This is the mail archive of the java@gcc.gnu.org mailing list for the Java project.
Re: JESSIE - SSL BAD_CERTIFICATE Exception
- From: "Casey Marshall" <casey dot s dot marshall at gmail dot com>
- To: "Jary Grove" <jarygrove at yahoo dot com>
- Cc: java at gcc dot gnu dot org
- Date: Mon, 20 Oct 2008 13:02:20 -0700
- Subject: Re: JESSIE - SSL BAD_CERTIFICATE Exception
- References: <611102.96310.qm@web110006.mail.gq1.yahoo.com>
On Sat, Oct 18, 2008 at 2:17 PM, Jary Grove <jarygrove@yahoo.com> wrote:
> I am getting the BAD CERTIFICATE exception with jessie, any idea? I am using the latest build.
>
> Following is the exception log:
>
> SSL HANDSHAKE output to {0}; state:{1}; outBuffer:{2} java.nio.ByteBufferImpl[pos=5 lim=18432 cap=18432] WRITE_CLIENT_HELLO null
> SSL HANDSHAKE loop state={0} WRITE_CLIENT_HELLO
> SSL HANDSHAKE {0} struct {
> version: TLSv1.1;
> random:
> struct {
> gmt_unix_time: 1224363825;
> random_bytes: 9a:15:99:6d:25:e3:04:7c:ff:3a:12:e1:ff:19:b1:f6:61:07:a3:2e:57:cc:aa:db:dd:47:82:f5;
> } Random; sessionId: ;
> cipher_suites:
> [30] {
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_DH_DSS_WITH_AES_256_CBC_SHA,
> TLS_DH_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DH_DSS_WITH_AES_128_CBC_SHA,
> TLS_DH_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,
> TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_RSA_WITH_RC4_128_MD5,
> TLS_RSA_WITH_RC4_128_SHA,
> TLS_DHE_DSS_WITH_DES_CBC_SHA,
> TLS_DHE_RSA_WITH_DES_CBC_SHA,
> TLS_DH_DSS_WITH_DES_CBC_SHA,
> TLS_DH_RSA_WITH_DES_CBC_SHA,
> TLS_RSA_WITH_DES_CBC_SHA,
> TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
> TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
> TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
> TLS_RSA_EXPORT_WITH_RC4_40_MD5,
> TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
> TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
> TLS_RSA_WITH_NULL_MD5,
> TLS_RSA_WITH_NULL_SHA
> };
> compression_methods:
> [1] {
> NULL
> };
> extensions: ExtensionList {
> length = 2;
> };
> } ClientHello;
> SSL HANDSHAKE processing in state {0}:
> {1} READ_SERVER_HELLO struct {
> type: SERVER_HELLO;
> struct {
> version: TLSv1;
> random:
> struct {
> gmt_unix_time: 1224363827;
> random_bytes: 9a:a2:ee:0f:d6:e5:22:22:8d:66:f0:f6:57:c1:a6:60:7e:a1:01:25:df:7e:05:2e:08:1c:c6:de;
> } Random;
> sessionId: e1:07:00:00:36:0f:05:21:64:d7:f4:e2:7c:7d:6d:b4:6c:50:7a:9d:26:99:03:e0:bc:23:f9:db:df:09:61:8a;
> cipherSuite: TLS_RSA_WITH_RC4_128_MD5;
> compressionMethod: NULL;
> extensions:
> (nil)
> } ServerHello;
> } Handshake;
> SSL HANDSHAKE processing in state {0}:
> {1} READ_CERTIFICATE struct {
> type: CERTIFICATE;
> struct {
> java.security.cert.CertificateException: malformed GeneralName: Tag class is 0;
> } Certificate;
> } Handshake;
This part looks relevant. It's possible that the X.509 parser in
classpath/gcj isn't able to properly parse your certificate. In this
case, it's failing to parse the GeneralName extension.
I don't remember the details of ASN.1, DER, and this certificate
extension, but it's possible this extension blob in your certificate
isn't correct.
One thing that may help this is to change the certificate parser to
just ignore extensions that it can't parse, leaving them as blobs of
bytes, unless someone wants to use that extension. X.509 and interop
is a bag of pain; adding hacks and special cases to handle
not-quite-correct certificates is something everyone ends up doing.
Anyway, I'll call this a bug in our certificate parser.
Thanks.
> gnu.javax.net.ssl.provider.AlertException: BAD_CERTIFICATE: locally generated; FATAL
> SSL HANDSHAKE output to {0}; state:{1}; outBuffer:{2} java.nio.ByteBufferImpl[pos=5 lim=18432 cap=18432] WRITE_CLIENT_HELLO null
> SSL HANDSHAKE loop state={0} WRITE_CLIENT_HELLO
> SSL HANDSHAKE {0} struct {
> version: TLSv1.1;
> random:
> struct {
> gmt_unix_time: 1224363826;
> random_bytes: 84:d5:62:3a:00:a9:d5:c9:3c:fe:13:05:6d:04:10:9e:0e:5b:ae:b7:72:37:b4:ef:f8:56:7d:79;
> } Random; sessionId: ;
> cipher_suites:
> [30] {
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_DH_DSS_WITH_AES_256_CBC_SHA,
> TLS_DH_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DH_DSS_WITH_AES_128_CBC_SHA,
> TLS_DH_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,
> TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_RSA_WITH_RC4_128_MD5,
> TLS_RSA_WITH_RC4_128_SHA,
> TLS_DHE_DSS_WITH_DES_CBC_SHA,
> TLS_DHE_RSA_WITH_DES_CBC_SHA,
> TLS_DH_DSS_WITH_DES_CBC_SHA,
> TLS_DH_RSA_WITH_DES_CBC_SHA,
> TLS_RSA_WITH_DES_CBC_SHA,
> TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
> TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
> TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
> TLS_RSA_EXPORT_WITH_RC4_40_MD5,
> TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
> TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
> TLS_RSA_WITH_NULL_MD5,
> TLS_RSA_WITH_NULL_SHA
> };
> compression_methods:
> [1] {
> NULL
> };
> extensions: ExtensionList {
> length = 2;
> };
> } ClientHello;
> SSL HANDSHAKE processing in state {0}:
> {1} READ_SERVER_HELLO struct {
> type: SERVER_HELLO;
> struct {
> version: TLSv1;
> random:
> struct {
> gmt_unix_time: 1224363827;
> random_bytes: 36:f4:51:d4:92:23:79:ac:41:86:d2:ec:29:c8:3b:e8:58:78:72:4e:42:48:0b:27:97:df:59:b0;
> } Random;
> sessionId: d8:03:00:00:cf:90:b3:93:8c:9d:e6:ca:b1:7a:f1:cf:6f:4f:1f:20:ab:86:c8:d9:ff:61:c4:a4:2d:68:b4:0d;
> cipherSuite: TLS_RSA_WITH_RC4_128_MD5;
> compressionMethod: NULL;
> extensions:
> (nil)
> } ServerHello;
> } Handshake;
> SSL HANDSHAKE processing in state {0}:
> {1} READ_CERTIFICATE struct {
> type: CERTIFICATE;
> struct {
> java.security.cert.CertificateException: malformed GeneralName: Tag class is 0;
> } Certificate;
> } Handshake;
>
> Thanks
> Jary
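The failure discussed in this thread, as an added example that is not code from GNU Classpath, gcj or either poster: a minimal DER walker for a SubjectAltName value that performs the strict GeneralName tag-class check (every CHOICE alternative of GeneralName must carry a context-specific [n] tag, so a universal tag gives a "malformed GeneralName: Tag class is 0" style error), beside the lenient strategy Casey suggests of keeping an unparsable extension as an opaque blob. The two SAN encodings and all function names below are constructed for this illustration.

```python
# Added illustration, not GNU Classpath code: strict vs. lenient handling of
# a SubjectAltName (GeneralNames ::= SEQUENCE OF GeneralName) in DER.

# Context-specific tag numbers of the GeneralName CHOICE alternatives used here.
GENERAL_NAME_TYPES = {1: "rfc822Name", 2: "dNSName",
                      6: "uniformResourceIdentifier", 7: "iPAddress"}

def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos] (short-form tags, lengths up to 2^16).
    Returns (tag_class, constructed, tag_number, value, next_pos)."""
    first = buf[pos]
    tag_class = first >> 6            # 0 universal, 1 application, 2 context, 3 private
    constructed = bool(first & 0x20)
    tag_number = first & 0x1F
    if tag_number == 0x1F:
        raise ValueError("high-tag-number form not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag_class, constructed, tag_number, buf[pos:pos + length], pos + length

def parse_general_names(der):
    """Strict parse: fail on any GeneralName that is not context-specific."""
    tag_class, constructed, tag_number, body, _ = read_tlv(der, 0)
    if (tag_class, constructed, tag_number) != (0, True, 0x10):
        raise ValueError("GeneralNames is not a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag_class, _, tag_number, value, pos = read_tlv(body, pos)
        if tag_class != 2:            # the check that the Classpath-style error reports
            raise ValueError("malformed GeneralName: Tag class is %d" % tag_class)
        kind = GENERAL_NAME_TYPES.get(tag_number, "[%d]" % tag_number)
        text = value.decode("ascii") if tag_number in (1, 2, 6) else value
        names.append((kind, text))
    return names

def parse_san_lenient(der):
    """Lenient variant: parsed names, or the raw extension bytes plus the reason."""
    try:
        return ("parsed", parse_general_names(der))
    except ValueError as exc:
        return ("opaque", der, str(exc))

# Constructed sample: SAN { dNSName "example.com" } with the correct [2] tag (0x82).
GOOD_SAN = bytes.fromhex("300d820b6578616d706c652e636f6d")
# Constructed sample: same name mis-encoded as a universal IA5String (0x16, class 0).
BAD_SAN = bytes.fromhex("300d160b6578616d706c652e636f6d")
```

Run against GOOD_SAN the strict parser yields the dNSName; against BAD_SAN it raises, while the lenient variant keeps the bytes so the rest of the certificate can still be used.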