Y2k bug in JSSE sample program URLReaderWithOptions.java
Andrew
command line:
java -classpath .;jcert.jar;jnet.jar;jsse.jar URLReaderWithOptions -k
com.sun.net.ssl.internal.www.protocol -h proxy.cat.com -p 80
I get an SSLException if the client computer's date is after the year
2000.
Exception in thread "main" javax.net.ssl.SSLException: untrusted server
cert cha
in
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
at java.io.OutputStream.write(OutputStream.java:65)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.www.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.www.NetworkClient.openServer([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.www.https.HttpClient.d([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.www.https.HttpClient.<init>([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.www.https.HttpsClient.<init>([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.www.https.HttpsClient.New([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
at java.net.URL.openStream(URL.java:818)
at URLReaderWithOptions.main(URLReaderWithOptions.java, Compiled
Code)
When the client's computer date is set to Dec. 31, 1999, verisign's html
code
is displayed on the client without any exceptions.
The verisign home page certificate that is accessed by the sample
program is valid through July of 2000.
I initially found this bug in some of my own code that downloads files
from an
https secure server inside a firewall that exhibits the exact same bug
as the
Sun example.
Any help would be appreciated,
Andrew Westberg
Mark Wittl
Sure enough....I had some sample HTTPS programs I had written using the JSSE
that worked as recently as last Friday. I tried them today and got the same
error messages as you. I then set my clock back to 12/4/99 and EVERYTHING
WORKED. Now what do we do??
- Mark Wittl
- Sr. Designer, Norfolk Southern Corp.
- mew...@nscorp.com
Andrew <and...@pic.cat.com> wrote in message
news:3872229F...@pic.cat.com...
Andrew
is the e-mail response I received from them.
Andrew-
The bug report you submitted has been determined to
be a new bug. It has been entered into our internal
bug tracking system with the assigned Bug Id: 4302483
The state of the bug can be monitored via the The Java
Developer Connection Bug Parade at:
http://developer.java.sun.com/developer/bugParade/index.jshtml
It may take a day or two before your bug shows up in this
external database.
The Java Developer Connection is a free channel that is maintained
by staff here at Sun. Access this web page to join:
http://developer.java.sun.com/servlet/RegistrationServlet
The home page for the Java Developer Connection is:
http://java.sun.com/jdc
Regards, Sheri
----------------- Original Bug Report-------------------
category : jsse
subcategory : examples
type : bug
synopsis : SSLException occurs in URLReaderWithOptions example program
description : This exception is the same as Bug Id 4283025 which closed as not a
bug.
However, this example works fine for a 1999 date and does not work for
a Year 2000 date.
java version "1.2.2"
Classic VM (build JDK-1.2.2-W, native threads, symcjit)
When running the URLReaderWithOptions example jsse program with the command
line:
C:\jdk1.2.2\jsse1.0\samples\urls>java -classpath .;jcert.jar;jnet.jar;jsse.jar U
RLReaderWithOptions -k com.sun.net.ssl.internal.www.protocol -h proxy.cat.com -p
80
When run with the client's date set to Jan 4, 2000, the program crashes with
the following SSLException:
Exception in thread "main" javax.net.ssl.SSLException: untrusted server cert
chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120
198])
at
com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
at java.io.OutputStream.write(OutputStream.java:65)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198
])
at
com.sun.net.ssl.internal.www.https.HttpsClient.doConnect([DashoPro-V1.2-120198]
)
at
com.sun.net.ssl.internal.www.NetworkClient.openServer([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.www.https.HttpClient.d([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.www.https.HttpClient.<init>([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.www.https.HttpsClient.<init>([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.www.https.HttpsClient.New([DashoPro-V1.2-120198])
at
com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPr
o-V1.2-120198])
at
com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([
DashoPro-V1.2-120198])
at java.net.URL.openStream(URL.java:818)
at URLReaderWithOptions.main(URLReaderWithOptions.java, Compiled Code)
When the client's computer date is set to Dec. 31, 1999, verisign's html code
is displayed on the client without any exceptions.
The verisign home page certificate is valid through July of 2000.
I initially found this bug in some of my own code that downloads files from an
https secure server inside a firewall that exhibits the exact same bug as the
Sun example.
workaround : Set the user's computer to December 31, 1999
suggested_val :
cust_name : Andrew Westberg
cust_email : westberg...@cat.com
jdcid :
keyword : webbug
company : Caterpillar Incorporated
release : 1.0
hardware : x86
OSversion : win_nt_4.0
priority : 3
bugtraqID : 0
dateCreated : 2000-01-04 06:56:07.0
dateEvaluated : 2000-01-04 09:16:49.9
Peter...@csfb.com
Did you hear any further information from Sun?
I note that the bug hasn't made it to their bug
database yet.
Does anyone have suggestions of workarounds or
alternate public domain or commercial SSL implementations
that support HTTPS?
Peter Booth
Peter...@csfb.com
In article <387262A1...@pic.cat.com>,
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-
V1.2-120198
>
> ])
> at
> com.sun.net.ssl.internal.www.https.HttpsClient.doConnect([DashoPro-
V1.2-120198]
>
> )
> at
> com.sun.net.ssl.internal.www.NetworkClient.openServer([DashoPro-V1.2-
120198])
> at
> com.sun.net.ssl.internal.www.https.HttpClient.d([DashoPro-V1.2-
120198])
> at
> com.sun.net.ssl.internal.www.https.HttpClient.<init>([DashoPro-V1.2-
120198])
> at
> com.sun.net.ssl.internal.www.https.HttpsClient.<init>([DashoPro-V1.2-
120198])
> at
> com.sun.net.ssl.internal.www.https.HttpsClient.New([DashoPro-V1.2-
120198])
> at
>
com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect
([DashoPr
>
> o-V1.2-120198])
> at
>
com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputS
tream([
>
> DashoPro-V1.2-120198])
([DashoPro-V1.2-
> > 120198])
> > >
> > > at
> > >
> > com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-
V1.2-120198
> > ])
> > >
> > > at
> > > com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-
120198])
> > > at
> > > com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-
120198])
> > > at
> > > com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-
120198])
> > >
> > > at java.io.OutputStream.write(OutputStream.java:65)
> > > at
> > >
> > com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-
V1.2-120
> > 198])
> > >
> > > at
> > >
>
Sent via Deja.com http://www.deja.com/
Before you buy.
Andrew
probably for bad press related reasons. They informed me that this was a
Level 1 bug and that it was being worked on as their highest priority. They
were unable to give a time estimate as to when a fix would be available.
Andrew Westberg