javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
Asked Answered
B

1

7

I have to connect to a server via SSL dual authentication. I have added my own private key plus certificate to a keystore.jks and the self signed certificate of the server to a truststore.jks, both files are copied to /usr/share/tomcat7. The socket factory used by my code is delivered by the following provider:

@Singleton
public static class SecureSSLSocketFactoryProvider implements Provider<SSLSocketFactory> {
    private SSLSocketFactory sslSocketFactory;

    public SecureSSLSocketFactoryProvider() throws RuntimeException {
        try {
            final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            final InputStream trustStoreFile = new FileInputStream("/usr/share/tomcat7/truststore.jks");
            trustStore.load(trustStoreFile, "changeit".toCharArray());
            final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);

            final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            final InputStream keyStoreFile = new FileInputStream("/usr/share/tomcat7/keystore.jks");
            keyStore.load(keyStoreFile, "changeit".toCharArray());
            final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(keyStore, "changeit".toCharArray());

            final SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

            this.sslSocketFactory = sslContext.getSocketFactory();

        } catch (final KeyStoreException e) {
            Log.error("Key store exception: {}", e.getMessage(), e);
        } catch (final CertificateException e) {
            Log.error("Certificate exception: {}", e.getMessage(), e);
        } catch (final UnrecoverableKeyException e) {
            Log.error("Unrecoverable key exception: {}", e.getMessage(), e);
        } catch (final NoSuchAlgorithmException e) {
            Log.error("No such algorithm exception: {}", e.getMessage(), e);
        } catch (final KeyManagementException e) {
            Log.error("Key management exception: {}", e.getMessage(), e);
        } catch (final IOException e) {
            Log.error("IO exception: {}", e.getMessage(), e);
        }
    }

    @Override
    public SSLSocketFactory get() {
        return sslSocketFactory;
    }
}

When I try to connect to an endpoint on the server I get the following exception though:

javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.7.0_45]
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) ~[na:1.7.0_45]
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959) ~[na:1.7.0_45]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077) ~[na:1.7.0_45]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) ~[na:1.7.0_45]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339) ~[na:1.7.0_45]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323) ~[na:1.7.0_45]
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) ~[na:1.7.0_45]
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[na:1.7.0_45]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) ~[na:1.7.0_45]

Any idea what I have missed here?

Birthmark answered 10/3, 2015 at 7:52 Comment(4)
Did you solve this ? How did you make the server trust you , even though it is self signed. ...?Carmacarmack
@Carmacarmack I am also wondering what the tangible solution was to this problem (xkcd.com/979).Constituent
I was able to solve it by adding useSSL=false to the connection stringNumbers
@Numbers should not be THE solution. That is a security flaw.Arrowood
C
23

If you get an alert unknown_ca back from the server, then the server did not like the certificate you've send as the client certificate, because it is not signed by a CA which is trusted by the server for client certificates.

Canada answered 10/3, 2015 at 9:58 Comment(3)
@Steffen Ullrich if the server it not liking this self signed certificate, how to make it a trusted CA ?Carmacarmack
This can also happen if the client certificate has expired and the server (correctly!) checks for validity of the client certificate.Dazzle
how can I print which CA is this (the one considered as unknown)?Monkeypot

© 2022 - 2024 — McMap. All rights reserved.