tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ert <...@alum.mit.edu>
Subject Debugging outbound SSL communications?
Date Fri, 05 Sep 2003 16:10:39 GMT
I'm using a poorly-supported external service that interacts over SSL.   
I can connect fine to their production environment, but their developer  
environment apparently uses a less-well-known certifying authority, and  
when I try to use it I am thwarted:

> javax.net.ssl.SSLException: Connection has been shutdown:  
> javax.net.ssl.SSLHandshakeException:  
> java.security.cert.CertificateException: Could not find trusted  
> certificate
> 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.d(DashoA6275)
> 	at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
> 	at  
> sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:406)
> 	at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:446)
> 	at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:180)
> 	at java.io.InputStreamReader.read(InputStreamReader.java:167)

The vendor informs me that I merely need to add the appropriate key:

> The Equifax Key is not in Java by default. You need to add it.   
> Example:
>
> 1) cd $JAVA_HOME/jre/lib/security/cacerts
>
> 2) copy the GeoTrust root from here:
>      
> http://www.geotrust.com/resources/roots/ 
> Equifax_Secure_Certificate_Authority.cer
> to the file geotrustroot.cer in this directory
>
> 3) Run this command:
> keytool -import -trustcacerts -alias geotrustroot -keystore cacerts  
> -file geotrustroot.cer -storepass changeit

I've imported this key to every keystore I can find or think of on my  
Mac OS X system (keytool's default one,  
/Library/Java/Home/lib/security/cacerts, ~/.keystore, ~root/.keystore)  
and I continue to get the same error.

So now I'm trying to figure out if a default Tomcat 4.1.24 install uses  
its own keystore.  If not I'm hoping to find some way I can figure out  
what key the SSL connection is being presented with, and what keystore  
it's attempting to find a matching key in.  I don't know if I just have  
the wrong certificate, or if I've put it in the wrong place.

Any thoughts from the gallery?

- Ert

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message