
Re: Hostname Verifier


psmelkov

Feb 2, 2005, 8:53:08 PM
The property in the server configuration applies only to the SSL clients running on the server. The command line property for stand-alone clients using the WebLogic APIs should be:
-Dweblogic.security.SSL.hostnameVerifier=myHostNameVerifier

Pavel.

Shivakumar B

Feb 3, 2005, 12:57:21 AM
Thanks Pavel, I have a client using the t3s protocol with 2-way SSL communication.
The client uses the demokey and democert provided by WebLogic 7.0.

When running my Java client (JMS publisher) to connect to the WebLogic server, I'm giving the command line option Dweblogic.security.SSL.hostnameVerifier=myHostNameVerifier,
but I'm getting the following error.

<NEW ALERT: com.certicom.tls.record.alert.Alert@b1074a Severity: 2 Type: 42
java.lang.Exception: Stack trace
at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:216)
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:69)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:127)
at java.io.DataOutputStream.flush(DataOutputStream.java:101)
at weblogic.rjvm.t3.T3JVMConnection.connect(T3JVMConnection.java:262)
at weblogic.rjvm.t3.T3SJVMConnection.createConnection(T3SJVMConnection.java:83)
at weblogic.rjvm.Protocol.createConnection(Protocol.java:231)
at weblogic.rjvm.ConnectionManager.findOrCreateConnection(ConnectionManager.java:1192)
at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:347)
at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:279)
at weblogic.rjvm.RJVMManager.findOrCreateRemoteInternal(RJVMManager.java:217)
at weblogic.rjvm.RJVMManager.findOrCreate(RJVMManager.java:175)
at weblogic.rjvm.RJVMFinder.findOrCreateRemoteServer(RJVMFinder.java:196)
at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:162)
at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:262)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:323)
at weblogic.jndi.Environment.getContext(Environment.java:154)
at weblogic.jndi.Environment.getInitialContext(Environment.java:137)
at TopicSend.getInitialContext(TopicSend.java:217)
at TopicSend.main(TopicSend.java:126)
>


javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:69)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:127)
at java.io.DataOutputStream.flush(DataOutputStream.java:101)
at weblogic.rjvm.t3.T3JVMConnection.connect(T3JVMConnection.java:262)
at weblogic.rjvm.t3.T3SJVMConnection.createConnection(T3SJVMConnection.java:83)
at weblogic.rjvm.Protocol.createConnection(Protocol.java:231)
at weblogic.rjvm.ConnectionManager.findOrCreateConnection(ConnectionManager.java:1192)
at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:347)
at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:279)
at weblogic.rjvm.RJVMManager.findOrCreateRemoteInternal(RJVMManager.java:217)
at weblogic.rjvm.RJVMManager.findOrCreate(RJVMManager.java:175)
at weblogic.rjvm.RJVMFinder.findOrCreateRemoteServer(RJVMFinder.java:196)
at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:162)
at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:262)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:323)
at weblogic.jndi.Environment.getContext(Environment.java:154)
at weblogic.jndi.Environment.getInitialContext(Environment.java:137)
at TopicSend.getInitialContext(TopicSend.java:217)
at TopicSend.main(TopicSend.java:126)


Any inputs on this?

Thanks
shiv

psmelkov

Feb 3, 2005, 9:44:03 AM
In 7.0 hostname verification is performed before the trust validation. Do you see the debug messages from your hostname verifier in the client output? Does your hostname verifier hostnameValidationCallback() method return true?
Make sure you configured the server and the client to trust each other's identity certs. Try disabling hostname verification with
-Dweblogic.security.SSL.ignoreHostnameVerify=true
and see if your connection works without it.
Run with ssl debug on: -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true
The log messages before the failure might provide more information.

Pavel.

Shivakumar B

Feb 4, 2005, 12:44:03 AM
Yes, the implementation of the verify() method in myHostnameVerifier returns true.

The Java client works perfectly with -Dweblogic.security.SSL.ignoreHostnameVerify=true.

It is failing when performing hostname validation.

I tried the following command too:
java -cp C:\bea\weblogic700\server\lib\weblogic.jar -Dweblogic.security.SSL.HostnameVerifier=myHostNameVerifier -Dweblogic.security.SSL.trustedCAKeyStore=C:\bea\weblogic700\server\lib\cacerts -Dweblogic.security.TrustKeyStore=DemoTrust -Dssl.debug=true -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true weblogic.Admin -url t3s://nt20884:7002 -username system -password weblogic PING 5

But the error in both cases (Java client and PING) is the same.

Here I'm attaching the traces (partial):

<Jan 4, 2004 10:35:04 AM GMT+05:30> <Debug> <TLS> <000000> <clientInfo has old style certificate and key>
<Jan 4, 2004 10:35:04 AM GMT+05:30> <Debug> <TLS> <000000> <client identity added>
<Jan 4, 2004 10:35:04 AM GMT+05:30> <Debug> <TLS> <000000> <Adding legacy expected name>
<Jan 4, 2004 10:35:04 AM GMT+05:30> <Debug> <TLS> <000000> <clientInfo settings applied>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 902782>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <SSLIOContextTable INITIALIZED>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <SSLSocket will NOT be Muxing>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <SSLIOContextTable.findContext(is): 6460907>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <write SSL_20_RECORD>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <isMuxerActivated: false>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <2550265 readRecord()>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <2550265 received HANDSHAKE>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHello>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <isMuxerActivated: false>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <2550265 readRecord()>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <2550265 received HANDSHAKE>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Certificate>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <performing hostname validation checks: nt20884.xxxxxxx.com>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <Server Certificate SubjectDN CommonName received (weblogic.bea.com) does not match Server hostname (nt20884.xxxxxxx.com)>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <NEW ALERT: com.certicom.tls.record.alert.Alert@49b290 Severity: 2 Type: 42

Thanks
Shiv

psmelkov

Feb 4, 2005, 3:42:31 PM
The property for setting hostname verifier should be exactly: weblogic.security.SSL.hostnameVerifier
You have it with the capital h in "hostnameVerifier".
Also make sure your class has a public constructor with no parameters, and is in the classpath - in the command below you only include weblogic.jar.

Pavel.
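The mismatch in Shiv's trace above (demo certificate CN weblogic.bea.com against host nt20884.xxxxxxx.com) is exactly the condition a hostname verifier exists to catch, so a verifier whose verify() always returns true, or running with ignoreHostnameVerify=true, removes that protection rather than fixing the certificate. As an added example, not code from the thread or from WebLogic, the block below shows the comparison rule such a check applies and parses the TLS debug line that reports the result; the trace lines are a constructed copy of the ones quoted above, and the wildcard rule is the conventional one rather than WebLogic 7.0's own.

```python
import re

# Constructed copy of two of the WebLogic 7.0 TLS debug lines quoted in the thread.
TRACE = """\
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <performing hostname validation checks: nt20884.xxxxxxx.com>
<Jan 4, 2004 10:35:05 AM GMT+05:30> <Debug> <TLS> <000000> <Server Certificate SubjectDN CommonName received (weblogic.bea.com) does not match Server hostname (nt20884.xxxxxxx.com)>
"""

# Pattern for the mismatch line; group 1 is the certificate CN, group 2 the host from the URL.
MISMATCH_RE = re.compile(
    r"CommonName received \(([^)]+)\) does not match Server hostname \(([^)]+)\)"
)


def find_mismatch(trace):
    """Return (cert_cn, url_hostname) from the first mismatch line in the trace, or None."""
    for line in trace.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            return m.group(1), m.group(2)
    return None


def hostname_matches(url_hostname, cert_cn):
    """Decide whether a certificate CN covers the host the client connected to.

    Comparison is case-insensitive. A wildcard is accepted only as the leftmost
    label, covers exactly one label, and needs at least two fixed labels after it
    (assumed conventional rule; not taken from WebLogic).
    """
    host_labels = url_hostname.lower().rstrip(".").split(".")
    cn_labels = cert_cn.lower().rstrip(".").split(".")
    if cn_labels[0] == "*":
        return (len(cn_labels) >= 3
                and len(host_labels) == len(cn_labels)
                and host_labels[1:] == cn_labels[1:])
    return host_labels == cn_labels


def explain(trace):
    """Turn the trace into the remediation a verifier should lead to: a matching cert."""
    found = find_mismatch(trace)
    if found is None:
        return "no hostname mismatch recorded"
    cn, host = found
    if hostname_matches(host, cn):
        return f"CN {cn} covers {host}; the mismatch line is stale"
    return f"CN {cn} does not cover {host}: issue the server a certificate for {host}"
```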
