6 Replies Latest reply: Apr 21, 2011 11:31 PM by 855850

    Help requested with Importing a website's CA certificate into my Java App

    855850
      Hello everyone,

      First of all, I'm not sure if this is the right category for my question, so if not please move it appropriately.

      I'm creating a desktop application that will update your IPv4 address to Tunnelbroker (Hurricane Electric's IPv6 tunnel service). Right now it's about 76% complete, and I'm testing it out. My problem is this: Tunnelbroker uses their own CA Certificate (SSL) for their https:// connection, and it's not valid in Java/Netbeans. So, whenever I try to update the IPv4 address, I get the following:
      Can't read from the Internet: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching ipv4.tunnelbroker.net found
      The website is https://ipv4.tunnelbroker.net (so you can verify that it's a valid site/certificate).

      I've found workarounds for importing my OWN CA Certificate into the application (or Netbeans), but nothing about importing a valid third-party CA Certificate into the application (or Netbeans). I've posted this question to the Netbeans forums--but have yet to receive anything from them. Also, I've found workarounds for trusting all certificates (although I'm not sure how to implement that into my application).

      What I'm looking for is either a) how to import the certificate into my application, so the user won't have to deal with it b) a workaround to bypass the security check c) any other method of getting over this hurdle.

      I'd say I'm an intermediate developer, so pointing me to something like "Adding a Certificate Exception" is fine, except that I need to know whether I can take everything inside of the main method and put it as its own method somewhere (or do I need to create an entire class for that portion).

      Also, I don't necessarily want to use the "Trust All Certificates" method. Even though the end-user won't be able to change the site, I don't want to create that much of a security hole.

      Thank you for any assistance in this. (As an aside note, this will enable me to finally mark another "open" question as answered, as I haven't been able to test it yet because of this issue).

      Have a great day:)
      Patrick.
        • 1. Re: Help requested with Importing a website's CA certificate into my Java App
          EJP
          Someone from Sun posted code to do exactly this some years ago. I have it bookmarked on a different computer, will follow up with the URL when I find it.
          • 2. Re: Help requested with Importing a website's CA certificate into my Java App
            855850
            Awesome. Thank you very much for this. I'll be looking forward to it.

            Have a great day:)
            Patrick.
            • 3. Re: Help requested with Importing a website's CA certificate into my Java App
              EJP
              http://blogs.sun.com/andreas/entry/no_more_unable_to_find
              • 4. Re: Help requested with Importing a website's CA certificate into my Java App
                855850
                EJP wrote:
                http://blogs.sun.com/andreas/entry/no_more_unable_to_find
                Hi EJP,

                I'm one step ahead of you (sort of). I found that post, and followed it. Although I do have a few questions about it. One is somewhat stupid (as I think I should --and do know the answer to it).  In the blog post, Andreas refers to "copy it into your $JAVA_HOME/jre/lib/security directory. "  I'm not sure if I copied it into the right directory (as I'm running Ubuntu, and there are a few different locations with /jre/lib/security).  So, how do I find the right directory?  In my case, I chose "/usr/lib/jvm/java-6-openjdk/jre/lib/security" for the directory location.

                Along that line, I'm creating the application in JavaFX, so do the JSSE cacerts still apply (I would think "yes" because the url utility and https utility are in Java--not JavaFX, but I want to make sure). If so, then I may just try the documentation route, to force netbeans to use my jssecacerts file instead of its builtin.ks file (which is where I'm running into this issue).

                Third, when I deploy the application, will it deploy the certificate also (or will the user have to manually import the certificate somehow)? I'm assuming that the user will have the certificate in their browser store already. I'd say it's a safe assumption because in order to use the tunnelbroker service, you have to go to the website that I'm pointing to (in order to update your IPv4 endpoint) or use an automated script.

                If it sounds like I'm more new to this than I let on, I probably am.. I've had three courses in Java in school, and have programmed in other languages (mostly dead ones that no one has ever heard of) in school. This is my first solo (non-school) project that I'm undertaking in Java.

                Thanks for all of your help, and have a great day:)
                Patrick.
                • 5. Re: Help requested with Importing a website's CA certificate into my Java App
                  EJP
                  1. It should be in the directory of the JRE, not the JDK. The end user won't have one.

                  2. Dunno, I would think so.

                  3. This is a step for the end user to perform, not you. You don't want to be telling the end user who to trust, for all kinds of legal liability reasons. You want him to decide.
                  • 6. Re: Help requested with Importing a website's CA certificate into my Java App
                    855850
                    EJP wrote:
                    1. It should be in the directory of the JRE, not the JDK. The end user won't have one.

                    2. Dunno, I would think so.

                    3. This is a step for the end user to perform, not you. You don't want to be telling the end user who to trust, for all kinds of legal liability reasons. You want him to decide.
                    Hello again.

                    I have an update to this. I found out that the domain tunnelbroker.net is in my cacerts (at least if I run a small program to test the SSL Certificate for the site), however since it doesn't list ipv4.tunnelbroker.net as an alternative (that I can see), this is why I'm getting the SSL HandshakeException error.

                    Here is the script that I ran (compiled and then used java -Djavax.net.debug=all TestSSL https://ipv4.tunnelbroker.net to run it).
                    import java.io.BufferedReader;
                    import java.io.InputStream;
                    import java.io.InputStreamReader;
                    import java.net.URL;
                    import java.net.URLConnection;
                    
                    /**
                     * @author Daryl Banttari
                     *
                     */
                    public class TestSSL {
                    
                        public static void main(String[] args) {
                            // default url:
                    
                            String urlString = "https://www.paypal.com/";
                    
                            // if any url specified, use that instead:
                    
                            if(args.length > 0) {
                                urlString = args[0];
                            }
                            System.out.println("Connecting to " + urlString + "...");
                            
                            try {
                                // convert user string to URL object
                    
                                URL url = new URL(urlString);
                    
                                // connect!
                    
                                URLConnection cnx = url.openConnection();
                                cnx.connect();
                    
                                // read the page returned
                    
                                InputStream ins = cnx.getInputStream();
                                BufferedReader in = new BufferedReader(new InputStreamReader(ins));
                                String curline;
                                while( (curline = in.readLine()) != null ) {
                                    System.out.println(curline);
                                }
                    
                                // close the connection
                    
                                ins.close();
                            }
                            catch(Throwable t) {
                                t.printStackTrace();
                            }
                    
                        }
                    }
                    And here are the results of the complete debugging ***** WARNING there's a lot here ****

                    Connecting to https://ipv4.tunnelbroker.net...
                    keyStore is :
                    keyStore type is : jks
                    keyStore provider is :
                    init keystore
                    init keymanager of type SunX509
                    trustStore is: /usr/lib/jvm/java-6-openjdk/jre/lib/security/jssecacerts
                    trustStore type is : jks
                    trustStore provider is :
                    init truststore

                    < ... Snipped to conserve space... >

                    adding as trusted cert:
                    Subject: OU=RSA Security 1024 V3, O=RSA Security Inc
                    Issuer: OU=RSA Security 1024 V3, O=RSA Security Inc
                    Algorithm: RSA; Serial number: 0xa0101010000027c0000000b00000002
                    Valid from Thu Feb 22 15:01:49 CST 2001 until Sun Feb 22 14:01:49 CST 2026

                    adding as trusted cert:
                    Subject: EMAILADDRESS=info@he.net, CN=tunnelbroker.net, OU=IPV6, O="Hurricane Electric, LLC", L=Fremont, ST=California, C=US
                    Issuer: EMAILADDRESS=info@he.net, CN=tunnelbroker.net, OU=IPV6, O="Hurricane Electric, LLC", L=Fremont, ST=California, C=US
                    Algorithm: RSA; Serial number: 0xbc201a57ebb49897
                    Valid from Tue Jul 10 20:35:31 CDT 2007 until Fri Jul 07 20:35:31 CDT 2017

                    adding as trusted cert:
                    Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
                    Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
                    Algorithm: RSA; Serial number: 0x9b7e0649a33e62b9d5ee90487129ef57
                    Valid from Thu Sep 30 19:00:00 CDT 1999 until Wed Jul 16 18:59:59 CDT 2036

                    adding as trusted cert:
                    Subject: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
                    Issuer: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
                    Algorithm: RSA; Serial number: 0x1
                    Valid from Tue May 30 05:38:31 CDT 2000 until Sat May 30 05:38:31 CDT 2020

                    adding as trusted cert:
                    Subject: CN=CC Signet - PCA Klasa 2, OU=Centrum Certyfikacji Signet, O=TP Internet Sp. z o.o., C=PL
                    Issuer: CN=CC Signet - RootCA, OU=Centrum Certyfikacji Signet, O=TP Internet Sp. z o.o., C=PL
                    Algorithm: RSA; Serial number: 0x3cbede10
                    Valid from Thu Apr 18 09:54:08 CDT 2002 until Mon Sep 21 10:42:19 CDT 2026

                    < ... Snipped to conserve space... >

                    trigger seeding of SecureRandom
                    done seeding SecureRandom
                    Allow unsafe renegotiation: false
                    Allow legacy hello messages: true
                    Is initial handshake: true
                    Is secure renegotiation: false
                    %% No cached client session
                    *** ClientHello, TLSv1
                    RandomCookie: GMT: 1286668278 bytes = { 67, 34, 247, 171, 23, 198, 239, 55, 170, 174, 198, 240, 212, 155, 66, 209, 111, 146, 87, 177, 42, 3, 70, 62, 239, 10, 223, 89 }
                    Session ID: {}
                    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
                    Compression Methods: { 0 }
                    Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
                    Extension ec_point_formats, formats: [uncompressed]
                    ***
                    [write] MD5 and SHA1 hashes: len = 177
                    main, WRITE: TLSv1 Handshake, length = 177
                    [write] MD5 and SHA1 hashes: len = 173
                    main, WRITE: SSLv2 client hello message, length = 173
                    [Raw write]: length = 175
                    [Raw read]: length = 5
                    0000: 16 03 01 00 4A ....J
                    [Raw read]: length = 74
                    main, READ: TLSv1 Handshake, length = 74
                    *** ServerHello, TLSv1
                    RandomCookie: GMT: 1286668279 bytes = { 139, 214, 225, 90, 66, 187, 209, 102, 61, 206, 214, 127, 65, 85, 39, 88, 162, 1, 53, 255, 208, 234, 207, 26, 74, 4, 177, 213 }
                    Session ID: {89, 242, 19, 161, 3, 178, 31, 57, 88, 84, 187, 218, 194, 76, 244, 187, 23, 84, 240, 215, 19, 93, 176, 35, 237, 63, 49, 125, 232, 186, 89, 98}
                    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
                    Compression Method: 0
                    ***
                    Warning: No renegotiation indication extension in ServerHello
                    %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
                    ** SSL_RSA_WITH_RC4_128_MD5
                    [read] MD5 and SHA1 hashes: len = 74
                    [Raw read]: length = 5
                    0000: 16 03 01 02 BF .....
                    [Raw read]: length = 703
                    main, READ: TLSv1 Handshake, length = 703
                    *** Certificate chain
                    chain [0] = [
                    [
                    Version: V1
                    Subject: EMAILADDRESS=info@he.net, CN=tunnelbroker.net, OU=IPV6, O="Hurricane Electric, LLC", L=Fremont, ST=California, C=US
                    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

                    Key: Sun RSA public key, 1024 bits
                    modulus: 151078214832725997135839062949249516337507001175872585678208884131491712232432816986255053685674730439436945979324335861205079532450830475393857978740049212402170775011735778076852329233310431150139137152539823492882314808967689085169519290729775244738682251391827885615393137851975032443040800861047648470639
                    public exponent: 65537
                    Validity: [From: Tue Jul 10 20:35:31 CDT 2007,
                                   To: Fri Jul 07 20:35:31 CDT 2017]
                    Issuer: EMAILADDRESS=info@he.net, CN=tunnelbroker.net, OU=IPV6, O="Hurricane Electric, LLC", L=Fremont, ST=California, C=US
                    SerialNumber: [    bc201a57 ebb49897]

                    ]
                    Algorithm: [MD5withRSA]
                    Signature:

                    ]
                    ***
                    Found trusted certificate:
                    [
                    [
                    Version: V1
                    Subject: EMAILADDRESS=info@he.net, CN=tunnelbroker.net, OU=IPV6, O="Hurricane Electric, LLC", L=Fremont, ST=California, C=US
                    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

                    Key: Sun RSA public key, 1024 bits
                    modulus: 151078214832725997135839062949249516337507001175872585678208884131491712232432816986255053685674730439436945979324335861205079532450830475393857978740049212402170775011735778076852329233310431150139137152539823492882314808967689085169519290729775244738682251391827885615393137851975032443040800861047648470639
                    public exponent: 65537
                    Validity: [From: Tue Jul 10 20:35:31 CDT 2007,
                                   To: Fri Jul 07 20:35:31 CDT 2017]
                    Issuer: EMAILADDRESS=info@he.net, CN=tunnelbroker.net, OU=IPV6, O="Hurricane Electric, LLC", L=Fremont, ST=California, C=US
                    SerialNumber: [    bc201a57 ebb49897]

                    ]
                    Algorithm: [MD5withRSA]
                    Signature:

                    ]
                    main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
                    main, WRITE: TLSv1 Alert, length = 2
                    [Raw write]: length = 7
                    0000: 15 03 01 00 02 02 2E .......
                    main, called closeSocket()
                    main, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching ipv4.tunnelbroker.net found
                    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching ipv4.tunnelbroker.net found
                         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
                         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1665)
                         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:258)
                         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:252)
                         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165)
                         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
                         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:610)
                         at sun.security.ssl.Handshaker.process_record(Handshaker.java:546)
                         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:913)
                         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1158)
                         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1185)
                         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1169)
                         at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:440)
                         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
                         at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
                         at TestSSL.main(TestSSL.java:33)
                    Caused by: java.security.cert.CertificateException: No name matching ipv4.tunnelbroker.net found
                         at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:225)
                         at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
                         at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:285)
                         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:271)
                         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1144)
                         ... 11 more


                    So, now I'm trying to figure out how to get past this. Unless (and until) Tunnelbroker includes the alternative name in their certificate (or if it's included already, until I figure out how to get that alternative imported into my truststore), I'm never going to be able to update via java.

                    Have a great day:)
                    Patrick.
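
Added example, not part of the thread and not code from any poster or from the linked blog post: the debug log above shows the certificate is found in the truststore and only the name check fails, so a narrower alternative to "trust all certificates" is a HostnameVerifier that accepts exactly one host and exactly one pinned leaf certificate. The class name, the `accept` helper and the command-line arguments are assumptions made for illustration; the SHA-256 pin is a value you supply yourself.

```java
import java.net.URL;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

/** Hypothetical helper: one host + one pinned certificate, everything else rejected. */
public class PinnedHostExample {

    // Host name taken from the thread; the only name this exception covers.
    static final String EXPECTED_HOST = "ipv4.tunnelbroker.net";

    /** Lower-case hex SHA-256 of a DER-encoded certificate. */
    static String sha256Hex(byte[] der) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    /** Pure decision: the requested host AND the leaf certificate must both match. */
    static boolean accept(String requestedHost, byte[] leafDer,
                          String expectedHost, String pinnedSha256) throws Exception {
        if (requestedHost == null || !requestedHost.equalsIgnoreCase(expectedHost)) {
            return false; // the exception is for one host only
        }
        return sha256Hex(leafDer).equalsIgnoreCase(pinnedSha256);
    }

    /**
     * HttpsURLConnection calls this verifier when the URL host does not match the
     * name in the server certificate. Chain validation against the truststore is
     * still performed by the trust manager, so the certificate must be in
     * cacerts/jssecacerts, as it is in the log above.
     */
    static HostnameVerifier pinnedVerifier(final String expectedHost, final String pinnedSha256) {
        return new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                try {
                    Certificate[] chain = session.getPeerCertificates();
                    return accept(hostname, chain[0].getEncoded(), expectedHost, pinnedSha256);
                } catch (Exception e) {
                    return false; // fail closed on any error
                }
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Offline check with CONSTRUCTED bytes standing in for a DER certificate.
        byte[] sample = "constructed stand-in for certificate bytes".getBytes("US-ASCII");
        byte[] other = "a different constructed certificate".getBytes("US-ASCII");
        String pin = sha256Hex(sample);
        System.out.println("right host, right cert: " + accept(EXPECTED_HOST, sample, EXPECTED_HOST, pin));
        System.out.println("other host, right cert: " + accept("example.invalid", sample, EXPECTED_HOST, pin));
        System.out.println("right host, other cert: " + accept(EXPECTED_HOST, other, EXPECTED_HOST, pin));

        // Live use: java PinnedHostExample <https-url> <sha256-hex-of-leaf-cert>
        if (args.length == 2) {
            HttpsURLConnection cnx = (HttpsURLConnection) new URL(args[0]).openConnection();
            cnx.setHostnameVerifier(pinnedVerifier(EXPECTED_HOST, args[1])); // this connection only
            System.out.println("HTTP " + cnx.getResponseCode());
        }
    }
}
```

The verifier is set on the single connection rather than with `HttpsURLConnection.setDefaultHostnameVerifier`, so other HTTPS traffic in the application keeps the default name check. The pin has to be obtained over a channel you already trust and updated when the server's certificate is replaced.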