Arne,
From the stack trace that you posted it looks like the server's SSL certificate is expired. See
" Exception in thread "main" javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Thu Apr 22 14:50:15 CEST 2010 "
You will need to have the administrator of your LabKey server renew or create a new SSL certificate for the server.
If your administrator needs any assistance in renewing/creating the SSL certificate, just send me information about your LabKey server (Apache Tomcat version and operating system) and I can send you documentation and answer any questions.
Brian
Hi Arne,
As you and Brian noted, the web server seems to have an expired certificate. When it's trying to establish a secure connection, the Java code won't use any exceptions that you've made in your web browser.
If it's not practical to replace the expired certificate and you want to accept any certificate that the web server presents, you'll need to make Java use a different X509TrustManager.
Here are the basic steps that I think would be required:
1. Create a new class called AcceptAllCertsProtocolSocketFactory, based on org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory. Its source is included in the LabKey Java API source code.
2. Create a new class called AcceptAllCertsTrustManager that implements javax.net.ssl.X509TrustManager and has the following methods:
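    // Reports an empty list of trusted issuers.
    public java.security.cert.X509Certificate[] getAcceptedIssuers()
    {
        return new java.security.cert.X509Certificate[0];
    }

    // Empty body: never throws, so every client certificate chain is accepted.
    public void checkClientTrusted(java.security.cert.X509Certificate[] x509Certificates, String string)
    {}

    // Empty body: never throws, so every server certificate chain is accepted, expired ones included.
    public void checkServerTrusted(java.security.cert.X509Certificate[] x509Certificates, String string)
    {}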
3. Modify AcceptAllCertsProtocolSocketFactory to use AcceptAllCertsTrustManager instead of EasyX509TrustManager.
4. Create your org.labkey.remoteapi.Connection.
5. Call setAcceptSelfSignedCerts(false) on it to unregister the SSL configuration that it has done by default.
6. Call org.apache.commons.httpclient.protocol.Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory)(new AcceptAllCertsProtocolSocketFactory()), 443)); to make your code use your custom trust manager.
I haven't verified that this exact code works, but I've done the same thing in other scenarios. Note that this completely disables one of the big security benefits of SSL, so use it very cautiously.
Thanks,
Josh