## SSL sockets for HTTP

JosAH
Posts: 66
Joined: Sat Nov 12, 2016 2:11 pm
Location: Voorschoten

### SSL sockets for HTTP

Greetings,

I'm running Oracle's Java 8 (it came pre-installed on my Pi/3) and I'm trying to run my own HTTP server on SSL sockets. The 'keytool' utility can create self-signed certificates; this thing works on a PC, using the RSA and/or DSA algorithms.
Not so on my Pi/3: all I get is an error message on the browser, telling me that the server and client don't have a common certificate. This even happens when I generate my keystore on my PC and copy the file over to my PI/3.

Can some kind soul shed some light on this? Thanks in advance and

kind regards,

Jos

ps. I ran this command line in order to generate my keystore:

```sh
# Self-signed RSA key pair stored in a JKS keystore under alias "selfsigned", valid for 360 days
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360
```


DougieLawson
Posts: 39900
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

### Re: SSL sockets for HTTP

Which webserver are you running? Is it Apache2, Lighttpd, NGinx or something else?

Normally you'd create a self-signed server certificate with

```sh
# 2048-bit RSA key, passphrase-protected with 3DES
openssl genrsa -des3 -out raspberrypi.key 2048
# strip the passphrase so the webserver can load the key without prompting;
# keep the protected copy as *.secure
openssl rsa -in raspberrypi.key -out raspberrypi.key.insecure
mv raspberrypi.key raspberrypi.key.secure
mv raspberrypi.key.insecure raspberrypi.key
# certificate signing request (answer the prompts; CN should be the host name)
openssl req -new -key raspberrypi.key -out raspberrypi.csr
# sign the CSR with its own key: a self-signed certificate valid for 365 days
openssl x509 -req -days 365 -in raspberrypi.csr -signkey raspberrypi.key -out raspberrypi.crt
# .crt is already PEM; this just writes a .pem copy
openssl x509 -in raspberrypi.crt -out raspberrypi.pem -outform PEM
sudo cp raspberrypi.pem /etc/ssl/certs
sudo cp raspberrypi.key /etc/ssl/private
# the unencrypted private key must not be world-readable
sudo chmod 600 /etc/ssl/private/raspberrypi.key
```

Then add that key and that pem file to your webserver configuration.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

All fake doctors are on my foes list.

JosAH
Posts: 66
Joined: Sat Nov 12, 2016 2:11 pm
Location: Voorschoten

### Re: SSL sockets for HTTP

Thanks for your reply, but as far as I understand Java SSLSockets, they run in a non-intrusive way, i.e. one has to define a keystore and one has to use the SSLServerSocketFactory class for an SSLServerSocket. Two System.Properties define the location of the keystore and its password. It works fine that way on my laptop but it fails miserably on my Pi/3; btw I'm running a home-made HTTP server for my IoT stuff.

kind regards,

Jos
Last edited by JosAH on Sat Nov 12, 2016 4:49 pm, edited 1 time in total.

DougieLawson
Posts: 39900
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

### Re: SSL sockets for HTTP

You have to deliver the keys to both Alice and Bob; the error message is telling you that Alice has a valid key pair, but Bob doesn't have a matching key pair from the same certificate authority.

JosAH
Posts: 66
Joined: Sat Nov 12, 2016 2:11 pm
Location: Voorschoten

### Re: SSL sockets for HTTP

@DougieLawson: I think I understand what you're saying, but I don't understand why it works fine on my laptop, i.e. as I described in a previous reply of mine ...

kind regards,

Jos

DougieLawson
Posts: 39900
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

### Re: SSL sockets for HTTP

Look at your laptop in more detail.

JosAH
Posts: 66
Joined: Sat Nov 12, 2016 2:11 pm
Location: Voorschoten

### Re: SSL sockets for HTTP

For what? All I can see is the keystore (it's self signed); here it is:

```text
C:\Program Files\Java\jre1.8.0_101\bin>keytool -v -list -keystore d:\home\pi\keystore.jks

Keystore type: JKS
Keystore provider: SUN

Alias name: selfsigned
Creation date: Nov 10, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Jos Horsmeier, OU=jwd2, O=jwd2, L=Voorschoten, ST=ZH, C=NL
Issuer: CN=Jos Horsmeier, OU=jwd2, O=jwd2, L=Voorschoten, ST=ZH, C=NL
Serial number: 130cdc4f
Valid from: Thu Nov 10 17:43:57 CET 2016 until: Sun Nov 05 17:43:57 CET 2017
Certificate fingerprints:
MD5:  48:66:47:EF:99:74:5D:A5:BF:51:9F:21:80:A7:CA:67
SHA1: D1:A3:6F:F5:61:1C:5C:A2:C9:4D:56:6B:C7:F2:81:56:C7:D0:BE:5B
SHA256: AE:90:00:C4:7A:91:60:15:06:46:40:C7:5C:88:7B:1A:47:B3:49:E4:1C:9D:5C:24:8E:50:60:35:75:48:C6:5E
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: FF F7 BD E9 F1 42 55 43   D2 4B 73 11 3F 4E 90 9F  .....BUC.Ks.?N..
0010: 94 EA CF 1B                                        ....
]
]

*******************************************
*******************************************
```

It works fine on the laptop (where my HTTP server runs), but not so on my Pi/3; that's why I started this topic ...

kind regards,

Jos

JosAH
Posts: 66
Joined: Sat Nov 12, 2016 2:11 pm
Location: Voorschoten

### Re: SSL sockets for HTTP

Maybe a small explanation is in order here: Java implements those secure sockets itself, i.e. it doesn't need that openssl layer at all; it can do that because secure sockets are implemented on top of ordinary TCP sockets. When a secure client socket wants to communicate with a secure server socket, both sockets start a negotiation phase; if they both have a common certificate, communication starts. Those certificates are stored in a keystore and/or a truststore.

The layer is written in a non-intrusive way, i.e. the server asks for an SSLServerSocket from an SSLServerSocketFactory; the factory takes care of all the stuff behind the scenes; the client starts an SSLSocket that binds to an SSLServerSocket; all the application needs to do is define two System.Properties that define the location of the keystore and its password (only needed by a server).

On both of my laptops (one running Windows 10 and the other one running Linux (Mint)) this works fine, but it doesn't work on my Pi/3 and I don't know where things go wrong and I don't know where to look ...

kind regards,

Jos

dm159
Posts: 4
Joined: Sun Nov 13, 2016 8:53 am

### Re: SSL sockets for HTTP

Have you tried importing Server Certificate in Client's Trust Store? If the application uses two way SSL Certificate Auth, you'll need to sign Client Certificate with same key (or some key that is in the same Tree as) the one that signed Server Cert.

JosAH
Posts: 66
Joined: Sat Nov 12, 2016 2:11 pm
Location: Voorschoten

### Re: SSL sockets for HTTP

dm159 wrote:Have you tried importing Server Certificate in Client's Trust Store? If the application uses two way SSL Certificate Auth, you'll need to sign Client Certificate with same key (or some key that is in the same Tree as) the one that signed Server Cert.
But what to do if the server doesn't know who/what/where its client is in advance? That scenario wouldn't be unlikely for an HTTP server; negotiating which certificate to use (both) should be done at the start of binding/accepting the sockets. It works fine that way if I use two laptops in my tests; it's just my Pi that's acting up ...

kind regards,

Jos
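The setup described in Jos's explanation (server keystore via SSLServerSocketFactory) and dm159's suggestion (server certificate imported into the client's truststore), as one added example that is not code from the thread. It builds the server's SSLContext explicitly from the keystore and the client's from a truststore instead of relying on the javax.net.ssl.* system properties. That matters for order-dependent failures like the one in this thread: the SunJSSE default SSLContext reads javax.net.ssl.keyStore once, when the first caller asks for a default socket factory, so a module that touches SSL before the properties are set leaves the server without a key entry, and a server with no usable key fails every handshake with "no cipher suites in common", which a browser reports as the two sides having nothing in common. The file names keystore.jks and truststore.jks, the password "password" and the alias "selfsigned" are assumptions taken from the first post; the truststore is assumed to have been produced with keytool -exportcert on the server keystore followed by keytool -importcert into a fresh JKS file.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example, not code from the thread. Assumed inputs (hypothetical names):
 *   keystore.jks   - from the first post: alias "selfsigned", store password "password"
 *   truststore.jks - holds only the exported server certificate, e.g.
 *     keytool -exportcert -alias selfsigned -keystore keystore.jks -storepass password -file server.crt
 *     keytool -importcert -alias pi -file server.crt -keystore truststore.jks -storepass password -noprompt
 */
public class TlsEcho {
    static final char[] PASS = "password".toCharArray();   // assumption: password from the first post

    /** Loads a JKS file; whether it serves as keystore or truststore is the caller's decision. */
    static KeyStore loadJks(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, PASS);
        }
        return ks;
    }

    /** Server side: private key and certificate come from the keystore, nothing else is trusted. */
    static SSLContext serverContext(String keystorePath) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keystorePath), PASS);          // fails loudly here if no PrivateKeyEntry is usable
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), null, new SecureRandom());
        return ctx;
    }

    /** Client side: trust exactly the certificates in the truststore (the server's self-signed one). */
    static SSLContext clientContext(String truststorePath) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(truststorePath));
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    /** Accepts one connection, reads the request line and answers with a minimal HTTP response. */
    static void serveOnce(SSLServerSocket ss) throws Exception {
        try (SSLSocket s = (SSLSocket) ss.accept();   // the TLS handshake runs on the first read/write
             BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream(), "UTF-8"));
             PrintWriter out = new PrintWriter(s.getOutputStream(), true)) {
            String requestLine = in.readLine();      // e.g. "GET / HTTP/1.1"
            String body = "you sent: " + requestLine + "\n";
            out.print("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: "
                      + body.getBytes("UTF-8").length + "\r\nConnection: close\r\n\r\n" + body);
            out.flush();
        }
    }

    public static void main(String[] args) throws Exception {
        String ksPath = args.length > 0 ? args[0] : "keystore.jks";
        String tsPath = args.length > 1 ? args[1] : "truststore.jks";

        SSLServerSocket ss = (SSLServerSocket) serverContext(ksPath)
                .getServerSocketFactory().createServerSocket(0);   // port 0: let the OS pick a free port
        ss.setEnabledProtocols(new String[] {"TLSv1.2"});
        int port = ss.getLocalPort();
        Thread server = new Thread(() -> {
            try { serveOnce(ss); } catch (Exception e) { e.printStackTrace(); }
        });
        server.start();

        try (SSLSocket c = (SSLSocket) clientContext(tsPath).getSocketFactory().createSocket("localhost", port)) {
            c.startHandshake();   // throws with the real reason if the server cert is not in the truststore
            X509Certificate peer = (X509Certificate) c.getSession().getPeerCertificates()[0];
            System.out.println("negotiated " + c.getSession().getProtocol() + " " + c.getSession().getCipherSuite());
            System.out.println("server presented: " + peer.getSubjectX500Principal());
            PrintWriter out = new PrintWriter(c.getOutputStream(), true);
            out.print("GET / HTTP/1.1\r\nHost: localhost\r\n\r\n");
            out.flush();
            BufferedReader in = new BufferedReader(new InputStreamReader(c.getInputStream(), "UTF-8"));
            for (String line; (line = in.readLine()) != null; ) System.out.println(line);
        }
        server.join();
        ss.close();
    }
}
```

Run it on the Pi with `java -Djavax.net.debug=ssl:handshake TlsEcho keystore.jks truststore.jks` to see which certificate the server actually offers and why a handshake is rejected; that is the quickest way to tell "no key loaded" apart from "client does not trust the key". Two caveats for the browser case the first post describes: a browser only trusts a self-signed certificate after it has been imported into the browser's own trust store, and it also checks that the name in the certificate matches the address typed in the URL bar, which the certificate listed above (CN=Jos Horsmeier, no subject alternative name) cannot satisfy; generate it with `-ext san=dns:<pi-hostname>,ip:<pi-address>` on the keytool command line so the name check can pass.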

JosAH
Posts: 66
Joined: Sat Nov 12, 2016 2:11 pm
Location: Voorschoten

### Re: SSL sockets for HTTP

I solved this nasty issue (at least for me); the system runs on a Raspberry Pi; it is an IoT thingy and handles a couple of other devices 'over the air' (read: 2.4GHz) and the micro controllers for those devices are way too small to handle ssl sockets; consequently that Pi has to handle ordinary sockets as well as an ssl server socket (for the outside world). After some experimenting (read: furious hacking with a lot of tobacco and espresso coffee and the occasional Grolsch beers), I noticed that a stand-alone http server did work on that tiny Pi thingy, while it failed miserably (see all replies above) in my full system. I decided to initialize my http server first, before anything else was initialized and: voila, the thing worked. I don't know the reason for it, because all those modules are more or less independent of each other ...

thanks to the folks that tried to help me and

kind regards,

Jos

ps. now I have to figure out what was in the way of those silly ssl sockets on that Pi.