Error #6: Keystore is loaded but it's not bearing appropriate rights

Subject: Error #6: Keystore is loaded but it's not bearing appropriate rights
Author: authen
In response to: Error #5: Keystore is loaded but it's not bearing the hostname
Posted on: 02/28/2008 01:22:17 PM

If your server's certificate does not have the right to run service. It's up to your client applications to trust it or not.

For clients using Sun JDK SSL library, for example, the certificate is going to be rejected and the following exception is, on client side, expected:


javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Extended key usage 
			does not permit use for TLS server authentication
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1522)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:180)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:861)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:111)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:509)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:447)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:822)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1034)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1061)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1045)
	at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:344)
	at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:208)
	at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)
	at sun.security.validator.EndEntityChecker.checkTLSServer(EndEntityChecker.java:252)
	at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:117)
	at sun.security.validator.Validator.validate(Validator.java:221)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:199)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:239)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)

On server side, you will see something like this:


javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
	at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
	at java.io.BufferedInputStream.fill(Unknown Source)
	at java.io.BufferedInputStream.read(Unknown Source)

>
> On 02/26/2008 06:52:23 PM authen wrote:

If your server's certificate is bearing a subject, say 'CN=ServerB,DC=myCompany,DC=com', that is different from the hostname of the machine, say 'ServerA', on which your server is running, you might have troubles in convincing your clients that the server is a genuine one. It's up to your clients to trust it or not.

For clients using Sun JDK SSL library, for example, the hostname unmatched certificate is acceptable.

For clients using JDNI StartTLS library, for example, the hostname unmatched certificate is NOT acceptable and the following exception is, on client side, thrown:

javax.net.ssl.SSLPeerUnverifiedException: hostname of the server 'ServerA' does not match the hostname in the server's certificate. at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:437) at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:216) at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161) at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:210) at sun.security.util.HostnameChecker.match(HostnameChecker.java:77) at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:416) ... 3 more

References:

Next Post: SSL/TLS Error Database -- To Trust/Validate An Incoming Connection authen 02/28/2008 06:32:10 PM
Previous Post: Error #5: Keystore is loaded but it's not bearing the hostname authen 02/26/2008 06:52:23 PM
Next Topic: SSL/TLS Error Database -- To Trust/Validate An Incoming Connection authen 02/28/2008 06:32:10 PM
Previous Topic: Syntax error, parameterized types are only available if source level is 5.0 EricJ 11/29/2007 01:40:51 PM
Index: by Date
Index: by Topic