Dear experts,
I am trying to connect to the webserver of a Siemens S7-1500 PLC using a Java-based client (version 1.8.0_66). The following error is thrown:
27/09 13:50:02:040[WT-EventQueue-0] show[uri=http://10.58.200.70/Portal/Portal.mwsl?coming_from_intro=true&PriNav=Start&intro_enter_button=ENTER][parameters=coming_from_intro=true, PriNav=Start, intro_enter_button=ENTER, ]
27/09 13:50:04:724[zationUpdates-1] Load toc
sep 27, 2018 1:50:24 PM com.sun.webkit.network.URLLoader doRun
WARNING: Unexpected error
javax.net.ssl.SSLProtocolException: java.io.IOException: Duplicate extensions not allowed
at sun.security.ssl.HandshakeMessage$CertificateMsg.<init>(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at com.sun.webkit.network.URLLoader.sendRequest(Unknown Source)
at com.sun.webkit.network.URLLoader.doRun(Unknown Source)
at com.sun.webkit.network.URLLoader.lambda$run$91(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.webkit.network.URLLoader.run(Unknown Source)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed
at sun.security.x509.X509CertInfo.<init>(Unknown Source)
at sun.security.x509.X509CertImpl.parse(Unknown Source)
at sun.security.x509.X509CertImpl.<init>(Unknown Source)
at sun.security.provider.X509Factory.engineGenerateCertificate(Unknown Source)
at java.security.cert.CertificateFactory.generateCertificate(Unknown Source)
... 21 more
Caused by: java.io.IOException: Duplicate extensions not allowed
at sun.security.x509.CertificateExtensions.parseExtension(Unknown Source)
at sun.security.x509.CertificateExtensions.init(Unknown Source)
at sun.security.x509.CertificateExtensions.<init>(Unknown Source)
at sun.security.x509.X509CertInfo.parse(Unknown Source)
... 26 more
It seems that the certificate created by Siemens is not formatted exactly the way Java likes it. However, it is very well possible to connect to the webserver using any web browser or non-Java client, so it seems that only the Java implementation considers this certificate to be "BAD".
Is there a way to bypass this problem? NB: it is not possible to change the certificate in the server!