public inbox for java@gcc.gnu.org
* Re: JESSIE - SSL BAD_CERTIFICATE Exception
@ 2008-10-21 14:17 Jary Grove
  2008-10-21 17:14 ` Casey Marshall
  0 siblings, 1 reply; 7+ messages in thread
From: Jary Grove @ 2008-10-21 14:17 UTC (permalink / raw)
  To: Casey Marshall; +Cc: java

Sorry, I was not very clear in my request. 

I have extracted out the Jessie code from the classpath and am compiling it as a separate project.
If you tell me which class to modify to ignore this error, it will be very helpful (at least it will keep me going until this bug is permanently fixed).

Thanks

 


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: JESSIE - SSL BAD_CERTIFICATE Exception
  2008-10-21 14:17 JESSIE - SSL BAD_CERTIFICATE Exception Jary Grove
@ 2008-10-21 17:14 ` Casey Marshall
  2008-12-08 15:46   ` Jary Grove
  0 siblings, 1 reply; 7+ messages in thread
From: Casey Marshall @ 2008-10-21 17:14 UTC (permalink / raw)
  To: Jary Grove; +Cc: java

On Oct 21, 2008, at 7:16 AM, Jary Grove wrote:

> Sorry, I was not very clear in my request.
>
> I have extracted out the Jessie code from the classpath and
> am compiling it as a separate project.
> If you tell me which class to modify to ignore this error, it will
> be very helpful (at least it will keep me going until this bug is
> permanently fixed).
>

No, I understood that. I'm saying that the bug likely isn't even in
the Jessie code, but in the generic certificate support, in the
gnu.java.security.x509 package. My guess is that the parser is
throwing an exception, and Jessie can't set up a connection if there is
no certificate.

If you've extracted that code, too, then you have a chance of fixing  
or working around this issue. If it is a bug, it's in the class  
gnu.java.security.x509.ext.GeneralName.

But, I was also saying that you can plug in a different certificate
parser, and Jessie will use that one.

If you can send me the certificate it's choking on, I might be able to  
figure out more precisely what the issue is.

Thanks.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: JESSIE - SSL BAD_CERTIFICATE Exception
  2008-10-21 17:14 ` Casey Marshall
@ 2008-12-08 15:46   ` Jary Grove
  0 siblings, 0 replies; 7+ messages in thread
From: Jary Grove @ 2008-12-08 15:46 UTC (permalink / raw)
  To: java

The problem seems to be with the Active Directory Test Certificate that comes with Windows 2003.
I purchased a domain certificate and there is no problem with it.

I will try to plug in Bouncy Castle and test with it.

Thanks




^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: JESSIE - SSL BAD_CERTIFICATE Exception
  2008-10-20 22:09 Jary Grove
@ 2008-10-20 22:44 ` Casey Marshall
  0 siblings, 0 replies; 7+ messages in thread
From: Casey Marshall @ 2008-10-20 22:44 UTC (permalink / raw)
  To: Jary Grove; +Cc: java

On Mon, Oct 20, 2008 at 3:08 PM, Jary Grove <jarygrove@yahoo.com> wrote:
> Any quick fix?
> I am compiling Jessie from the source and will be able to plug in the changes easily, if you can give me some pointers on how to ignore this error.
>

This is actually a problem in the certificate parser, which is a part
of classpath/libgcj itself. You can plug in a different implementation
of this, via the standard security provider APIs.

Bouncycastle likely has an implementation which isn't as buggy as the
classpath one.

^ permalink raw reply	[flat|nested] 7+ messages in thread
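
Added example, not part of the thread: the provider swap described in the message above, using the standard java.security.Security API with Bouncy Castle's bcprov and bcpkix jars on the class path. The class name, the throwaway certificate and the host name dc1.example.test are constructed for illustration, and it assumes the TLS code requests "X.509" without naming a provider.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class PreferBcCertificateFactory {

    /** Constructed sample input: a throwaway self-signed certificate with one dNSName. */
    static byte[] sampleCertificate() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X500Name name = new X500Name("CN=dc1.example.test");
        long now = System.currentTimeMillis();
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                name, BigInteger.ONE, new Date(now - 60_000L), new Date(now + 86_400_000L),
                name, kp.getPublic());
        b.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.dNSName, "dc1.example.test")));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        return b.build(signer).getEncoded();
    }

    /** Name of the provider that serves a plain getInstance("X.509") lookup right now. */
    static String defaultX509Provider() throws Exception {
        return CertificateFactory.getInstance("X.509").getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        byte[] der = sampleCertificate();
        System.out.println("before: X.509 served by " + defaultX509Provider());

        // Position 1 is the highest preference, so code that asks for "X.509" without
        // naming a provider now gets Bouncy Castle's parser. This reorders lookups for
        // every algorithm in the JVM, not only certificates.
        Security.insertProviderAt(new BouncyCastleProvider(), 1);
        System.out.println("after:  X.509 served by " + defaultX509Provider());

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert =
                (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
        System.out.println("subject:  " + cert.getSubjectX500Principal());
        System.out.println("altNames: " + cert.getSubjectAlternativeNames());

        // A caller can also pin the parser explicitly instead of relying on order.
        CertificateFactory pinned = CertificateFactory.getInstance("X.509", "BC");
        System.out.println("pinned:   " + pinned.getProvider().getName());
    }
}
```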

* Re: JESSIE - SSL BAD_CERTIFICATE Exception
@ 2008-10-20 22:09 Jary Grove
  2008-10-20 22:44 ` Casey Marshall
  0 siblings, 1 reply; 7+ messages in thread
From: Jary Grove @ 2008-10-20 22:09 UTC (permalink / raw)
  To: Casey Marshall; +Cc: java

Any quick fix? 
I am compiling Jessie from the source and will be able to plug in the changes easily, if you can give me some pointers on how to ignore this error. 

Thanks
Jary



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: JESSIE - SSL BAD_CERTIFICATE Exception
  2008-10-18 21:17 Jary Grove
@ 2008-10-20 20:03 ` Casey Marshall
  0 siblings, 0 replies; 7+ messages in thread
From: Casey Marshall @ 2008-10-20 20:03 UTC (permalink / raw)
  To: Jary Grove; +Cc: java

On Sat, Oct 18, 2008 at 2:17 PM, Jary Grove <jarygrove@yahoo.com> wrote:
> I am getting the BAD CERTIFICATE exception with jessie, any idea? I am using the latest build.
>
> Following is the exception log:
>
>
> SSL HANDSHAKE output to {0}; state:{1}; outBuffer:{2} java.nio.ByteBufferImpl[pos=5 lim=18432 cap=18
> 432] WRITE_CLIENT_HELLO null
> SSL HANDSHAKE loop state={0} WRITE_CLIENT_HELLO
> SSL HANDSHAKE {0} struct {
>   version: TLSv1.1;
>   random:
>   struct {
>     gmt_unix_time: 1224363825;
>     random_bytes:  9a:15:99:6d:25:e3:04:7c:ff:3a:12:e1:ff:19:b1:f6:61:07:a3:2e:57:cc:aa:db:dd:47:82:
> f5;
>   } Random;  sessionId: ;
>   cipher_suites:
>   [30] {
>     TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
>     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
>     TLS_DH_DSS_WITH_AES_256_CBC_SHA,
>     TLS_DH_RSA_WITH_AES_256_CBC_SHA,
>     TLS_RSA_WITH_AES_256_CBC_SHA,
>     TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
>     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>     TLS_DH_DSS_WITH_AES_128_CBC_SHA,
>     TLS_DH_RSA_WITH_AES_128_CBC_SHA,
>     TLS_RSA_WITH_AES_128_CBC_SHA,
>     TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
>     TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
>     TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,
>     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,
>     TLS_RSA_WITH_3DES_EDE_CBC_SHA,
>     TLS_RSA_WITH_RC4_128_MD5,
>     TLS_RSA_WITH_RC4_128_SHA,
>     TLS_DHE_DSS_WITH_DES_CBC_SHA,
>     TLS_DHE_RSA_WITH_DES_CBC_SHA,
>     TLS_DH_DSS_WITH_DES_CBC_SHA,
>     TLS_DH_RSA_WITH_DES_CBC_SHA,
>     TLS_RSA_WITH_DES_CBC_SHA,
>     TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
>     TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
>     TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
>     TLS_RSA_EXPORT_WITH_RC4_40_MD5,
>     TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
>     TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
>     TLS_RSA_WITH_NULL_MD5,
>     TLS_RSA_WITH_NULL_SHA
>   };
>   compression_methods:
>   [1] {
>     NULL
>   };
>   extensions:     ExtensionList {
>       length = 2;
>     };
> } ClientHello;
> SSL HANDSHAKE processing in state {0}:
> {1} READ_SERVER_HELLO struct {
>   type: SERVER_HELLO;
>   struct {
>     version: TLSv1;
>     random:
>     struct {
>       gmt_unix_time: 1224363827;
>       random_bytes:  9a:a2:ee:0f:d6:e5:22:22:8d:66:f0:f6:57:c1:a6:60:7e:a1:01:25:df:7e:05:2e:08:1c:c
> 6:de;
>     } Random;
>     sessionId:         e1:07:00:00:36:0f:05:21:64:d7:f4:e2:7c:7d:6d:b4:6c:50:7a:9d:26:99:03:e0:bc:23
> :f9:db:df:09:61:8a;
>     cipherSuite:       TLS_RSA_WITH_RC4_128_MD5;
>     compressionMethod: NULL;
>     extensions:
>       (nil)
>   } ServerHello;
> } Handshake;
> SSL HANDSHAKE processing in state {0}:
> {1} READ_CERTIFICATE struct {
>   type: CERTIFICATE;
>   struct {
>     java.security.cert.CertificateException: malformed GeneralName: Tag class is 0;
> } Certificate;
> } Handshake;

This part looks relevant. It's possible that the X.509 parser in
classpath/gcj isn't able to properly parse your certificate. In this
case, it's failing to parse the GeneralName extension.

I don't remember the details of ASN.1, DER, and this certificate
extension, but it's possible this extension blob in your certificate
isn't correct.

One thing that may help this is to change the certificate parser to
just ignore extensions that it can't parse, leaving them as blobs of
bytes, unless someone wants to use that extension. X.509 and interop
is a bag of pain; adding hacks and special cases to handle
not-quite-correct certificates is something everyone ends up doing.

Anyway, I'll call this a bug in our certificate parser.

Thanks.

> gnu.javax.net.ssl.provider.AlertException: BAD_CERTIFICATE: locally generated; FATAL
> SSL HANDSHAKE output to {0}; state:{1}; outBuffer:{2} java.nio.ByteBufferImpl[pos=5 lim=18432 cap=18
> 432] WRITE_CLIENT_HELLO null
> SSL HANDSHAKE loop state={0} WRITE_CLIENT_HELLO
> SSL HANDSHAKE {0} struct {
>   version: TLSv1.1;
>   random:
>   struct {
>     gmt_unix_time: 1224363826;
>     random_bytes:  84:d5:62:3a:00:a9:d5:c9:3c:fe:13:05:6d:04:10:9e:0e:5b:ae:b7:72:37:b4:ef:f8:56:7d:
> 79;
>   } Random;  sessionId: ;
>   cipher_suites:
>   [30] {
>     TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
>     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
>     TLS_DH_DSS_WITH_AES_256_CBC_SHA,
>     TLS_DH_RSA_WITH_AES_256_CBC_SHA,
>     TLS_RSA_WITH_AES_256_CBC_SHA,
>     TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
>     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>     TLS_DH_DSS_WITH_AES_128_CBC_SHA,
>     TLS_DH_RSA_WITH_AES_128_CBC_SHA,
>     TLS_RSA_WITH_AES_128_CBC_SHA,
>     TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
>     TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
>     TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,
>     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,
>     TLS_RSA_WITH_3DES_EDE_CBC_SHA,
>     TLS_RSA_WITH_RC4_128_MD5,
>     TLS_RSA_WITH_RC4_128_SHA,
>     TLS_DHE_DSS_WITH_DES_CBC_SHA,
>     TLS_DHE_RSA_WITH_DES_CBC_SHA,
>     TLS_DH_DSS_WITH_DES_CBC_SHA,
>     TLS_DH_RSA_WITH_DES_CBC_SHA,
>     TLS_RSA_WITH_DES_CBC_SHA,
>     TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
>     TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
>     TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
>     TLS_RSA_EXPORT_WITH_RC4_40_MD5,
>     TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
>     TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
>     TLS_RSA_WITH_NULL_MD5,
>     TLS_RSA_WITH_NULL_SHA
>   };
>   compression_methods:
>   [1] {
>     NULL
>   };
>   extensions:     ExtensionList {
>       length = 2;
>     };
> } ClientHello;
> SSL HANDSHAKE processing in state {0}:
> {1} READ_SERVER_HELLO struct {
>   type: SERVER_HELLO;
>   struct {
>     version: TLSv1;
>     random:
>     struct {
>       gmt_unix_time: 1224363827;
>       random_bytes:  36:f4:51:d4:92:23:79:ac:41:86:d2:ec:29:c8:3b:e8:58:78:72:4e:42:48:0b:27:97:df:5
> 9:b0;
>     } Random;
>     sessionId:         d8:03:00:00:cf:90:b3:93:8c:9d:e6:ca:b1:7a:f1:cf:6f:4f:1f:20:ab:86:c8:d9:ff:61
> :c4:a4:2d:68:b4:0d;
>     cipherSuite:       TLS_RSA_WITH_RC4_128_MD5;
>     compressionMethod: NULL;
>     extensions:
>       (nil)
>   } ServerHello;
> } Handshake;
> SSL HANDSHAKE processing in state {0}:
> {1} READ_CERTIFICATE struct {
>   type: CERTIFICATE;
>   struct {
>     java.security.cert.CertificateException: malformed GeneralName: Tag class is 0;
> } Certificate;
> } Handshake;
>
>
>
> Thanks
> Jary
>
>

^ permalink raw reply	[flat|nested] 7+ messages in thread
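
Added example, not part of the thread and not GNU Classpath code: one way to leave an extension as raw bytes until a caller asks for it, as the message above suggests, shown for a subjectAltName value. The class LazyAltNames, its methods and the sample bytes are constructed for illustration; reading "Tag class is 0" as a universal tag found where a context-specific one was expected is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.List;

/** Added illustration: a subjectAltName value that is decoded only on demand. */
public class LazyAltNames {
    private final byte[] raw; // DER of GeneralNames, kept as an opaque blob

    public LazyAltNames(byte[] raw, boolean critical) throws CertificateException {
        this.raw = raw.clone();
        // RFC 5280: a critical extension that cannot be processed must reject the
        // certificate, so only non-critical values may stay undecoded.
        if (critical) names();
    }

    public byte[] getRaw() { return raw.clone(); }

    /** Decodes GeneralNames ::= SEQUENCE OF GeneralName; errors surface only here. */
    public List<String> names() throws CertificateException {
        if (raw.length < 2 || raw[0] != 0x30)
            throw new CertificateException("GeneralNames is not a SEQUENCE");
        int[] pos = {1};
        int seqLen = readLength(raw, pos);
        int end = pos[0] + seqLen;
        if (end != raw.length) throw new CertificateException("length mismatch");
        List<String> out = new ArrayList<>();
        while (pos[0] < end) {
            int tag = raw[pos[0]++] & 0xFF;
            int tagClass = tag >>> 6; // 0 universal, 1 application, 2 context, 3 private
            int number = tag & 0x1F;
            int len = readLength(raw, pos);
            if (len > end - pos[0]) throw new CertificateException("GeneralName overruns SEQUENCE");
            // Every GeneralName alternative is context-tagged [0]..[8]. The message text
            // is taken from the log; that this check produced it is an assumption.
            if (tagClass != 2)
                throw new CertificateException("malformed GeneralName: Tag class is " + tagClass);
            if (number > 8) throw new CertificateException("unknown GeneralName [" + number + "]");
            if (number == 1 || number == 2 || number == 6) // rfc822Name, dNSName, URI
                out.add("[" + number + "] " + new String(raw, pos[0], len, StandardCharsets.US_ASCII));
            else
                out.add("[" + number + "] " + len + " bytes");
            pos[0] += len;
        }
        return out;
    }

    private static int readLength(byte[] der, int[] pos) throws CertificateException {
        if (pos[0] >= der.length) throw new CertificateException("truncated length");
        int b = der[pos[0]++] & 0xFF;
        if (b < 0x80) return b;
        int n = b & 0x7F;
        if (n == 0 || n > 3 || n > der.length - pos[0]) throw new CertificateException("bad length");
        int len = 0;
        for (int i = 0; i < n; i++) len = (len << 8) | (der[pos[0]++] & 0xFF);
        return len;
    }

    /** Constructed sample: a one-element GeneralNames with the given tag byte (short values only). */
    static byte[] altNames(int tag, String value) {
        byte[] v = value.getBytes(StandardCharsets.US_ASCII);
        byte[] der = new byte[4 + v.length];
        der[0] = 0x30; der[1] = (byte) (2 + v.length);
        der[2] = (byte) tag; der[3] = (byte) v.length;
        System.arraycopy(v, 0, der, 4, v.length);
        return der;
    }

    public static void main(String[] args) throws Exception {
        byte[] good = altNames(0x82, "dc1.example.test"); // [2] dNSName
        byte[] bad = altNames(0x0C, "dc1.example.test");  // universal UTF8String: class 0
        System.out.println(new LazyAltNames(good, false).names());
        LazyAltNames kept = new LazyAltNames(bad, false);  // accepted, value stays a blob
        System.out.println("kept " + kept.getRaw().length + " raw bytes");
        try { kept.names(); }
        catch (CertificateException e) { System.out.println("on use: " + e.getMessage()); }
        try { new LazyAltNames(bad, true); }
        catch (CertificateException e) { System.out.println("critical: " + e.getMessage()); }
    }
}
```

Code that checks the peer's identity against alternative names has to call names() and treat the exception as a failed check; otherwise an undecodable value would silently skip that check.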

* JESSIE - SSL BAD_CERTIFICATE Exception
@ 2008-10-18 21:17 Jary Grove
  2008-10-20 20:03 ` Casey Marshall
  0 siblings, 1 reply; 7+ messages in thread
From: Jary Grove @ 2008-10-18 21:17 UTC (permalink / raw)
  To: java; +Cc: casey.s.marshall

I am getting the BAD CERTIFICATE exception with jessie, any idea? I am using the latest build. 

Following is the exception log:


SSL HANDSHAKE output to {0}; state:{1}; outBuffer:{2} java.nio.ByteBufferImpl[pos=5 lim=18432 cap=18
432] WRITE_CLIENT_HELLO null
SSL HANDSHAKE loop state={0} WRITE_CLIENT_HELLO
SSL HANDSHAKE {0} struct {
  version: TLSv1.1;
  random:
  struct {
    gmt_unix_time: 1224363825;
    random_bytes:  9a:15:99:6d:25:e3:04:7c:ff:3a:12:e1:ff:19:b1:f6:61:07:a3:2e:57:cc:aa:db:dd:47:82:
f5;
  } Random;  sessionId: ;
  cipher_suites:
  [30] {
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_DH_DSS_WITH_AES_256_CBC_SHA,
    TLS_DH_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_DH_DSS_WITH_AES_128_CBC_SHA,
    TLS_DH_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,
    TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_RSA_WITH_RC4_128_MD5,
    TLS_RSA_WITH_RC4_128_SHA,
    TLS_DHE_DSS_WITH_DES_CBC_SHA,
    TLS_DHE_RSA_WITH_DES_CBC_SHA,
    TLS_DH_DSS_WITH_DES_CBC_SHA,
    TLS_DH_RSA_WITH_DES_CBC_SHA,
    TLS_RSA_WITH_DES_CBC_SHA,
    TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
    TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
    TLS_RSA_EXPORT_WITH_RC4_40_MD5,
    TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
    TLS_RSA_WITH_NULL_MD5,
    TLS_RSA_WITH_NULL_SHA
  };
  compression_methods:
  [1] {
    NULL
  };
  extensions:     ExtensionList {
      length = 2;
    };
} ClientHello;
SSL HANDSHAKE processing in state {0}:
{1} READ_SERVER_HELLO struct {
  type: SERVER_HELLO;
  struct {
    version: TLSv1;
    random:
    struct {
      gmt_unix_time: 1224363827;
      random_bytes:  9a:a2:ee:0f:d6:e5:22:22:8d:66:f0:f6:57:c1:a6:60:7e:a1:01:25:df:7e:05:2e:08:1c:c
6:de;
    } Random;
    sessionId:         e1:07:00:00:36:0f:05:21:64:d7:f4:e2:7c:7d:6d:b4:6c:50:7a:9d:26:99:03:e0:bc:23
:f9:db:df:09:61:8a;
    cipherSuite:       TLS_RSA_WITH_RC4_128_MD5;
    compressionMethod: NULL;
    extensions:
      (nil)
  } ServerHello;
} Handshake;
SSL HANDSHAKE processing in state {0}:
{1} READ_CERTIFICATE struct {
  type: CERTIFICATE;
  struct {
    java.security.cert.CertificateException: malformed GeneralName: Tag class is 0;
} Certificate;
} Handshake;
gnu.javax.net.ssl.provider.AlertException: BAD_CERTIFICATE: locally generated; FATAL
SSL HANDSHAKE output to {0}; state:{1}; outBuffer:{2} java.nio.ByteBufferImpl[pos=5 lim=18432 cap=18
432] WRITE_CLIENT_HELLO null
SSL HANDSHAKE loop state={0} WRITE_CLIENT_HELLO
SSL HANDSHAKE {0} struct {
  version: TLSv1.1;
  random:
  struct {
    gmt_unix_time: 1224363826;
    random_bytes:  84:d5:62:3a:00:a9:d5:c9:3c:fe:13:05:6d:04:10:9e:0e:5b:ae:b7:72:37:b4:ef:f8:56:7d:
79;
  } Random;  sessionId: ;
  cipher_suites:
  [30] {
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_DH_DSS_WITH_AES_256_CBC_SHA,
    TLS_DH_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_DH_DSS_WITH_AES_128_CBC_SHA,
    TLS_DH_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,
    TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_RSA_WITH_RC4_128_MD5,
    TLS_RSA_WITH_RC4_128_SHA,
    TLS_DHE_DSS_WITH_DES_CBC_SHA,
    TLS_DHE_RSA_WITH_DES_CBC_SHA,
    TLS_DH_DSS_WITH_DES_CBC_SHA,
    TLS_DH_RSA_WITH_DES_CBC_SHA,
    TLS_RSA_WITH_DES_CBC_SHA,
    TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
    TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
    TLS_RSA_EXPORT_WITH_RC4_40_MD5,
    TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
    TLS_RSA_WITH_NULL_MD5,
    TLS_RSA_WITH_NULL_SHA
  };
  compression_methods:
  [1] {
    NULL
  };
  extensions:     ExtensionList {
      length = 2;
    };
} ClientHello;
SSL HANDSHAKE processing in state {0}:
{1} READ_SERVER_HELLO struct {
  type: SERVER_HELLO;
  struct {
    version: TLSv1;
    random:
    struct {
      gmt_unix_time: 1224363827;
      random_bytes:  36:f4:51:d4:92:23:79:ac:41:86:d2:ec:29:c8:3b:e8:58:78:72:4e:42:48:0b:27:97:df:5
9:b0;
    } Random;
    sessionId:         d8:03:00:00:cf:90:b3:93:8c:9d:e6:ca:b1:7a:f1:cf:6f:4f:1f:20:ab:86:c8:d9:ff:61
:c4:a4:2d:68:b4:0d;
    cipherSuite:       TLS_RSA_WITH_RC4_128_MD5;
    compressionMethod: NULL;
    extensions:
      (nil)
  } ServerHello;
} Handshake;
SSL HANDSHAKE processing in state {0}:
{1} READ_CERTIFICATE struct {
  type: CERTIFICATE;
  struct {
    java.security.cert.CertificateException: malformed GeneralName: Tag class is 0;
} Certificate;
} Handshake;



Thanks
Jary



^ permalink raw reply	[flat|nested] 7+ messages in thread
