[JDEV] Java JabberBeans and SSL certificates

Jason Anderson jason at guanosoft.org
Wed Aug 7 15:58:39 CDT 2002


Emma,

I believe "could not find trusted certificate" means that the server 
you're connecting to has a self-signed certificate, and not a 
certificate from a trusted signing authority.

To get a certificate from a trusted authority, you have to pay money. 
Even with all the precautions a trusted authority takes to provide true 
verification, you still don't know for sure a host is who it says it is, 
because there are ways to spoof and steal connections and certificates. 
  Many organizations realize this and will not spend the money on a 
"trusted" certificate, thus your secure connection attempt fails, 
because it can't verify the certificate with the known trusted 
authorities.  This doesn't mean there is a breach of security, though.

The solution in Java is to create a custom SSLSocketFactory with a 
modified TrustManager.  You will write your trust manager to say, "we 
trust all server certificates," and the connection will be started 
instead of aborted.  It gets a little messy, so in summary: create a 
custom TrustManager, create a new SSLContext and initialize it with the 
TrustManager, use the SSLContext to create a new SSLSocketFactory.

Unfortunately, this has not been added to JabberBeans yet, but I am 
hoping to add it at some point.  For now, I use my own connection class 
in my client, not ConnectionBean.  You can insert the following code 
into the connect() methods of ConnectionBeanSSL in place of the 
SSLSocketFactory.getDefault() calls.

         com.sun.net.ssl.TrustManager trustManager =
             new com.sun.net.ssl.X509TrustManager() {
                 public java.security.cert.X509Certificate[]
                         getAcceptedIssuers() {
                     return null;
                 }
                 public boolean isClientTrusted(
                         java.security.cert.X509Certificate[] cert) {
                     return true;
                 }
                 public boolean isServerTrusted(
                         java.security.cert.X509Certificate[] cert) {
                     return true;
                 }
             };

         javax.net.ssl.SSLSocketFactory factory = null;
         try {
             com.sun.net.ssl.SSLContext context =
                 com.sun.net.ssl.SSLContext.getInstance("SSL");

             context.init(null, new 
com.sun.net.ssl.TrustManager[]{trustManager},
                 null);

             factory = context.getSocketFactory();

         } catch (java.security.NoSuchAlgorithmException e) {
             System.out.println("[ConnectionBeanSSL.connect] Error 
starting ssl: "
                 + e.toString());
         } catch (java.security.KeyManagementException e) {
             System.out.println("[ConnectionBeanSSL.connect] Error 
starting ssl: "
                 + e.toString());
         }

Hope that helps.  Good luck!

jason


emma.willis at ntlworld.com wrote:
> Ok, I have managed to integrate this new class into my client code this morning.  I am testing it at amessage.de but I keep getting the SSLHandshakeException saying that it could not find a trusted certificate.
> 
> I don't really understand if that is my problem, or the server's problem.  Please can someone explain???
> 
> Emma
> ...........................................
> 
> Emma,
>     If you want to do this in the easiest way possible, I would suggest using jabberbeans from CVS. The current maintainer has added a class called ConnectionBeanSSL to Jabberbeans which works exactly like the ConnectionBean you are used to. Sadly, the maintainer has not made a .jar release of the recent CVS changes, so you have to checkout and rebuild jabberbeans.jar to use it. Jabberbeans uses an Ant script to create the jar, so once you check it out, please look up ant on google if you havent used it before.
>     Jason Anderson and I are in the process of reviving the project now so that new .jars with Jean-Louis's changes as well as the ones I just mentioned are easily available, as well as new documenation. I will keep JDEV posted when we make some progess in this regard.
> 
>     Dalton Caldwell
> 
> 
> 
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev
> 
> .
> 





More information about the JDev mailing list