Message-Id: <199909012046.NAA19443@shorter.eng.sun.com>
Date: Wed, 1 Sep 1999 13:45:08 -0700 (PDT)
From: Jeff Nisewanger <Jeff.Nisewanger@eng.sun.com>
Subject: Re: JSSE Question
To: java-security@Sun.COM, CRAIG.A.KING@saic.com
> Trying to get the client program to use HTTPS has been difficult.
>
> The client reports a "javax.net.ssl.SSLException: untrusted server cert
> chain" error which I cannot seem to fix.
>
> I have set up a java.policy file for the client that includes the path to
> the keystore file, and the appropriate permissions required by the security
> manager.
> Note: without the correct permission (basically all) the following error is
> reported:
> java.lang.NoClassDefFoundError
> com.sun.net.ssl.internal.www.https.HttpsClient
The NoClassDefFoundError is because the EA1 release https
handler support is dependent on Sun JVM internal classes under the
sun.* Java package hierarchy and access to these classes requires a
security permission if you are running with a security manager. The
dependency will be removed before the final 1.0 release.
>
> Anyway, to make a short question long... What do I need to do on the client,
> when using https, to get it to talk with my server? I can do it with
> straight sockets (loading the keystore file in the code), but cannot do it
> using a URL created with https.
The https handler finds its default list of trusted
CA certificates from the jre/lib/security/cacerts file. You can view
or edit this using the keytool utility command from Java 2. Since
you are getting the "untrusted" exception this implies that your server
certificate was not a standard certificate issued by one of the
well-known CA root certificates listed in the cacerts file (VeriSign).
Configuration of the https handler should be a little more
flexible in the next EA release. In the meantime, you may be able to
use keytool to add additional trusted certificates to your cacerts
file.
Jeff
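Added example, not code from the thread or from the JSSE release it discusses: a client that takes its trust anchors from an explicit keystore instead of the JRE's jre/lib/security/cacerts, which is the other way to resolve an "untrusted server cert chain" failure without editing the shared cacerts file. It uses the standard javax.net.ssl API (TrustManagerFactory, SSLContext, HttpsURLConnection) rather than the EA1 com.sun.net.ssl classes above. The trust store path, its password, the keytool alias and the server URL are placeholders; the trust store is assumed to have been built beforehand with something like keytool -importcert -alias myca -file ca.pem -keystore truststore.jks, where ca.pem is the certificate of the CA that issued the server certificate.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Example client (hypothetical, not from the mailing-list thread) that trusts
 * only the certificates in an explicit keystore. Assumed placeholders:
 * TRUST_STORE_PATH / TRUST_STORE_PASSWORD / SERVER_URL.
 */
public class TrustStoreHttpsClient {

    static final String TRUST_STORE_PATH = "truststore.jks";              // placeholder path
    static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();  // placeholder password
    static final String SERVER_URL = "https://localhost:8443/";           // placeholder URL

    /** Build an SSLContext whose trust anchors come only from the given keystore. */
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        // Print the anchors so it is obvious which issuers this client accepts;
        // an "untrusted server cert chain" error means the server's chain ends
        // in none of them.
        for (String alias : Collections.list(ts.aliases())) {
            if (ts.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ts.getCertificate(alias);
                System.out.println("trust anchor " + alias + ": " + c.getSubjectX500Principal());
            }
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No client key material (null KeyManagers), default SecureRandom.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFromTrustStore(TRUST_STORE_PATH, TRUST_STORE_PASSWORD);
        URL url = new URL(SERVER_URL);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Set the factory on this connection only; setDefaultSSLSocketFactory
        // would change every HttpsURLConnection in the JVM.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            System.out.println("HTTP " + conn.getResponseCode());
            System.out.println("peer: " + conn.getPeerPrincipal());
        } catch (SSLHandshakeException e) {
            // Same failure class as the "untrusted server cert chain" in the thread:
            // the server presented a chain that does not lead to one of our anchors.
            System.err.println("handshake failed, server chain not trusted: " + e.getMessage());
        }
    }
}
```

The same effect can be had without code by starting the JVM with -Djavax.net.ssl.trustStore=truststore.jks and -Djavax.net.ssl.trustStorePassword=changeit, which replaces cacerts as the default trust store for the whole process; the in-code version above is preferable when only one connection should trust a private CA, because adding that CA to the shared cacerts makes every HTTPS client on the machine trust it.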