
"Extensions not allowed in v2 certificate"

 
S Ramakrishnan
Greenhorn
Posts: 1
I am opening an HTTPS URLConnection with self-signed certificates. I am using a loose trust manager in my SSL context that accepts whatever certificate the server returns. Yet an attempt to read off the input stream of the URLConnection yields the following exception:
java.io.IOException: Extensions not allowed in v2 certificate
at com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateMsg.<init>(DashoA6275)

Is there any way I can ask my Java SSL Client to ignore the extensions in the server certificate? If not, is there any other way to have my client code accept the certificate?
Thanks,
Rk
 
Peter den Haan
author
Ranch Hand
Posts: 3252
This is perfectly good behaviour: the certificates you use simply aren't valid. Corrupt. Wrong.
An X.509 certificate contains a version number field. There are three versions:
  • The original X.509 format from 1988;
  • The v2 format (1993) which added two fields to the original X.509 format;
  • The v3 format from 1996, which provides for extension fields indicating such things as certificate usage restrictions etc.

Your certificates apparently contain extensions conforming to v3 of the specification, but their version number field indicates they're v2. The only thing a decent certificate parser can do is reject them. The RFC is quite unequivocal about it:
The solution, I think, is to look at the way you generate certificates. What software do you use?
- Peter
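
The mismatch described in the answer above can be confirmed by reading the version field and looking for the extensions block in the certificate's DER encoding. The following is an added example, not code from either poster; the function names are hypothetical and the sample certificates are constructed skeletons with empty fields and no real key or signature.

```python
def tlv(tag, content=b""):
    """Encode one DER element; used only to build the constructed samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        size = length & 0x7F
        if size == 0 or size > 4 or pos + size > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def inspect_certificate(der):
    """Return (version, has_extensions, consistent) for a DER certificate."""
    tag, start, _ = read_tlv(der, 0)              # Certificate ::= SEQUENCE
    tbs_tag, pos, tbs_end = read_tlv(der, start)  # TBSCertificate ::= SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER certificate")
    version, has_extensions = 1, False            # version [0] absent means v1
    while pos < tbs_end:
        tag, value_start, value_end = read_tlv(der, pos)
        if tag == 0xA0:                           # [0] EXPLICIT INTEGER: 0=v1, 1=v2, 2=v3
            _, s, e = read_tlv(der, value_start)
            version = int.from_bytes(der[s:e], "big") + 1
        elif tag == 0xA3:                         # [3] EXPLICIT extensions, v3 only
            has_extensions = True
        pos = value_end
    return version, has_extensions, (version == 3 or not has_extensions)

def sample_cert(version_value, with_extensions):
    """Constructed skeleton: correct tags and order, empty bodies, no real key."""
    tbs = tlv(0xA0, tlv(0x02, bytes([version_value])))   # version
    tbs += tlv(0x02, b"\x01") + tlv(0x30) * 5             # serial, then 5 empty SEQUENCEs
    if with_extensions:
        tbs += tlv(0xA3, tlv(0x30))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30) + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for label, cert in [("v2 field + extensions", sample_cert(1, True)),
                        ("v3 field + extensions", sample_cert(2, True))]:
        print(label, inspect_certificate(cert))
```

To check a real PEM file, convert it to DER first with `ssl.PEM_cert_to_DER_cert` from the Python standard library and pass the result to `inspect_certificate`.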
     