Java SSL client without installing certificate  RSS feed

 
Greenhorn
Posts: 2
Hi all,

I had to create a Java SSL client. I did it by following the following tutorial:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/samples/sockets/client/SSLSocketClient.java

When I tried to run the program there was an exception saying that there was no certificate found (I cannot remember exactly the exception).
I solved this by installing the certificate into cacerts file and everything worked fine.
Note: This certificate is self-signed and is not validated by any CA.

However, the clients to whom this software will be distributed should not have to do this.

How can I create an SSL/TLS Java client w/o installing the untrusted certificate?

If some more clarification is needed, do not hesitate to ask.

Thanks in advance!
 
Saloon Keeper
Posts: 9707
Welcome to CodeRanch!

Your server needs to have a valid SSL certificate installed that is issued by a CA that the client trusts.

There's no way around this.
 
Bartender
Posts: 20310
If you have a self-signed certificate, any properly secure client is going to inform you before you attempt to connect to that server via SSL. It would be a major security vulnerability not to.

Many clients do have the ability to add a confirmation to accept the cert and proceed, which is done via a pop-up dialog and/or a command-line switch. The point is that the end user should be aware of, and consciously agree to, talking to a server whose authenticity and trustworthiness cannot be independently proven.

If that is not suitable, get a signed cert. You can get them free from letsencrypt, although those have to be renewed every 90 days - an expired cert also causes the client to question the user. There are additionally some fairly inexpensive cert authorities for longer-term certs and if you want extra bells and whistles, the big name certifiers add additional trustworthiness features that clients will often display as medallions next to the navigation control to assure users of the server's bona fides.
 
Djordje Cvetkovic
Greenhorn
Posts: 2
Hi again...

I just wanted to share my findings with you. Maybe someone will find this useful.

At the moment of writing this, I can say with 99% certainty that what I wanted in the first place IS possible. I implemented it and in localhost (both server and the client) everything works. The 1% left is because I still need to test my solution with Wireshark to see that the communication is actually SSL/TLS encrypted.
I will update once these tests are done.

First of all, big thanks to this article. It helped me achieve what I wanted, even though it is HTTPS related. My client is a TCP client implementing custom protocol.

All imports are from javax.net.ssl package.

Anyway... here is the client code:

Somewhere in the client initialization class:

MyHandshakeCompletedListener:

If you have any questions feel free to ask
 
Tim Holloway
Bartender
Posts: 20310
Eek.

If I read that properly, your solution to the cert not being trusted was to trust everything.

So I could inject a DNS hijack into the path of clients, cause it to poll my trojan server with my trojan cert and proceed to pOwn them.

It isn't just a case of not having a cert authorization chain for your self-signed cert that makes it untrusted. A self-signed cert is, by definition, untrusted.

You can probably get just as good effect without the special code with an option on your SSL client class.

All in all, you're better off just getting a properly-signed cert. Unless you really enjoy showing up on the Internet's Exploit of the Week roster.
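What the thread warns against is replacing the trust manager with one that accepts every certificate. As an added example (not code from any poster in this thread), here is the safer way to do what the first post asked for: ship the server's self-signed certificate with the client, build an SSLContext whose trust store contains only that certificate, and keep hostname verification on, so the default cacerts file is never touched and a redirected connection to some other server still fails the handshake. The PEM file path, host and port are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTlsClient {

    // Build an SSLContext that trusts exactly one certificate: the server's
    // self-signed cert bundled with the client (the PEM path is an assumption).
    static SSLContext contextTrustingOnly(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate serverCert;
        try (InputStream in = new FileInputStream(pemPath)) {
            serverCert = (X509Certificate) cf.generateCertificate(in);
        }
        // In-memory trust store holding only that certificate; cacerts is untouched.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("pinned-server", serverCert);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";               // assumed
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;       // assumed
        SSLSocketFactory factory = contextTrustingOnly("server-cert.pem").getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Also check that the certificate's name matches the host we dialled,
            // so a DNS hijack to a different server fails the handshake.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake(); // throws SSLHandshakeException on any mismatch
            System.out.println("Handshake OK with " + socket.getSession().getPeerPrincipal());
        }
    }
}
```

For the hostname check to pass, the self-signed certificate must carry the host name (or IP) the client connects to in its Subject Alternative Name; rotating the certificate means shipping a new PEM with the client.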
 