3

I'm trying to configure a jetty-distribution-9.3.1.v20150714 backend running on Java 1.8.0_45-b14 with a certificate signed by a self-signed CA certificate, for SSL pinning.

Following Apple's guide, I created a self signed CA certificate, then created a certificate based on that CA cert.

Result is a ServerCertificate.p12 with server's certificate and a private key and a root.cer file, which will be used for pinning.

$ keytool -list -keystore keystore.p12 -storetype pkcs12 
server, Jul 27, 2015, PrivateKeyEntry, 
Certificate fingerprint (SHA1): AA:BB:CC.........11:22:33

I've worked before with certs signed by a trusted CAs, so the backend should have SSL configured correctly. The mobile app's pinning framework was tested with a different website self-signed, it works well.

But the app fails to connect with my backend with that keystore: Trust anchor for certification path not found.

I had the feeling the CA cert is missing from the keystore, so I've tried to add it with keytool -import -alias root -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file root.crt (.crt is a base64 readable certificate file), but it didn't help.

# after adding root.crt

$ keytool -list -keystore keystore.p12 -storetype pkcs12 
server, Jul 27, 2015, PrivateKeyEntry, 
Certificate fingerprint (SHA1): AA:BB:CC.........11:22:33
root, Jul 27, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): FF:DD:EE.........33:22:11

$ openssl s_client -connect example.com:443
CONNECTED(00000003)
depth=1 CN = Product CA, C = AU
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=Product/C=AU
   i:/CN=Product CA/C=AU
 1 s:/CN=Product CA/C=AU
   i:/CN=Product CA/C=AU
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDADCCAei..................................
.............................................
..........BASE64.STUFF.......................
.............................................
................................eTVowuY+erkaf
+sIO4w==
-----END CERTIFICATE-----
subject=/CN=Product/C=AU
issuer=/CN=Product CA/C=AU
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 2732 bytes and written 636 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 55B6.........................2B4
    Session-ID-ctx: 
    Master-Key: 1C.............................................................................30AF
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1497776932
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed

Interestingly, curl https://example.com --cacert server.cer works well... (it doesn't without the --cacert)

Any idea what's wrong with the configuration?

Kof
  • 143
  • 1
  • 4

0 Answers0