1 Reply Latest reply: Jun 19, 2013 2:44 AM by e2500a92-2a5a-4213-836f-6834baec8d48

    Weblogic custom TrustManager ignored

    e2500a92-2a5a-4213-836f-6834baec8d48

      Hi, I have two WebLogic servers communicating over 2-way SSL. The truststore of server A doesn't contain server B's certificate because I want to validate the connection dynamically. Obviously, when server A tries to connect to server B it receives a CERT_CHAIN_UNTRUSTED message and WebLogic ends the handshake. I've created a custom TrustManager (NulledTrustManager) on server A to let the handshake continue, but it seems to be ignored. My code is:

      import java.io.BufferedReader;
      import java.io.InputStreamReader;
      import java.io.OutputStream;
      import javax.net.ssl.SSLSocket;
      import weblogic.security.SSL.SSLContext;
      import weblogic.security.SSL.SSLSocketFactory;

      // certChain and key hold server A's identity, loaded earlier (not shown);
      // sos is the servlet's response writer, used to echo server B's reply.
      SSLContext sslCtx = SSLContext.getInstance("SSL");
      sslCtx.loadLocalIdentity(certChain, key);
      // Custom trust decision for this context instead of the truststore lookup
      sslCtx.setTrustManager(new NulledTrustManager());
      sslCtx.setHostnameVerifier(new NulledHostnameVerifier());
      SSLSocketFactory slsf = sslCtx.getSocketFactory();
      SSLSocket socket = (SSLSocket) slsf.createSocket("localhost", 7002);
      socket.addHandshakeCompletedListener(new MyListener());
      OutputStream out = socket.getOutputStream();
      String req = "GET /index HTTP/1.0\r\n\r\n";
      out.write(req.getBytes());   // the first write drives the SSL handshake
      out.flush();
      BufferedReader br = new BufferedReader(new InputStreamReader(socket.getInputStream()));
      String line;
      while ((line = br.readLine()) != null) {
          sos.println(line);
      }
      socket.close();

      The NulledTrustManager (it lets every connection continue):

       

      import java.security.cert.X509Certificate;
      import weblogic.security.SSL.TrustManager;

      // Returns true for every chain whatever validateErr says: validation is disabled.
      public class NulledTrustManager implements TrustManager {
          public boolean certificateCallback(X509Certificate[] o, int validateErr) {
              return true;
          }
      }

       

      The server A log after a connection is:

       

      <19-jun-2013 09H33' CEST> <Debug> <SecuritySSL> <BEA-000000> <Cannot complete the certificate chain: No trusted cert found>
      <19-jun-2013 09H33' CEST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 58988062797800385840231136164251226667
      Issuer:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY, CN=CertGenCAB
      Subject:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY, CN=94176m
      Not Valid Before:Sun Jun 16 13:00:37 CEST 2013
      Not Valid After:Sat Jun 17 13:00:37 CEST 2028
      Signature Algorithm:MD5withRSA
      >
      <19-jun-2013 09H33' CEST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 16>
      <19-jun-2013 09H33' CEST> <Debug> <SecuritySSL> <BEA-000000> <  cert[0] = Serial number: 58988062797800385840231136164251226667
      Issuer:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY, CN=CertGenCAB
      Subject:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY, CN=94176m
      Not Valid Before:Sun Jun 16 13:00:37 CEST 2013
      Not Valid After:Sat Jun 17 13:00:37 CEST 2028
      Signature Algorithm:MD5withRSA
      >
      ERR_CERT_CHAIN_UNTRUSTED
      certificate 0 -- com.certicom.tls.provider.spec.JSAFE_RSAPublicKey@1a39f8
      <19-jun-2013 09H33' CEST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 16>
      <19-jun-2013 09H33' CEST> <Warning> <Security> <BEA-090477> <Certificate chain received from localhost - 127.0.0.1 was not trusted causing SSL handshake failure.>
      <19-jun-2013 09H33' CEST> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 16>
      <19-jun-2013 09H33' CEST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is untrusted>
      <19-jun-2013 09H33' CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 16>
      <19-jun-2013 09H33' CEST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (16):  CERT_CHAIN_UNTRUSTED>
      <19-jun-2013 09H33' CEST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
      java.lang.Exception: New alert stack
      at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
      at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
      at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
      at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
      at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
      at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
      at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
      at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
      at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
      at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
      at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
      at com.certicom.tls.record.WriteHandler.write(Unknown Source)
      at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
      at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
      at es.msssi.Peticion_appC.doGet(Peticion_appC.java:101)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
      at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
      at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
      at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
      at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:184)
      at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3732)
      at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
      at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
      at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
      at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
      at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
      at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
      at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
      at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
      >
      <19-jun-2013 09H33' CEST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
      <19-jun-2013 09H33' CEST> <Debug> <SecuritySSL> <BEA-000000> <close(): 14708438>

       

      Could you help me? I don't know whether I need to do something more to establish communication between servers A & B.
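An added example (not the poster's code) of what a "dynamic" trust decision can look like without the trust-all shortcut: a WebLogic TrustManager that overrides only the CERT_CHAIN_UNTRUSTED status (value 16, as shown in the log above), and only when the leaf certificate's SHA-256 fingerprint is in an allow-list that can be swapped at runtime. The class name, the allow-list source and the use of a plain int constant for the status are assumptions; every other validation error still fails the handshake.

```java
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import weblogic.security.SSL.TrustManager;

// Hypothetical replacement for NulledTrustManager: trust is granted per peer
// certificate from a refreshable allow-list, not unconditionally.
public class PinnedTrustManager implements TrustManager {

    // Taken from the poster's log: "Trust status (16):  CERT_CHAIN_UNTRUSTED".
    private static final int CERT_CHAIN_UNTRUSTED = 16;

    // Lowercase hex SHA-256 of each allowed peer's DER-encoded leaf certificate.
    private volatile Set<String> allowedFingerprints;

    public PinnedTrustManager(Set<String> allowedFingerprints) {
        this.allowedFingerprints = Collections.unmodifiableSet(allowedFingerprints);
    }

    // Refresh the allow-list at runtime (e.g. after re-reading a peer registry).
    public void setAllowedFingerprints(Set<String> fingerprints) {
        this.allowedFingerprints = Collections.unmodifiableSet(fingerprints);
    }

    @Override
    public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
        if (validateErr == 0) {
            return true;                       // WebLogic already trusts the chain
        }
        // Override nothing but the untrusted-chain status: if any other status
        // bit is set (expired, not yet valid, inconsistent chain, ...) reject.
        if ((validateErr & ~CERT_CHAIN_UNTRUSTED) != 0 || chain == null || chain.length == 0) {
            return false;
        }
        try {
            chain[0].checkValidity();          // enforce the validity period ourselves
            return allowedFingerprints.contains(sha256Hex(chain[0].getEncoded()));
        } catch (Exception e) {
            return false;                      // any failure during validation means no trust
        }
    }

    static String sha256Hex(byte[] der) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Pass an instance to sslCtx.setTrustManager(...) in place of NulledTrustManager; the log line "weblogic user specified trustmanager validation status ..." then reflects this class's decision for each connection.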