Debugging Java SSL Connection Issues
22. April 2013

Testing SSL Connection

  1. Download SSLPoke.class.
  2. Start SSLPoke by invoking:
    java SSLPoke <host> <port>
  3. Have a look at the error messages.

Keystore Problems

You can test a connection using a self-defined keystore to see whether there is anything wrong with it. If this succeeds, the problem lies in the JVM configuration: there might be a wrong keystore configured. If you need your custom keystore, add the parameter to your JVM startup parameters.

java -Djavax.net.ssl.trustStore=/my/custom/keystore SSLPoke localhost 443

Trustchain Problems

To see what's going on, you can have a look at the complete certificate chain sent by the web server:

openssl s_client -showcerts -connect <host>:<port>

A simple way to get certificates into a keystore

Get the certificate chain from a URL

The simplest way to get the whole certificate chain sent by the web server is to use openssl's s_client and write its output to a file (stdin is redirected from /dev/null so s_client does not wait for input):

openssl s_client -showcerts -connect <url>:443 </dev/null >/tmp/cert.pem

Convert PEM to DER

keytool likes to have a DER-encoded certificate, so we have to convert it.

openssl x509 -outform der -in /tmp/cert.pem -out /tmp/cert.der

Import DER into Keystore

After converting the certificates, you only have to import them into the default Java keystore using the default password "changeit".

/usr/lib/jvm/java/bin/keytool -import -alias "certalias" -file /tmp/cert.der -keystore /usr/lib/jvm/java/jre/lib/security/cacerts -storepass changeit -noprompt
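The three steps above (extract, convert, import) carried through as an added shell example that is not part of the original post. It extends the recipe to every certificate in the chain, since openssl x509 reads only the first certificate in the file written by s_client; it assumes openssl and keytool are on PATH, and the embedded sample bundle is constructed with placeholder certificate bodies.

```shell
#!/bin/sh
# Added example, not from the original post. Splits the output of
# "openssl s_client -showcerts" into one PEM file per certificate, then converts
# and imports each one, because "openssl x509 -in bundle.pem" reads only the
# first certificate and the rest of the chain would be silently dropped.

# split_chain BUNDLE OUTDIR: write OUTDIR/cert-1.pem, cert-2.pem, ...
# and print the number of certificates found.
split_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "$1"
}

# import_chain OUTDIR KEYSTORE STOREPASS: convert each split PEM to DER and
# import it under its own alias (keytool refuses duplicate aliases).
# Needs openssl and keytool on PATH and write access to KEYSTORE.
import_chain() {
  for pem in "$1"/cert-*.pem; do
    alias=$(basename "$pem" .pem)
    openssl x509 -outform der -in "$pem" -out "$1/$alias.der"
    keytool -import -alias "$alias" -file "$1/$alias.der" \
      -keystore "$2" -storepass "$3" -noprompt
  done
}

# write_sample_bundle FILE: constructed stand-in for s_client output with a
# two-certificate chain (the base64 bodies are placeholders, not real certs).
write_sample_bundle() {
  cat > "$1" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBexampleLeafCertificateBodyPlaceholder=
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBexampleIntermediateCertificateBodyPlaceholder=
-----END CERTIFICATE-----
---
EOF
}
```

Against a live server the sequence is `openssl s_client -showcerts -connect host:443 </dev/null >/tmp/chain.pem`, then `split_chain /tmp/chain.pem /tmp/chain` and `import_chain /tmp/chain "$JAVA_HOME/jre/lib/security/cacerts" changeit`.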
