6 Replies Latest reply: Nov 24, 2012 8:41 AM by Valery_Cherepanov

    SSL issue - error message certificate chain not properly signed

    716133
      Hi,

      I have an SSL problem: my application is hosted on WebLogic 9.2, and a web service client program within it is trying to access a web service hosted somewhere else over SSL.

      Error:
      <detail>javax.net.ssl.SSLKeyException: [Security:090478]Certificate chain received from www.----------.com - <ip----> was not signed properly causing SSL handshake failure.
      </detail>]; nested exception is:
      javax.xml.rpc.soap.SOAPFaultException: Failed to receive message javax.net.ssl.SSLKeyException:

      ---- A detailed log is pasted at the end ----


      As per instructions, I exported the certificate chain using IE from the target site (3 files in a chain) and verified it using openssl and utils.validateCertChain, both of which said OK.
      However, I still get the error when running the client using WebLogic.

      With debug.ssl=true I could see /software/bea/wls/9.2mp3/jdk150_12/jre/lib/security/cacerts being loaded.

      The openssl command I used was
      openssl verify -purpose sslclient -CAfile Class3PublicPrimary.cer.txt -untrusted Class3PublicSecure.cer.txt targetwebsite.cer.txt
      which returned OK

      Do I need to import something into the truststore? Let me know what and how.

      WebLogic log ++++++++++++++++++++++++++++++++++++++++++++

      <Aug 6, 2009 6:53:13 PM BST> <Info> <WebLogicServer> <BEA-000307> <Exportable key maximum lifespan set to 500 uses.>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <Filtering JSSE SSLSocket>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <SSLIOContextTable.addContext(ctx): 42230359>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <SSLSocket will be Muxing>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <write SSL_20_RECORD>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <isMuxerActivated: false>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <42230033 SSL3/TLS MAC>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <42230033 received HANDSHAKE>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <HANDSHAKEMESSAGE: ServerHello>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <isMuxerActivated: false>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <42230033 SSL3/TLS MAC>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <42230033 received HANDSHAKE>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <HANDSHAKEMESSAGE: Certificate>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <Validating certificate 0 in the chain: Serial number: 38287950977644781559739749665553903791
      Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)05, CN=VeriSign Class 3 Secure Server CA
      Subject:C=GB, ST=York, L=York, O=******tions plc, OU=***, OU=Terms of use at www.verisign.com/rpa (c)05, CN=www.***.com
      Not Valid Before:Thu Nov 06 00:00:00 GMT 2008
      Not Valid After:Sat Nov 06 23:59:59 GMT 2010
      Signature Algorithm:SHA1withRSA

      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <Certificate chain is invalid because the issuer DN does not match the next certificate subject: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <Signature verification failed>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <Validating certificate 1 in the chain: Serial number: 4957........................6452
      Issuer:C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
      Subject:O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
      Not Valid Before:Thu Apr 17 01:00:00 BST 1997
      Not Valid After:Tue Oct 25 00:59:59 BST 2011
      Signature Algorithm:SHA1withRSA

      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <Validating certificate 2 in the chain: Serial number: 14984........................2463
      Issuer:C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
      Subject:C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
      Not Valid Before:Mon Jan 29 00:00:00 GMT 1996
      Not Valid After:Wed Aug 02 00:59:59 BST 2028
      Signature Algorithm:MD2withRSA

      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <validationCallback: validateErr = 9>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> < cert[0] = Serial number: 3828...........................3903791
      Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)05, CN=VeriSign Class 3 Secure Server CA
      Subject:C=GB, ST=York, L=York, O=******tions plc, OU=***, OU=Terms of use at www.verisign.com/rpa (c)05, CN=www.***.com
      Not Valid Before:Thu Nov 06 00:00:00 GMT 2008
      Not Valid After:Sat Nov 06 23:59:59 GMT 2010
      Signature Algorithm:SHA1withRSA

      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> < cert[1] = Serial number: 4957366763..................9116452
      Issuer:C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
      Subject:O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
      Not Valid Before:Thu Apr 17 01:00:00 BST 1997
      Not Valid After:Tue Oct 25 00:59:59 BST 2011
      Signature Algorithm:SHA1withRSA



      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <weblogic user specified trustmanager validation status 9>
      <Aug 6, 2009 6:53:13 PM BST> <Warning> <Security> <BEA-090478> <Certificate chain received from www.****.com - ***** was not signed properly causing SSL handshake failure.>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <Validation error = 9>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <Certificate chain is invalid>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <SSLTrustValidator returns: 9>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <Trust status (9): CERT_CHAIN_INVALID SIGNATURE_INVALID>
      <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <NEW ALERT with Severity: FATAL, Type: 42
      java.lang.Exception: New alert stack
           at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
           at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
           at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
           at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
           at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
           at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)

      +++++++++++++++++++++++++++++++++++++++++++++++++++++


      Regards
      N

      Edited by: user11704976 on Aug 8, 2009 5:04 AM

      Edited by: user11704976 on Aug 8, 2009 10:03 AM

      Edited by: user11704976 on Aug 8, 2009 10:04 AM

      Edited by: user11704976 on Aug 8, 2009 10:08 AM
        • 1. Re: SSL issue - error message certificate chain not properly signed
          Anuj Dwivedi--Oracle
          Hi,

          I think the problem is with the serial of the certificates:

          <Aug 6, 2009 6:53:13 PM BST> <Debug> <SecuritySSL> <000000> <Certificate chain is invalid because the issuer DN does not match the next certificate subject: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign>

          Access that site (the one your web service client is accessing) using Internet Explorer, and check the certificate chain it is presenting (in the Certification Path tab of the certificate this site presents). It should look like this:

          A Cert
          /--------- B Cert
          /--------- C cert

          A's subject name and issuer name should be the same. B's issuer name should be A's subject name, and similarly C's issuer name should be B's subject name.

          If possible, you may mail the certificate chain to my id (in my profile).

          Regards,
          Anuj

          Edited by: Anuj Dwivedi, Infosys on Aug 9, 2009 11:11 PM
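          The linking rule in this reply, and the "issuer DN does not match the next certificate subject" line in the original post's debug log, can be modelled with a small script. This is an added example, not code from the thread or from WebLogic; it only checks that each certificate's issuer DN equals the next certificate's subject DN and that the chain ends at a self-issued root. It does no signature verification, which is the separate check openssl verify performed. The CA DNs are copied from the debug log in the original post; the leaf subject is a constructed placeholder (www.example.com) standing in for the masked values.

```python
"""Issuer/subject linkage check for a certificate chain given as string DNs.

Added example. The CA distinguished names below are copied from the WebLogic
debug log quoted in the thread; the leaf subject is a constructed placeholder.
Only DN linkage is checked here, not signatures.
"""
from typing import Dict, List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split a string DN into (attribute, value) pairs.

    Copes with both renderings seen in the thread: RFC 2253 style with an
    escaped comma ("O=VeriSign\\, Inc.", as printed by utils.ValidateCertChain)
    and the WebLogic log style where the comma inside the value is not escaped
    ("O=VeriSign, Inc."). A comma-separated piece with no '=' is treated as the
    continuation of the previous value.
    """
    pieces: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    pieces.append("".join(buf))

    rdns: List[RDN] = []
    for piece in pieces:
        piece = piece.strip()
        if not piece:
            continue
        if "=" not in piece and rdns:        # unescaped comma inside the previous value
            attr, val = rdns[-1]
            rdns[-1] = (attr, val + ", " + piece)
            continue
        attr, _, val = piece.partition("=")
        rdns.append((attr.strip().upper(), " ".join(val.split())))
    return rdns


def dn_equal(a: str, b: str) -> bool:
    """Compare two DNs ignoring RDN order and whitespace.

    The WebLogic log prints C= first while utils.ValidateCertChain prints CN=
    first, so a plain string comparison would report a false mismatch.
    """
    return sorted(parse_dn(a)) == sorted(parse_dn(b))


def check_chain_links(chain: List[Dict[str, str]]) -> List[str]:
    """Return a list of problems; empty means cert[i].issuer == cert[i+1].subject
    for every link and the last certificate is self-issued (A in the reply)."""
    problems: List[str] = []
    for i in range(len(chain) - 1):
        if not dn_equal(chain[i]["issuer"], chain[i + 1]["subject"]):
            problems.append(
                f"cert[{i}] issuer does not match cert[{i + 1}] subject: "
                f"{chain[i]['issuer']!r} vs {chain[i + 1]['subject']!r}"
            )
    last = chain[-1]
    if not dn_equal(last["issuer"], last["subject"]):
        problems.append(f"cert[{len(chain) - 1}] is not self-issued; chain does not end at a root")
    return problems


# DNs from the debug log in the original post (two renderings of the same CA).
SECURE_SERVER_CA_LOG = ("C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, "
                        "OU=Terms of use at https://www.verisign.com/rpa (c)05, "
                        "CN=VeriSign Class 3 Secure Server CA")
SECURE_SERVER_CA_TOOL = ("CN=VeriSign Class 3 Secure Server CA,"
                         "OU=Terms of use at https://www.verisign.com/rpa (c)05,"
                         "OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US")
INTL_SERVER_CA = ("O=VeriSign Trust Network, OU=VeriSign, Inc., "
                  "OU=VeriSign International Server CA - Class 3, "
                  "OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign")
ROOT_CA = "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority"
LEAF = "C=GB, ST=York, L=York, O=Example plc, CN=www.example.com"   # constructed placeholder

# Chain as WebLogic logged it: cert[1] is the International Server CA.
CHAIN_AS_LOGGED = [
    {"subject": LEAF, "issuer": SECURE_SERVER_CA_LOG},
    {"subject": INTL_SERVER_CA, "issuer": ROOT_CA},
    {"subject": ROOT_CA, "issuer": ROOT_CA},
]
# Chain as utils.ValidateCertChain printed it in reply 4: cert[1] is the Secure Server CA.
CHAIN_AS_EXPORTED = [
    {"subject": LEAF, "issuer": SECURE_SERVER_CA_LOG},
    {"subject": SECURE_SERVER_CA_TOOL, "issuer": ROOT_CA},
    {"subject": ROOT_CA, "issuer": ROOT_CA},
]

if __name__ == "__main__":
    for name, chain in (("as logged", CHAIN_AS_LOGGED), ("as exported", CHAIN_AS_EXPORTED)):
        problems = check_chain_links(chain)
        print(name, "->", "OK" if not problems else problems)
```

          Run on the chain as logged, the check flags link 0 (Secure Server CA issuer versus International Server CA subject), which is exactly the message in the debug log; run on the chain as reply 4's validateCertChain output lists it, it passes, which is consistent with openssl and validateCertChain both reporting OK on the exported files.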
          • 2. Re: SSL issue - error message certificate chain not properly signed
            716133
            I thought so, but then I validated the entire chain (after exporting it using the browser) using openssl and WebLogic utils.validateCertChain, and both returned OK.
            Also, it is a widely used site with numerous clients who are not reporting any problem.

            Edited by: user11704976 on Aug 9, 2009 10:54 PM

            Edited by: user11704976 on Aug 9, 2009 10:57 PM
            • 3. Re: SSL issue - error message certificate chain not properly signed
              Anuj Dwivedi--Oracle
              Hi,

              It's really strange!! You may like to use the following command-line argument to control the level of certificate validation performed by WebLogic Server:

              -Dweblogic.security.SSL.enforceConstraints=strict

              OR -Dweblogic.security.SSL.enforceConstraints=off

              In the WebLogic 9.2 user guide it is mentioned (see the section "Troubleshooting Problems with Certificate Validation" at http://e-docs.bea.com/wls/docs92/secmanage/ssl.html#wp1194486):

              "If SSL communications that worked properly in a previous release of WebLogic Server start failing unexpectedly, the likely problem is that the certificate chain is failing the validation."

              Regards,
              Anuj
              • 4. Re: SSL issue - error message certificate chain not properly signed
                716133
                I have already tried -Dweblogic.security.SSL.enforceConstraints=off with no effect. In startWebLogic I put
                ..../java --Dweblogic.security.SSL.enforceConstraints=off ......
                It doesn't seem to help... really weird!

                However, I noticed a warning when validating using utils.ValidateCertChain:

                ...trying utils.validateCertChain
                Cert[0]: CN=www.*********.com,OU=Terms of use at www.verisign.com/rpa (c)05,OU=******,O=************,L=York,ST=York,C=GB
                Cert[1]: CN=VeriSign Class 3 Secure Server CA,OU=Terms of use at https://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
                CA is version 1, BasicConstraints extension will not be present which is valid for that version
                Cert[2]: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
                Certificate chain appears valid

                Notice the message: "CA is version 1, BasicConstraints extension will not be present which is valid for that version".

                Edited by: user11704976 on Aug 10, 2009 3:13 AM
                • 5. Re: SSL issue - error message certificate chain not properly signed
                  776235
                  Have you resolved this issue? I am also getting the same problem. Would you please help?
                  • 6. Re: SSL issue - error message certificate chain not properly signed
                    Valery_Cherepanov
                    Hi,
                    To anyone who ever stumbles upon this:
                    I had the very same issue with "Certificate chain received from www.----------.com - <ip----> was not signed properly causing" on WL 10.3.4.0.
                    The certificate was absolutely valid for browsers, for the Java SSL implementation (I ran the same code that creates the SSL connection in a standalone Java VM with no issue) and for a newer WL server (11g R1).
                    Both WL servers, the one I had the problem with and the other one, had the default SSL/keystore configuration (Demo trust). Importing the root certificate into the Demo trust keystore did not help.

                    It looks to me like the problem is with the SSL implementation WL uses (from Certicom), which for some reason handles certificate chain signatures differently.
                    After setting the property Server > Control > SSL > Advanced > Use JSSE SSL to true, the error went away.

                    --Valery