11-05-2008 08:11 PM - edited 03-13-2019 05:48 PM
Hi,
We are trying to make a simple application that makes requests to the CCM via the AXL SOAP interface to get personal address book information. When we do the request it errors out with an SSL handshake problem. I have pasted some of the exact error output below. Any help or ideas would be appreciated!
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
Full logs attached. I have imported the CCM cert into the Java keystore and still no luck. The only way I can get this to work by testing is to have CCM in a VM and the web app deployed on an actual physical machine, and that's only for a single-user dev environment.
Rob
11-06-2008 12:39 AM
By default, the SSL certificate from the CCM is untrusted, so you get a verification error. There are two ways to work around this: one is importing the certificate to the trusted store (google it), the other is writing your code so that it automatically accepts untrusted certs.
For the latter, you could have a method like this (which I stole from the axlsql application):
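    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    // MyTrustManager and InitializationException are classes from the
    // poster's application and are not shown in this post.
    public void init() throws InitializationException
    {
        // Trust manager that accepts certificates without validating them.
        X509TrustManager xtm = new MyTrustManager();
        TrustManager[] mytm = { xtm };
        SSLContext ctx;
        try
        {
            ctx = SSLContext.getInstance("SSL");
            ctx.init(null, mytm, null);
            SSLSocketFactory sf = ctx.getSocketFactory();
            // Both setters below are JVM-wide: every HttpsURLConnection in
            // the process uses them, not only the AXL connection.
            HttpsURLConnection.setDefaultSSLSocketFactory(sf);
            HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier()
            {
                // Accepts any hostname, whatever name the certificate carries.
                public boolean verify(String hostname, SSLSession session)
                {
                    return true;
                }
            });
        }
        catch (NoSuchAlgorithmException ex)
        {
            throw new InitializationException("SSL Algorithm not found: " + ex.getMessage());
        }
        catch (KeyManagementException ex)
        {
            throw new InitializationException("Key management exception: " + ex.getMessage());
        }
    }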
11-06-2008 10:35 PM
When looking at the keystore today I noticed the path for the CCM cert was wrong, creating a unique keystore. When adding the CCM cert to the \lib\security\cacerts keystore so it's trusted, it worked. I listed the keystore to verify that it's there. I still get an error, although the logs seem to spit out more. Any ideas?
Please see fulllogs2 attached for logs
11-07-2008 01:48 AM
I'm afraid I never actually did keystore imports (had for ssl ldap but never for https).. but unless you have a pressing concern why you only want your software to work if the cert has been imported (can't really imagine there could be.. in the end you either decide to trust the ccm or not.. and whether you do that by configuring address&credentials or the same plus importing the cert that seems mostly semantics to me), I can only recommend that you try my approach - it gives you ssl support without all the certificate hassle.
11-10-2008 06:43 PM
Are you sure tomcat/spring is using the correct keystore file?
Try to force it to use a specific file, i.e.
    System.setProperty("javax.net.ssl.keyStore", "c:\\mykeystore");
And some example code could be useful too.