8 Replies Latest reply on Dec 5, 2012 1:27 PM by 910220

    Unrecognized critical extension ( in client certificate

      Hi all,

      I have created a web application that establishes a 2-way SSL communication channel. Numerous client certificates have been tested, belonging to various CAs, and no problem occurred. These days I'm testing a new certificate managed by a Turkish CA and unfortunately it cannot be validated due to the following error:

      <Dec 3, 2012 9:55:18 PM EET> <Warning> <Security> <BEA-090566> <The certificate chain received from XXX contained a V3 certificate with unrecognized critical extension:>
      <Dec 3, 2012 9:55:18 PM EET> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
      java.lang.Exception: New alert stack
      at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
      at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
      at com.certicom.tls.record.handshake.ServerStateSentHelloDone.handle(Unknown Source)
      at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
      at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
      at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
      at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
      at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
      at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
      at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
      at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
      at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
      at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
      at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
      at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)

      This is a qcStatement extension ( and is defined in the IETF RFC 3739 (http://www.faqs.org/rfcs/rfc3739.html). Unfortunately Weblogic seems not to support this RFC and the CertValidators fail to validate this certificate. I've tried many bypasses but nothing really worked, except if I add the certificate to the truststore which is completely out of the question. I can (and do) only add the issuing CA as a trustcacert.

      Has anyone faced this problem? Is there any solution to this?

      Any assistance will be really appreciated.

      Thank you in advance,
        • 1. Re: Unrecognized critical extension ( in client certificate
          Hello Paul,

          I did some quick research on this and observed that this happens to be a bug in WebLogic version 9.x, and patches are available for the same version.

          Are you on the same version of weblogic?

          Hope this answers your question.

          • 2. Re: Unrecognized critical extension ( in client certificate
            Hi Jetendra,

            we're using weblogic 10.3.4, but I couldn't find anything on the internet regarding this error (and I did a looong search for it). Could you give me some directions?

            Thank you in advance.

            • 3. Re: Unrecognized critical extension ( in client certificate
              Olaf Heimburger-Oracle
              This is easy to fix:

              1. Update the JRE jurisdiction files of the JDK to use the strong jurisdiction.
              2. In WLS turn on JSSE.
              3. Start WLS with these system property settings: -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true

              PS: In WLS 12c JSSE is used by default.
              PPS: I need to blog this one.
              • 4. Re: Unrecognized critical extension ( in client certificate
                I'm afraid that the problem persists (I used JSSE previously without the two system properties, but it didn't work). Again, I get an error message on the unrecognized critical extension.

                <Dec 4, 2012 3:29:18 PM EET> <Notice> <Stdout> <BEA-000000> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', fatal error: 46: General SSLEngine problem
                sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: unrecognized critical extension(s)>
                <Dec 4, 2012 3:29:18 PM EET> <Notice> <Stdout> <BEA-000000> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', SEND TLSv1 ALERT: fatal, description = certificate_unknown>
                <Dec 4, 2012 3:29:18 PM EET> <Notice> <Stdout> <BEA-000000> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', WRITE: TLSv1 Alert, length = 2>
                <Dec 4, 2012 3:29:18 PM EET> <Notice> <Stdout> <BEA-000000> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem>
                <Dec 4, 2012 3:29:18 PM EET> <Debug> <SecuritySSL> <BEA-000000> <[Thread[ExecuteThread: '2' for queue: 'weblogic.socket.Muxer',5,Thread Group for Queue: 'weblogic.socket.Muxer']]weblogic.security.SSL.jsseadapter: SSLENGINE: Exception occurred during SSLEngine.wrap(ByteBuffer,ByteBuffer).
                javax.net.ssl.SSLHandshakeException: General SSLEngine problem
                at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1015)

                Anyway, I appreciate your assistance.

                Best Regards,
                • 5. Re: Unrecognized critical extension ( in client certificate
                  Olaf Heimburger-Oracle
                  Sorry for being persistent, did you update your JDK with the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6" (this is the correct wording)?

                  You can find it here http://www.oracle.com/technetwork/java/javase/downloads/index.html (at the very end).

                  • 6. Re: Unrecognized critical extension ( in client certificate
                    Yes, I have installed the jurisdiction policy files. Actually, I've been working on security issues for some time now but I've never encountered a certificate with a V3 extension with oid (which causes the problem).

                    I've tried switching on/off JSSE, using Bouncy Castle as the security provider, jdk 6 (_37) and jdk7, but still nothing.

                    Edited by: PaulP on Dec 4, 2012 6:59 AM
                    • 7. Re: Unrecognized critical extension ( in client certificate
                      Mohammed Rayan-Oracle

                      I checked the RFC and it states QC as an OPTIONAL extension only.
                      So why not try to update the certificate extension from critical to non-critical and check it.

                      *3.2.6. Qualified Certificate Statements*

                      This section defines an OPTIONAL extension for the inclusion of
                      statements defining explicit properties of the certificate.

                      Each statement SHALL include an object identifier for the statement
                      and MAY also include optional qualifying data contained in the
                      statementInfo parameter.

                      If the statementInfo parameter is included, then the object
                      identifier of the statement SHALL define the syntax and SHOULD define
                      the semantics of this parameter.  If the object identifier does not
                      define the semantics, a relying party may have to consult a relevant
                      certificate policy or CPS to determine the exact semantics.

                      This extension may be critical or non-critical.  If the extension is
                      critical, this means that all statements included in the extension
                      are regarded as critical.

                      qcStatements  EXTENSION ::= {
                          SYNTAX             QCStatements
                          IDENTIFIED BY      id-pe-qcStatements }

                      -ext option is available in the keytool starting from JDK7

                      It is only possible with JDK 7.

                      -ext {name{:critical}{=value}}
                      Denotes an X.509 certificate extension. The option can be used in -genkeypair and -gencert to embed extensions into the certificate generated, or in -certreq to show what extensions are requested in the certificate request. The option can appear multiple times. name can be a supported extension name (see below) or an arbitrary OID number. value, if provided, denotes the parameter for the extension; if omitted, denotes the default value (if defined) of the extension or the extension requires no parameter. The :critical modifier, if provided, means the extension's isCritical attribute is true; otherwise, false. You may use :c in place of :critical.


                      • 8. Re: Unrecognized critical extension ( in client certificate
                        Hello there,

                        first of all, I deeply appreciate your contribution.

                        Your comment is 100% correct. This statement should be optional but it is critical instead. The problem is that this is not a certificate that I control, but instead an official qualified personal certificate (actually it refers to a dummy person, but the structure is the same) placed in a gemalto-based smart card and managed by a Turkish CA.

                        In any case, I realize that this may not be the correct forum to send my question since it has to do with Java security and not WebLogic.

                        Nevertheless, I'll keep the post in case someone has faced and solved this problem.

                        Thank you all again for your assistance,

                        Best Regards,
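
For the JSSE failure quoted in reply 4 (`CertPathValidatorException: unrecognized critical extension(s)`), the JDK's PKIX validator lets a relying party register a `PKIXCertPathChecker` that processes an extension itself and then removes it from the unresolved set. The following is an added example, not code from the thread or from WebLogic. The class name, the allow-list parameter and the use of OID 1.3.6.1.5.5.7.1.3 (id-pe-qcStatements in RFC 3739) for the extension under discussion are assumptions, and wiring the checker into WebLogic's SSL stack is not shown.

```java
import java.security.cert.*;
import java.util.*;
// Added example, not code from the thread. The OID is id-pe-qcStatements (RFC 3739),
// assumed here to be the critical extension the thread is about.
public final class QcStatementsChecker extends PKIXCertPathChecker {
    static final String QC_STATEMENTS = "1.3.6.1.5.5.7.1.3";
    private final Set<String> understood; // statement OIDs the relying party's policy handles
    public QcStatementsChecker(Set<String> oids) { understood = new HashSet<String>(oids); }
    @Override public void init(boolean forward) { }
    @Override public boolean isForwardCheckingSupported() { return false; }
    @Override public Set<String> getSupportedExtensions() { return Collections.singleton(QC_STATEMENTS); }
    @Override public void check(Certificate cert, Collection<String> unresolvedCritExts)
            throws CertPathValidatorException {
        byte[] der = ((X509Certificate) cert).getExtensionValue(QC_STATEMENTS);
        if (der == null) return; // extension absent, nothing to process
        try {
            int[] seq = tlv(der, tlv(der, 0, 0x04)[0], 0x30);  // OCTET STRING wrapping SEQUENCE OF
            for (int p = seq[0]; p < seq[0] + seq[1]; ) {
                int[] stmt = tlv(der, p, 0x30);                // one QCStatement
                String id = oid(der, tlv(der, stmt[0], 0x06)); // its statementId
                if (!understood.contains(id))
                    throw new CertPathValidatorException("unhandled QCStatement " + id);
                p = stmt[0] + stmt[1];
            }
        } catch (RuntimeException e) { // truncated or malformed DER
            throw new CertPathValidatorException("malformed qcStatements", e);
        }
        unresolvedCritExts.remove(QC_STATEMENTS); // processed, so no longer unresolved
    }
    private static int[] tlv(byte[] b, int pos, int tag) { // returns {contentOffset, contentLength}
        if ((b[pos] & 0xff) != tag) throw new IllegalArgumentException("unexpected tag");
        int len = b[pos + 1] & 0xff, off = pos + 2;
        if (len > 0x7f) { // long form: low 7 bits give the number of length bytes
            int n = len & 0x7f; len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (b[off++] & 0xff);
        }
        if (len < 0 || len > b.length - off) throw new IllegalArgumentException("bad length");
        return new int[] { off, len };
    }
    private static String oid(byte[] b, int[] tl) { // DER OID content -> dotted string
        StringBuilder sb = new StringBuilder(); long v = 0;
        for (int i = tl[0]; i < tl[0] + tl[1]; i++) {
            v = (v << 7) | (b[i] & 0x7f);
            if ((b[i] & 0x80) != 0) continue; // more base-128 digits follow
            if (sb.length() == 0) { long x = Math.min(v / 40, 2); sb.append(x).append('.').append(v - 40 * x); }
            else sb.append('.').append(v);
            v = 0;
        }
        return sb.toString();
    }
}
```

Register an instance with `PKIXParameters.addCertPathChecker(...)` before calling `CertPathValidator.validate`. A certificate whose qcStatements carries a statement outside the allow-list, or whose extension value does not parse, still fails validation.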