Create keystore for H2 SSL connection


Jijo AC

Apr 29, 2016, 2:33:08 AM
to H2 Database
We tried to connect to the H2 server in SSL mode, but it failed with Java 8 because of some valid certificate missing. So we would like to use our own keystores. How can we create a keystore?

Thomas Mueller

Apr 29, 2016, 3:09:20 PM
to h2-da...@googlegroups.com
Hi,

I think the problem is that Java 8 doesn't support self-signed certificates any longer (for security reasons I guess).

I'm not sure what the best solution is, I'm afraid.

Regards,
Thomas



On Friday, April 29, 2016, Jijo AC <jijo...@gmail.com> wrote:
We tried to connect to the H2 server in SSL mode, but it failed with Java 8 because of some valid certificate missing. So we would like to use our own keystores. How can we create a keystore?



Tomas Pospichal

May 10, 2016, 3:00:40 PM
to H2 Database
If you want just encryption (without server authentication), you do not need any certificates for your H2 server, at least in theory.

In practice, this was fixed only after the last version (1.4.191) was released, so you would need to use a more recent development version, for instance http://www.h2database.com/automated/h2-latest.jar, to have SSL connections working right away.

For TLS with certificates, look at http://h2database.com/html/advanced.html#tls_connections
It is important to follow the advice given there and set the two system properties (related to your keystore) before starting the h2 server.
Beware that if your own certificate is not signed by an authority trusted by the clients, it will not be any better than the default h2 certificate.

Regards,
Tomas

Kerry Sainsbury

May 18, 2016, 5:29:46 PM
to h2-da...@googlegroups.com
Can't you use a free certificate from the EFF's "Let's Encrypt" project?

https://letsencrypt.org/


Tomas Pospichal

May 19, 2016, 5:24:42 PM
to H2 Database

You can try to see if Let's Encrypt certificates are accepted as trusted by the intended client machines. It is not possible to make any general claims, because the set of trusted certificates depends on the version of Java and sometimes also the operating system.

Because Let's Encrypt is a new certificate authority, I think you would have to be rather lucky to have it so easy. Modern browsers do accept those certificates as trusted, but that does not mean a Java client will do the same.

To check your system (a client machine which will be connecting to the server), you can first find a website which is using a recently issued certificate from Let's Encrypt: pick a host name from the list of issued certificates mentioned at https://letsencrypt.org/certificates/index.html#certificate-transparency and check in a browser (in some browsers by clicking the padlock icon next to the URL) that the https:// connection to the host serves a certificate signed by Let's Encrypt (they will be the Issuer). The website at https://letsencrypt.org itself is not a good example, since it seems to be using a certificate which is signed differently from the certificates you would be able to obtain.

Once you have a suitable host name, you can try connecting from Java, using that host name in url = "https://...":

        new java.net.URL(url).openConnection().connect();

Most likely, it will fail with javax.net.ssl.SSLHandshakeException, meaning that the certificate is not trusted (as far as Java is concerned).

And in that case, the only way to make it trusted is to manually add the Let's Encrypt certificate (or one of the certificates which signed it) to the set of trusted root certificates on your client machines (again, what to do exactly will depend on the system type).

In the end, you can indeed use letsencrypt certificates, but there might be a fairly nontrivial amount of setup work required, especially in case the client machines are many or are not under your direct control.

Regards,
Tomas