issue so far ~5hours.
If someone has some tips, would be highly appreciated!
I have an SSL client certificate. It was working with my app up until one of the Java updates happened at some point in the recent past (maybe as far back as a year). It works with web browsers. It works with curl.
For example, I can do this and it is fine:
curl --cert example.pem https://example.net
Now I cannot get this cert to work with Java. I've gone as far as trying a very minimal app, like SSLPoke from https://gist.github.com/4ndrej/4547029
Putting the cert into the client certs from ControlPanel doesn't do it.
Importing the .pem into a keystore and then pointing at that keystore with -Djavax.net.ssl.trustStore or .keystore doesn't do it.
All I get out of Java is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
So I can't figure out what is wrong - the way I'm invoking Java? The place I'm putting the certificate? The way I've imported the certificate?
The debug output using -Djava.security.debug=all does not show it using the trustStore/keyStore I specify. It doesn't even show anything about the URL I'm trying to reach.
I'm out of ideas.
Your server is likely using an outdated SSL protocol, that Java is no longer allowing, by default, for security reasons.
Try running Java with this option (e.g. needed for older SQL Server instances):
-Djsse.enableCBCProtection=false
If that doesn't work, maybe the server is using SSLv3, so see this SO question for How to enable SSL 3 in Java.
If any of those work, they are workarounds that downgrade the SSL security, so you are strongly encouraged to upgrade the server instead, and remove these workarounds again.
My Java version is 1.6 and I connect to a server over SSL using an Axis 2 stub; all used to work fine. It seems like they did some upgrade (apache2.4) and the SSL handshake doesn't happen anymore. I receive a javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake error. Just for testing purposes, I locally installed JDK 8 and tested it; it works fine. Is there any way to make this work using JDK 1.6? It is not possible to upgrade the JDK now.
It is hard to tell without more details but I guess that the server either requires a TLS version unsupported by JDK 6 (e.g. TLS 1.1 or TLS 1.2) or uses ciphers which are not supported by JDK 6 yet. Another option might be that the server needs SNI (server name indication) which is not supported by JDK 6. If the problem is any of these things you are unfortunately out of luck with JDK 6.
I suggest you check with SSLLabs to get more details about the problem. They show also compatibility information regarding various JDK versions.
You could try using a 3rd party JCE provider; Bouncy Castle comes to mind:
https://www.bouncycastle.org
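The answers in the two threads above put these handshake failures down to a protocol version or cipher suite that the client JRE does not offer. As an added example (not code from any of the posts; the class name `TlsCapabilities` and the status labels are made up here), this reports which protocol versions the running JRE implements and which it offers by default, and gives the same status for any cipher suite names passed as arguments:

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (hypothetical class name): what can this JRE negotiate?
public class TlsCapabilities {
    // ENABLED: offered by default; SUPPORTED_ONLY: implemented but has to be
    // switched on explicitly; UNSUPPORTED: not implemented by this JRE at all.
    static String status(String name, String[] supported, String[] enabled) {
        if (Arrays.asList(enabled).contains(name)) return "ENABLED";
        if (Arrays.asList(supported).contains(name)) return "SUPPORTED_ONLY";
        return "UNSUPPORTED";
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();

        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String p : new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"})
            System.out.println(p + ": " + status(p, supported.getProtocols(), enabled.getProtocols()));

        // Cipher suite names given on the command line, e.g. copied from a scan of the server.
        for (String suite : args)
            System.out.println(suite + ": "
                + status(suite, supported.getCipherSuites(), enabled.getCipherSuites()));

        // Algorithms the JRE refuses during the handshake (null if the property is not defined).
        System.out.println("jdk.tls.disabledAlgorithms = "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));
    }
}
```

Run it under each JRE involved and compare the output with the protocols and suites the server accepts.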
I have a webapp that sends a SOAP request to a 3rd party server. When the request is made on my local computer it works without a problem, but when I deploy my application to my server I get an error with the following causes:
com.sun.xml.messaging.saaj.SOAPExceptionImpl: java.security.PrivilegedActionException: com.sun.xml.messaging.saaj.SOAPExceptionImpl: Message send failed
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: algorithm check failed: MD2withRSA is disabled
I've searched around but I can't find anything relevant to my situation. It's probably worth noting that the request I'm making is to an https url. My computer is running Windows XP and the server is running Slackware Linux. Any ideas what might be causing the server to reject the request?
Check your Java versions on your local machine, and your server.
From here, it seems the jvm 6u17 disabled MD2 as it is insecure, and whatever you connect to is using MD2
MD2withRSA is highly vulnerable and therefore deactivated in Sun... aeh Oracle's JVM. You should ask the owner of the remote service, whether his server supports more secure encryption methods (I think, older Apache HTTPd versions do offer MD2withRSA by default...). In order to resolve this problem without forcing the provider to change the method, you may use your own implementation of the X509TrustManager that accepts the old method.
A Google search on "MD2withRSA" showed this URL as the first hit, that seems to point to a change in a certain Java version. Probably the versions on your local computer and the server do not match.
Newer Java 7 (version 1.7) allows re-enabling MD2 via $JAVA_HOME/jre/lib/security/java.security file. Download and install Java 7 and modify java.security file in text editor as follows
1) Remove MD2 from following property
jdk.certpath.disabledAlgorithms= # MD2
2) Ensure following property is commented out
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
3) Restart java application
Warning: MD2 is disabled by default in Jdk 7 because it is insecure. However, it can be enabled as described above to support older deployments.
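Two causes named on this page, a CA missing from the JRE's keystore and a certificate signed with an algorithm listed in `jdk.certpath.disabledAlgorithms`, can be checked without touching validation. The following is an added example, not code from any of the posts; the class name `ChainDiagnosis` and the default file name `chain.pem` are assumptions, and the file is expected to hold only the server's certificates in PEM form. It matches issuers by name only and reads only the plain algorithm names from the property, so it approximates the JRE's own check:

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;
// Added example (hypothetical class name): explain a PKIX failure for a saved chain.
public class ChainDiagnosis {
    // Plain names from jdk.certpath.disabledAlgorithms ("MD2, RSA keySize < 1024" -> [MD2]).
    // Simplification: entries with constraints (anything containing a space) are skipped.
    static Set<String> disabledNames() {
        Set<String> names = new HashSet<String>();
        String prop = Security.getProperty("jdk.certpath.disabledAlgorithms");
        for (String entry : (prop == null ? "" : prop).split(","))
            if (entry.trim().length() > 0 && entry.trim().indexOf(' ') < 0)
                names.add(entry.trim().toUpperCase(Locale.ROOT));
        return names;
    }
    // "MD2withRSA" -> [MD2, RSA]; true when any part is a disabled name.
    static boolean usesDisabled(String sigAlg, Set<String> disabled) {
        for (String part : sigAlg.toUpperCase(Locale.ROOT).split("WITH|AND"))
            if (disabled.contains(part)) return true;
        return false;
    }

    // Subject names of the CAs this JRE trusts by default (null = its default trust store).
    static Set<X500Principal> trustedSubjects() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<X500Principal> subjects = new HashSet<X500Principal>();
        for (X509Certificate ca : ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers())
            subjects.add(ca.getSubjectX500Principal());
        return subjects;
    }

    public static void main(String[] args) throws Exception {
        Set<String> disabled = disabledNames();
        Set<X500Principal> trusted = trustedSubjects();
        FileInputStream in = new FileInputStream(args.length > 0 ? args[0] : "chain.pem"); // assumed name
        for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
            X509Certificate x = (X509Certificate) c;
            System.out.println(x.getSubjectX500Principal().getName() + " | " + x.getSigAlgName()
                + (usesDisabled(x.getSigAlgName(), disabled) ? " | DISABLED ALGORITHM" : "")
                + (trusted.contains(x.getIssuerX500Principal()) ? " | issuer trusted by this JRE" : ""));
        }
        in.close();
    }
}
```

If no line reports a trusted issuer, the CA is missing from that JRE's keystore; a line marked `DISABLED ALGORITHM` identifies the certificate to raise with the service owner.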