6 Replies Latest reply: Jul 11, 2012 1:49 AM by 948199

SSLKeyException: RSA premaster secret error when running from command line

948199 Newbie
Welcome,
I'm writing an HTTPS client using the Apache HttpClient library 4.1. I have a self-signed certificate.
It runs correctly from my IDE - STS Spring Tool Suite, but when run from the command line (in a bat file)

call C:\Java\jdk\jdk1.6.0_32x64\bin\java -Djavax.net.debug=all -Dcom.sun.management.jmxremote -Djavax.net.ssl.trustStore=jssecacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.dirs=../lib com.myapp.Main

I get:

pool-1-thread-2, handling exception: javax.net.ssl.SSLKeyException: RSA premaster secret error
pool-1-thread-2, SEND TLSv1 ALERT: fatal, description = unexpected_message
pool-1-thread-2, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 0A .......
pool-1-thread-2, called closeSocket()
pool-1-thread-2, IOException in getSession(): javax.net.ssl.SSLKeyException: RSA premaster secret error
pool-1-thread-2, called close()
pool-1-thread-2, called closeInternal(true)
2012-07-09 14:09:53,053 pool-1-thread-2 [ERROR] - pool-1-thread-2 org.apache.commons.logging.Log -
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
...

Why is it working in STS?

I put the JARs from http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html into the jre folder.
I added the certificate to the trust store.
I am working on Windows 7 64-bit.


Any help appreciated
Regards
  • 1. Re: SSLKeyException: RSA premaster secret error when running from command line
    handat Expert
    It won't find jssecacerts unless it is in the same directory as where you are running the command from.
    Try specifying the full path to your jssecacerts file.
  • 2. Re: SSLKeyException: RSA premaster secret error when running from command line
    EJP Guru
    -Djava.ext.dirs=../lib
    What's in there?
    I added certificate to trust store.
    You added the exported server certificate to the truststore?
  • 3. Re: SSLKeyException: RSA premaster secret error when running from command line
    948199 Newbie
    I changed my bat script; now it looks like this:

    call java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=C:\Java\workspace\myapp-java\target\classes\jssecacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.dirs=../lib com.myapp.Main

    and nothing changed.
    I did one more test and set a bad path to jssecacerts, for example: C:\Javaaaaaaaaa\workspace\myapp-java\target\classes\jssecacerts
    and then I get a different error:

    pool-1-thread-2, handling exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    pool-1-thread-2, SEND TLSv1 ALERT: fatal, description = internal_error
    pool-1-thread-2, WRITE: TLSv1 Alert, length = 2
    [Raw write]: length = 7
    0000: 15 03 01 00 02 02 50 ......P
    pool-1-thread-2, called closeSocket()
    pool-1-thread-2, IOException in getSession(): javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    pool-1-thread-2, called close()
    pool-1-thread-2, called closeInternal(true)
    2012-07-11 09:09:25,972 pool-1-thread-2 [ERROR] - pool-1-thread-2 org.apache.commons.logging.Log - Exception happend waiting 5000 milisecond
    javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

    So I think that it is finding the truststore the first time.
  • 4. Re: SSLKeyException: RSA premaster secret error when running from command line
    948199 Newbie
    EJP wrote:
    -Djava.ext.dirs=../lib
    What's in there?
    Copied maven dependency libraries:

    com.springsource.org.aopalliance-1.0.0.jar
    commons-codec-1.4.jar
    commons-collections-2.1.jar
    commons-dbcp-1.2.1.jar
    commons-logging-1.1.1.jar
    commons-pool-1.2.jar
    httpclient-4.1.jar
    httpcore-4.1.jar
    jdom-1.1.jar
    junit-3.8.1.jar
    log4j-1.2.16.jar
    mysql-connector-java-5.1.9.jar
    org.springframework.aop-3.0.5.RELEASE.jar
    org.springframework.asm-3.0.5.RELEASE.jar
    org.springframework.beans-3.0.5.RELEASE.jar
    org.springframework.context-3.0.5.RELEASE.jar
    org.springframework.core-3.0.5.RELEASE.jar
    org.springframework.expression-3.0.5.RELEASE.jar
    org.springframework.jdbc-3.0.5.RELEASE.jar
    org.springframework.transaction-3.0.5.RELEASE.jar
    spring-asm-3.0.5.RELEASE.jar
    spring-core-3.0.5.RELEASE.jar
    xercesImpl-2.0.2.jar
    xml-apis-1.0.b2.jar

    I added certificate to trust store.
    You added the exported server certificate to the truststore?
    I use the program InstallCert to add the certificate
    http://blog.danielpecos.com/wp-content/uploads/2010/12/InstallCert.zip

    from the command line:
    java InstallCert host:443

    And under alias 192.168.1.2-1 it adds an entry

    And when I run
    c:\Java\workspace\myapp-java\target\classes>keytool -list -keystore jssecacerts
    On the list I can see:
    192.168.1.2-1, 2012-07-09, trustedCertEntry,
    Certificate fingerprint (MD5): F3:55:51:D8:03:6B:C1:B4:68:DD:B4:60:CA:5C:1B:45
  • 5. Re: SSLKeyException: RSA premaster secret error when running from command line
    EJP Guru
    java.ext.dirs is for approved Java extensions. JAR files should in general go in your own classpath, and java.ext.dirs is not intended as a shortcut for that. The only JARs in that list that might qualify are xercesImpl-2.0.2.jar and xml-apis-1.0.b2.jar, and they are both extremely out of date. Xerces.jar is up to 2.9.1, and xml-apis.jar is up to 1.3.04 at least. The ones already supplied in the JDK are far newer than the ones you are using.
  • 6. Re: SSLKeyException: RSA premaster secret error when running from command line
    948199 Newbie
    EJP wrote:
    java.ext.dirs is for approved Java extensions. JAR files should in general go in your own classpath, and java.ext.dirs is not intended as a shortcut for that. The only JARs in that list that might qualify are xercesImpl-2.0.2.jar and xml-apis-1.0.b2.jar, and they are both extremely out of date. Xerces.jar is up to 2.9.1, and xml-apis.jar is up to 1.3.04 at least. The ones already supplied in the JDK are far newer than the ones you are using.
    These old JARs were from commons-dbcp-1.2.1.jar. I changed to 1.4 and they are gone from my lib folder - thanks for the tip.
    But that did not change anything.

    Following your advice I changed my script to avoid using -Djava.ext.dirs

    And it is working :-) now correctly :-)

    So my problem is solved.

    Thanks for the help


    My script:

    set MYCLASSPATH=.
    set MYCLASSPATH=%MYCLASSPATH%;../lib/*

    call java -Djavax.net.ssl.trustStore=jssecacerts -Djavax.net.ssl.trustStorePassword=changeit -cp %MYCLASSPATH% com.myapp.Main
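
An added diagnostic, not part of the original thread, for the two points raised above: a relative `javax.net.ssl.trustStore` path resolves against the working directory, and `-Djava.ext.dirs=../lib` replaces the JRE's default extension directory (on JDK 6 that is where `sunjce_provider.jar` lives) instead of adding to it. The class name `TlsEnvCheck` is hypothetical, and the code assumes the RSA key exchange needs the `RSA/ECB/PKCS1Padding` cipher from a JCE provider; run it once from the IDE and once with the batch file's JVM options and compare the output.

```java
import java.io.File;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

// Added diagnostic (hypothetical class name, not from the thread).
// Written without Java 7+ syntax so it also compiles on the JDK 6 used above.
public class TlsEnvCheck {

    // Assumption: the RSA key exchange obtains this cipher from a JCE provider.
    static final String RSA_TRANSFORMATION = "RSA/ECB/PKCS1Padding";

    // True if some registered provider can supply the RSA cipher.
    static boolean rsaCipherAvailable() {
        try {
            Cipher.getInstance(RSA_TRANSFORMATION);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        } catch (NoSuchPaddingException e) {
            return false;
        }
    }

    // Shows where a relative trustStore path really points and whether it exists.
    static String describeTrustStore() {
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null) {
            return "not set (JRE default trust store is used)";
        }
        File f = new File(path);
        return f.getAbsolutePath() + (f.isFile() ? " [found]" : " [MISSING]");
    }

    public static void main(String[] args) {
        System.out.println("user.dir      = " + System.getProperty("user.dir"));
        System.out.println("java.home     = " + System.getProperty("java.home"));
        // null on JDKs that no longer have the extension mechanism
        System.out.println("java.ext.dirs = " + System.getProperty("java.ext.dirs"));
        System.out.println("trustStore    = " + describeTrustStore());
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("provider " + (i + 1) + ": " + providers[i].getName());
        }
        System.out.println(RSA_TRANSFORMATION + " available: " + rsaCipherAvailable());
    }
}
```

A run in which `SunJCE` is absent from the provider list and the cipher is reported unavailable, while the same class run from the IDE shows both, points at the `java.ext.dirs` override rather than at the trust store.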
