Since all the certs from websites are signed by root CAs and such, and I am writing a client, not a server, how would I create an SSLEngine that can connect to them all? Or do I have to download certs and such to connect? (I am hoping that the JDK has all the same info as the browsers regarding certs and such, so doing this should be easy, although I am having trouble with my Google skills in finding it since most links are about servers.)
EDIT: For more clarity, I have client code like the following that works with a self-signed cert. Currently, I downloaded the cert from the website I wanted through Chrome by clicking on the lock. I then imported that into my keystore, but it's still not working...
    import java.io.InputStream;
    import java.security.KeyStore;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLEngine;
    import javax.net.ssl.TrustManagerFactory;

    private SSLEngine createEngine() {
        try {
            // Trust store bundled with the application (JKS format).
            InputStream in = this.getClass().getResourceAsStream("/prodKeyStore.jks");
            //char[] passphrase = password.toCharArray();
            // First initialize the key and trust material.
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, "lP9Ow1uYXZr9zgt6".toCharArray());
            SSLContext sslContext = SSLContext.getInstance("TLS");
            //****************Client side specific*********************
            // TrustManagers decide whether to allow connections.
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
            tmf.init(ks);
            // No KeyManagers: the client does not present a certificate.
            sslContext.init(null, tmf.getTrustManagers(), null);
            //****************Client side specific*********************
            // Engine is created without a peer host/port here.
            SSLEngine engine = sslContext.createSSLEngine();
            engine.setUseClientMode(true);
            return engine;
        } catch (Exception e) {
            throw new RuntimeException("Could not create SSLEngine", e);
        }
    }
Next, I am going to try to figure out how to turn on debugging for the SSL exchange and see if that helps any. Currently, I am at a loss as to why this is not working.
OUCH, the debug logs point to this:
javax.net.ssl|DEBUG|21|httpclient2|2020-02-18 08:13:05.095 MST|CertificateMessage.java:358|Consuming server Certificate handshake message (
"Certificates": [
"certificate" : {
"version" : "v3",
"serial number" : "00 90 76 89 18 E9 33 93 A0",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=invalid2.invalid, OU="No SNI provided; please fix your client."",
"not before" : "2014-12-31 17:00:00.000 MST",
"not after" : "2029-12-31 17:00:00.000 MST",
"subject" : "CN=invalid2.invalid, OU="No SNI provided; please fix your client."",
"subject public key" : "RSA",
"extensions" : [
So something is screwing things up big time, but I'm not sure what yet. This is JDK 8. Not sure how to fix this yet.
Thanks, Dean
It turned out there is one line wrong, and it has to be this:

    SSLEngine engine = sslContext.createSSLEngine(host, port);

and then it all works!
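As an added, complete example (not code from the original post), the two cases the question asks about side by side: an engine for public websites that relies on the JDK's bundled root CAs, so nothing has to be downloaded or imported, and an engine for a server behind a private or self-signed CA that trusts only a supplied JKS trust store. Both pass host and port to createSSLEngine so SNI is sent, set the SNI name explicitly, and turn on HTTPS endpoint identification, which SSLEngine does not do by default. The class name ClientEngineFactory, the method names and the example.com host are assumptions for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

// Assumed helper class, not from the original post.
public class ClientEngineFactory {

    // Public websites: trust the JDK's bundled root CAs (lib/security/cacerts).
    // Passing null TrustManagers to init() selects that default trust store,
    // so no certificate needs to be downloaded or imported.
    public static SSLEngine forPublicSite(String host, int port) {
        try {
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, null, null);
            return configure(ctx, host, port);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("Could not create SSLEngine", e);
        }
    }

    // Private or self-signed CA: trust only the given JKS trust store.
    // The stream and password are assumed to be supplied by the caller.
    public static SSLEngine forPrivateCa(InputStream trustStore, char[] password,
                                         String host, int port) {
        try {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(trustStore, password);
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            return configure(ctx, host, port);
        } catch (GeneralSecurityException | IOException e) {
            throw new RuntimeException("Could not create SSLEngine", e);
        }
    }

    private static SSLEngine configure(SSLContext ctx, String host, int port) {
        // host/port let the JDK send the host name as SNI in the ClientHello,
        // so the server can pick the matching certificate instead of the
        // "No SNI provided; please fix your client." placeholder in the log.
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);

        SSLParameters params = engine.getSSLParameters();
        // State the SNI name explicitly rather than relying on the peerHost heuristic.
        params.setServerNames(Collections.singletonList(new SNIHostName(host)));
        // SSLEngine does not check that the certificate's name matches the host
        // unless told to; without this, any certificate chaining to a trusted CA
        // would be accepted regardless of which site it was issued for.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) {
        // Builds an engine only; driving the handshake over a channel is up to the caller.
        SSLEngine engine = forPublicSite("example.com", 443);
        System.out.println("peer host: " + engine.getPeerHost()
                + ", client mode: " + engine.getUseClientMode());
    }
}
```

forPublicSite is what the original question is really after: the JDK ships the same public root CAs a browser uses, so a plain SSLContext with null trust managers connects to public sites without touching a keystore. forPrivateCa keeps the keystore approach from the question for servers whose CA is not in cacerts. Calling setEndpointIdentificationAlgorithm("HTTPS") is the part most often forgotten with a raw SSLEngine: HttpsURLConnection does hostname verification for you, but SSLEngine and SSLSocket do not.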