6 Replies Latest reply: Jul 11, 2012 3:49 AM by 948199

    SSLKeyException: RSA premaster secret error when running from command line

    948199
      Welcome,
      I'm writing an HTTPS client using the Apache HttpClient library 4.1. I have a self-signed certificate.
      It runs correctly from my IDE (STS, Spring Tool Suite), but when run from the command line (in a bat file)

      call C:\Java\jdk\jdk1.6.0_32x64\bin\java -Djavax.net.debug=all -Dcom.sun.management.jmxremote -Djavax.net.ssl.trustStore=jssecacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.dirs=../lib com.myapp.Main

      I get:

      pool-1-thread-2, handling exception: javax.net.ssl.SSLKeyException: RSA premaster secret error
      pool-1-thread-2, SEND TLSv1 ALERT: fatal, description = unexpected_message
      pool-1-thread-2, WRITE: TLSv1 Alert, length = 2
      [Raw write]: length = 7
      0000: 15 03 01 00 02 02 0A .......
      pool-1-thread-2, called closeSocket()
      pool-1-thread-2, IOException in getSession(): javax.net.ssl.SSLKeyException: RSA premaster secret error
      pool-1-thread-2, called close()
      pool-1-thread-2, called closeInternal(true)
      2012-07-09 14:09:53,053 pool-1-thread-2 [ERROR] - pool-1-thread-2 org.apache.commons.logging.Log -
      javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
      at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
      at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
      ...

      Why is it working in STS?

      I put the jars from http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html into the JRE folder.
      I added the certificate to the trust store.
      I am working on Windows 7 64-bit


      Any help appreciated
      Regards
        • 1. Re: SSLKeyException: RSA premaster secret error when running from command line
          handat
          It won't find jssecacerts unless it is in the same directory as where you are running the command from.
          Try specifying the full path to your jssecacerts file.
          • 2. Re: SSLKeyException: RSA premaster secret error when running from command line
            EJP
            > -Djava.ext.dirs=../lib
            What's in there?
            > I added the certificate to the trust store.
            You added the exported server certificate to the truststore?
            • 3. Re: SSLKeyException: RSA premaster secret error when running from command line
              948199
              I changed my bat script; now it looks like this:

              call java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=C:\Java\workspace\myapp-java\target\classes\jssecacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.dirs=../lib com.myapp.Main

              and nothing changed.
              I did one more test and set a bad path to jssecacerts, for example: C:\Javaaaaaaaaa\workspace\myapp-java\target\classes\jssecacerts
              and then I have a different error:

              pool-1-thread-2, handling exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
              pool-1-thread-2, SEND TLSv1 ALERT: fatal, description = internal_error
              pool-1-thread-2, WRITE: TLSv1 Alert, length = 2
              [Raw write]: length = 7
              0000: 15 03 01 00 02 02 50 ......P
              pool-1-thread-2, called closeSocket()
              pool-1-thread-2, IOException in getSession(): javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
              pool-1-thread-2, called close()
              pool-1-thread-2, called closeInternal(true)
              2012-07-11 09:09:25,972 pool-1-thread-2 [ERROR] - pool-1-thread-2 org.apache.commons.logging.Log - Exception happend waiting 5000 milisecond
              javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

              So I think that it is finding the truststore the first time.
              • 4. Re: SSLKeyException: RSA premaster secret error when running from command line
                948199
                EJP wrote:
                > > -Djava.ext.dirs=../lib
                > What's in there?
                Copied Maven dependency libraries:

                com.springsource.org.aopalliance-1.0.0.jar
                commons-codec-1.4.jar
                commons-collections-2.1.jar
                commons-dbcp-1.2.1.jar
                commons-logging-1.1.1.jar
                commons-pool-1.2.jar
                httpclient-4.1.jar
                httpcore-4.1.jar
                jdom-1.1.jar
                junit-3.8.1.jar
                log4j-1.2.16.jar
                mysql-connector-java-5.1.9.jar
                org.springframework.aop-3.0.5.RELEASE.jar
                org.springframework.asm-3.0.5.RELEASE.jar
                org.springframework.beans-3.0.5.RELEASE.jar
                org.springframework.context-3.0.5.RELEASE.jar
                org.springframework.core-3.0.5.RELEASE.jar
                org.springframework.expression-3.0.5.RELEASE.jar
                org.springframework.jdbc-3.0.5.RELEASE.jar
                org.springframework.transaction-3.0.5.RELEASE.jar
                spring-asm-3.0.5.RELEASE.jar
                spring-core-3.0.5.RELEASE.jar
                xercesImpl-2.0.2.jar
                xml-apis-1.0.b2.jar

                > > I added the certificate to the trust store.
                > You added the exported server certificate to the truststore?
                I use the program InstallCert to add the certificate
                http://blog.danielpecos.com/wp-content/uploads/2010/12/InstallCert.zip

                from the command line:
                java InstallCert host:443

                And it is adding an entry under the alias 192.168.1.2-1

                And when I run
                c:\Java\workspace\myapp-java\target\classes>keytool -list -keystore jssecacerts
                on the list I can see:
                192.168.1.2-1, 2012-07-09, trustedCertEntry,
                Certificate fingerprint (MD5): F3:55:51:D8:03:6B:C1:B4:68:DD:B4:60:CA:5C:1B:45
                • 5. Re: SSLKeyException: RSA premaster secret error when running from command line
                  EJP
                  java.ext.dirs is for approved Java extensions. JAR files should in general go in your own classpath, and java.ext.dirs is not intended as a shortcut for that. The only JARs in that list that might qualify are xercesImpl-2.0.2.jar
                  xml-apis-1.0.b2.jar, and they are both extremely out of date. Xerces.jar is up to 2.9.1, and xml-apis.jar is up to 1.3.04 at least. The ones already supplied in the JDK are far newer than the ones you are using.
                  • 6. Re: SSLKeyException: RSA premaster secret error when running from command line
                    948199
                    EJP wrote:
                    > java.ext.dirs is for approved Java extensions. JAR files should in general go in your own classpath, and java.ext.dirs is not intended as a shortcut for that. The only JARs in that list that might qualify are xercesImpl-2.0.2.jar
                    > xml-apis-1.0.b2.jar, and they are both extremely out of date. Xerces.jar is up to 2.9.1, and xml-apis.jar is up to 1.3.04 at least. The ones already supplied in the JDK are far newer than the ones you are using.
                    These old jars were from commons-dbcp-1.2.1.jar. I changed to 1.4 and they are gone from my lib folder - thanks for the tip.
                    But that did not change anything.

                    With your advice I changed my script to avoid using -Djava.ext.dirs

                    And it is working :-) now correctly :-)

                    So my problem is solved.

                    Thanks for help


                    My script:

                    rem Build the classpath: current directory plus every jar in ../lib
                    set MYCLASSPATH=.
                    set MYCLASSPATH=%MYCLASSPATH%;../lib/*

                    call java -Djavax.net.ssl.trustStore=jssecacerts -Djavax.net.ssl.trustStorePassword=changeit -cp %MYCLASSPATH% com.myapp.Main
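
Added example, not part of the original thread: a small Java diagnostic for the failure resolved above, to be run once with and once without -Djava.ext.dirs. It assumes the usual JDK 6 layout, where the SunJCE provider jar sits in the JRE's own lib/ext and setting java.ext.dirs replaces that default directory; the class name ExtDirsCheck is hypothetical.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;

// Added diagnostic (hypothetical class name). Run it with the same -D flags
// as the failing application and compare the output with a run without them.
public class ExtDirsCheck {

    // Providers listed in java.security (security.provider.N) that did not load.
    static List<String> missingProviders() {
        List<String> missing = new ArrayList<String>();
        for (int i = 1; ; i++) {
            String configured = Security.getProperty("security.provider." + i);
            if (configured == null) break;
            // Newer JDKs may append a config argument after the name.
            String name = configured.trim().split("\\s+")[0];
            boolean loaded = false;
            for (Provider p : Security.getProviders()) {
                // JDK 6-8 list class names; newer JDKs may list provider names.
                if (p.getClass().getName().equals(name)
                        || p.getName().equalsIgnoreCase(name)) {
                    loaded = true;
                }
            }
            if (!loaded) missing.add(name);
        }
        return missing;
    }

    public static void main(String[] args) {
        // Prints null on Java 9+, where the extension mechanism was removed.
        System.out.println("java.ext.dirs = " + System.getProperty("java.ext.dirs"));
        System.out.println("java.home     = " + System.getProperty("java.home"));
        for (Provider p : Security.getProviders()) {
            System.out.println("loaded: " + p.getName());
        }
        for (String name : missingProviders()) {
            System.out.println("configured but NOT loaded: " + name);
        }
        try {
            // The RSA key exchange encrypts the premaster secret with this cipher.
            Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            System.out.println("RSA cipher from: " + c.getProvider().getName());
        } catch (Exception e) {
            System.out.println("RSA cipher unavailable: " + e);
        }
    }
}
```

If a provider such as com.sun.crypto.provider.SunJCE is reported as configured but not loaded only when -Djava.ext.dirs is present, the override is hiding the JRE's own extension jars, and putting the application jars on -cp instead, as the final script does, avoids that.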