From: "Casey Marshall" <casey.s.marshall@gmail.com>
To: "Jary Grove" <jarygrove@yahoo.com>
Cc: java@gcc.gnu.org
Subject: Re: JESSIE - SSL BAD_CERTIFICATE Exception
Date: Mon, 20 Oct 2008 20:03:00 -0000
Message-ID: <20024fdf0810201302g6ee34330q4a7ad6f476ab2ac0@mail.gmail.com>
In-Reply-To: <611102.96310.qm@web110006.mail.gq1.yahoo.com>
On Sat, Oct 18, 2008 at 2:17 PM, Jary Grove <jarygrove@yahoo.com> wrote:
> I am getting the BAD CERTIFICATE exception with jessie, any idea? I am using the latest build.
>
> Following is the exception log:
>
>
> SSL HANDSHAKE output to {0}; state:{1}; outBuffer:{2} java.nio.ByteBufferImpl[pos=5 lim=18432 cap=18
> 432] WRITE_CLIENT_HELLO null
> SSL HANDSHAKE loop state={0} WRITE_CLIENT_HELLO
> SSL HANDSHAKE {0} struct {
> version: TLSv1.1;
> random:
> struct {
> gmt_unix_time: 1224363825;
> random_bytes: 9a:15:99:6d:25:e3:04:7c:ff:3a:12:e1:ff:19:b1:f6:61:07:a3:2e:57:cc:aa:db:dd:47:82:
> f5;
> } Random; sessionId: ;
> cipher_suites:
> [30] {
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_DH_DSS_WITH_AES_256_CBC_SHA,
> TLS_DH_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DH_DSS_WITH_AES_128_CBC_SHA,
> TLS_DH_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,
> TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_RSA_WITH_RC4_128_MD5,
> TLS_RSA_WITH_RC4_128_SHA,
> TLS_DHE_DSS_WITH_DES_CBC_SHA,
> TLS_DHE_RSA_WITH_DES_CBC_SHA,
> TLS_DH_DSS_WITH_DES_CBC_SHA,
> TLS_DH_RSA_WITH_DES_CBC_SHA,
> TLS_RSA_WITH_DES_CBC_SHA,
> TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
> TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
> TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
> TLS_RSA_EXPORT_WITH_RC4_40_MD5,
> TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
> TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
> TLS_RSA_WITH_NULL_MD5,
> TLS_RSA_WITH_NULL_SHA
> };
> compression_methods:
> [1] {
> NULL
> };
> extensions: ExtensionList {
> length = 2;
> };
> } ClientHello;
> SSL HANDSHAKE processing in state {0}:
> {1} READ_SERVER_HELLO struct {
> type: SERVER_HELLO;
> struct {
> version: TLSv1;
> random:
> struct {
> gmt_unix_time: 1224363827;
> random_bytes: 9a:a2:ee:0f:d6:e5:22:22:8d:66:f0:f6:57:c1:a6:60:7e:a1:01:25:df:7e:05:2e:08:1c:c
> 6:de;
> } Random;
> sessionId: e1:07:00:00:36:0f:05:21:64:d7:f4:e2:7c:7d:6d:b4:6c:50:7a:9d:26:99:03:e0:bc:23
> :f9:db:df:09:61:8a;
> cipherSuite: TLS_RSA_WITH_RC4_128_MD5;
> compressionMethod: NULL;
> extensions:
> (nil)
> } ServerHello;
> } Handshake;
> SSL HANDSHAKE processing in state {0}:
> {1} READ_CERTIFICATE struct {
> type: CERTIFICATE;
> struct {
> java.security.cert.CertificateException: malformed GeneralName: Tag class is 0;
> } Certificate;
> } Handshake;
This part looks relevant. It's possible that the X.509 parser in
classpath/gcj isn't able to properly parse your certificate. In this
case, it's failing to parse the GeneralName extension.
I don't remember the details of ASN.1, DER, and this certificate
extension, but it's possible this extension blob in your certificate
isn't correct.
One thing that may help this is to change the certificate parser to
just ignore extensions that it can't parse, leaving them as blobs of
bytes, unless someone wants to use that extension. X.509 and interop
is a bag of pain; adding hacks and special cases to handle
not-quite-correct certificates is something everyone ends up doing.
Anyway, I'll call this a bug in our certificate parser.
Thanks.
> gnu.javax.net.ssl.provider.AlertException: BAD_CERTIFICATE: locally generated; FATAL
> SSL HANDSHAKE output to {0}; state:{1}; outBuffer:{2} java.nio.ByteBufferImpl[pos=5 lim=18432 cap=18
> 432] WRITE_CLIENT_HELLO null
> SSL HANDSHAKE loop state={0} WRITE_CLIENT_HELLO
> SSL HANDSHAKE {0} struct {
> version: TLSv1.1;
> random:
> struct {
> gmt_unix_time: 1224363826;
> random_bytes: 84:d5:62:3a:00:a9:d5:c9:3c:fe:13:05:6d:04:10:9e:0e:5b:ae:b7:72:37:b4:ef:f8:56:7d:
> 79;
> } Random; sessionId: ;
> cipher_suites:
> [30] {
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_DH_DSS_WITH_AES_256_CBC_SHA,
> TLS_DH_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DH_DSS_WITH_AES_128_CBC_SHA,
> TLS_DH_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,
> TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_RSA_WITH_RC4_128_MD5,
> TLS_RSA_WITH_RC4_128_SHA,
> TLS_DHE_DSS_WITH_DES_CBC_SHA,
> TLS_DHE_RSA_WITH_DES_CBC_SHA,
> TLS_DH_DSS_WITH_DES_CBC_SHA,
> TLS_DH_RSA_WITH_DES_CBC_SHA,
> TLS_RSA_WITH_DES_CBC_SHA,
> TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
> TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
> TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
> TLS_RSA_EXPORT_WITH_RC4_40_MD5,
> TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
> TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
> TLS_RSA_WITH_NULL_MD5,
> TLS_RSA_WITH_NULL_SHA
> };
> compression_methods:
> [1] {
> NULL
> };
> extensions: ExtensionList {
> length = 2;
> };
> } ClientHello;
> SSL HANDSHAKE processing in state {0}:
> {1} READ_SERVER_HELLO struct {
> type: SERVER_HELLO;
> struct {
> version: TLSv1;
> random:
> struct {
> gmt_unix_time: 1224363827;
> random_bytes: 36:f4:51:d4:92:23:79:ac:41:86:d2:ec:29:c8:3b:e8:58:78:72:4e:42:48:0b:27:97:df:5
> 9:b0;
> } Random;
> sessionId: d8:03:00:00:cf:90:b3:93:8c:9d:e6:ca:b1:7a:f1:cf:6f:4f:1f:20:ab:86:c8:d9:ff:61
> :c4:a4:2d:68:b4:0d;
> cipherSuite: TLS_RSA_WITH_RC4_128_MD5;
> compressionMethod: NULL;
> extensions:
> (nil)
> } ServerHello;
> } Handshake;
> SSL HANDSHAKE processing in state {0}:
> {1} READ_CERTIFICATE struct {
> type: CERTIFICATE;
> struct {
> java.security.cert.CertificateException: malformed GeneralName: Tag class is 0;
> } Certificate;
> } Handshake;
>
>
>
> Thanks
> Jary
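As an added illustration of the tolerant parsing Casey suggests (example code, not GNU Classpath or jessie's own parser): a minimal DER reader for an X.509 GeneralNames SEQUENCE that, in tolerant mode, keeps an entry whose tag class is not context-specific as raw bytes instead of aborting the handshake, and in strict mode fails the way the log does. The sample input is constructed; the function and constant names are the example's own.

```python
# Added example, not GNU Classpath/jessie code: a minimal DER reader for the
# X.509 GeneralNames SEQUENCE (RFC 5280, 4.2.1.6) used by subjectAltName.
# Each GeneralName is a CHOICE tagged context-specific [0]..[8]; an entry
# whose tag class is UNIVERSAL (class 0) is malformed, the condition the
# jessie log reports. Tolerant mode keeps such entries as raw bytes.
TAG_CLASS_MASK = 0xC0
CONTEXT_SPECIFIC = 0x80
SEQUENCE = 0x30
GENERAL_NAME_TYPES = {1: "rfc822Name", 2: "dNSName",
                      6: "uniformResourceIdentifier", 7: "iPAddress"}

def read_tlv(buf, pos):
    """Return (tag, value, end) for the DER TLV that starts at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end

def parse_general_names(der, strict=False):
    """Parse GeneralNames; strict=True fails like the log, else keep blobs."""
    tag, body, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("GeneralNames must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        start = pos
        tag, value, pos = read_tlv(body, pos)
        if (tag & TAG_CLASS_MASK) != CONTEXT_SPECIFIC:
            if strict:
                raise ValueError("malformed GeneralName: Tag class is %d"
                                 % (tag >> 6))
            names.append(("unparsed", body[start:pos]))  # keep the raw TLV
            continue
        num = tag & 0x1F
        kind = GENERAL_NAME_TYPES.get(num, "other[%d]" % num)
        # rfc822Name, dNSName and URI are IA5String; the rest stay as bytes
        names.append((kind, value.decode("ascii") if num in (1, 2, 6) else value))
    return names

# Constructed sample: a correct dNSName "a.example" followed by an entry
# mis-encoded with the UNIVERSAL IA5String tag 0x16 instead of [2] (0x82).
SAMPLE = (bytes([SEQUENCE, 22, 0x82, 9]) + b"a.example"
          + bytes([0x16, 9]) + b"b.example")
```

The "unparsed" tuple preserves the original TLV bytes, so a caller that actually needs that name can still inspect it while the rest of the certificate is usable.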
Thread overview: 7+ messages
2008-10-18 21:17 Jary Grove
2008-10-20 20:03 ` Casey Marshall [this message]
2008-10-20 22:09 Jary Grove
2008-10-20 22:44 ` Casey Marshall
2008-10-21 14:17 Jary Grove
2008-10-21 17:14 ` Casey Marshall
2008-12-08 15:46 ` Jary Grove