Tag Archives: ssl

Using keystore in JAVA for Self-Signed SSL certificates

You may see the following error when connecting to a domain that uses a self-signed certificate:

sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target

In this case you have to do the following steps to make the Java program trust the given domain:

1. Get the SSL certificate of the domain:

openssl s_client -connect somedomain.com:443 -servername somedomain.com </dev/null | openssl x509 -outform PEM > cert1.cert

The redirect from /dev/null closes the s_client session as soon as the handshake is done (otherwise it waits for input), and the second openssl call keeps only the PEM-encoded certificate, which is what keytool expects in the next step.

2. Generate a Java keystore containing the certificate:

D:\runtime\jdk8u45x64\bin\keytool -import -v -trustcacerts 
-file cert1.cert -keystore cacerts1.jks 
-alias somealias -keypass "changeit" -storepass "changeit"

Type “yes” when prompted to accept the certificate.

3. Add JVM arguments to your program:

-Djavax.net.ssl.trustStore="D:\projects\my\cacerts1.jks"
-Djavax.net.ssl.trustStorePassword="changeit"

4. (Optional) Debug arguments, which print the certificate path building and trust manager decisions:

-Djava.security.debug=certpath
-Djavax.net.debug=trustmanager

The following JVM arguments also exist, but they configure the key store (the client's own certificate and private key), not the trust store, so they do not help with self-signed server certificates:

-Djavax.net.ssl.keyStore="D:\projects\my\cacerts3.jks"
-Djavax.net.ssl.keyStorePassword="changeit"
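
As an added example (not code from the original post), the trust store built in step 2 can also be loaded in code for a single connection instead of via the JVM-wide system properties; the keystore path, password and domain are the post's values and are assumptions here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

// Uses the trust store from step 2 for one connection only, instead of setting
// -Djavax.net.ssl.trustStore for the whole JVM. Path, password and URL below
// are assumptions taken from the post.
public class SelfSignedTrust {
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        // Only certificates in this store are trusted; the JDK's default
        // cacerts file is not consulted for this context.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFromTrustStore("D:\\projects\\my\\cacerts1.jks",
                                               "changeit".toCharArray());
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://somedomain.com/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default hostname verifier stays in place, so the imported
        // certificate must actually be issued for somedomain.com.
        try {
            System.out.println("HTTP " + conn.getResponseCode());
            for (Certificate c : conn.getServerCertificates()) {
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // Same root cause as the SunCertPathBuilderException above: the
            // server's chain does not end at a certificate in the store.
            System.err.println("Handshake failed: " + e.getMessage());
        }
    }
}
```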

Thanks to:
https://www.javacodegeeks.com/2014/07/java-keystore-tutorial.html
https://docs.oracle.com/cd/E29585_01/PlatformServices.61x/security/src/csec_ssl_jsp_start_server.html
http://stackoverflow.com/a/20190493
https://github.com/denimgroup/threadfix/wiki/Importing-Self-Signed-Certificates

OwnCloud connection to server error

OwnCloud is a great replacement for Google, Yandex and Dropbox disks. It is a really useful and convenient tool for managing your private data.

There are a few ways to connect to your server:
- WebDAV directly from the OS
- browser access
- iOS/Android mobile clients

If your OwnCloud service is behind an Nginx server with SSL protection, you may see the following error when accessing it from the mobile client:

it is not possible to connect to the server at this time

After spending a few days searching for a solution on the forum https://forum.owncloud.org, none of the proposed fixes helped.

Then I paid attention to the “Security & setup warnings” section in the Admin panel:

The "Strict-Transport-Security" HTTP header 
is not configured to least "15768000" seconds. 
For enhanced security we recommend enabling HSTS 
as described in our security tips.

So, go ahead!

Just add the Strict-Transport-Security header to the Nginx config:

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

Restart Nginx and voila, the mobile client will ask you to accept the SSL certificate! Two caveats: in Nginx an add_header directive inside a location block replaces the add_header directives inherited from the server block, so repeat the HSTS header there if a location already has its own add_header lines; and keep the preload token only if you intend to submit the domain to the browser HSTS preload list, because that is hard to undo.

Generating SSL certificate

To serve SSL connections from your server you need an SSL certificate.
Here are the steps to create a self-signed SSL certificate:

1. Install openssl.

yum install -y openssl

2. Create shell script add_ssl.sh:

#!/bin/bash
set -e

prefix=$1
if [ -z "$prefix" ]; then
	echo "usage: $0 <domain>" >&2
	exit 1
fi

# Generate private key and keep it readable by the owner only
openssl genrsa -out "$prefix.key" 2048
chmod 600 "$prefix.key"

# Generate CSR; the -subj value replaces the interactive prompts
openssl req -new -key "$prefix.key" -out "$prefix.csr" \
	-subj "/C=[COUNTRY]/ST=[LOCALE]/L=[CITY]/O=[COMPANY]/OU=SSL/CN=$prefix/emailAddress=[EMAIL]"

# Generate self-signed certificate, valid for one year
openssl x509 -req -days 365 -in "$prefix.csr" -signkey "$prefix.key" -out "$prefix.crt"

# Move the files to the correct locations
mv "$prefix.crt" /etc/ssl
mv "$prefix.key" /etc/ssl
mv "$prefix.csr" /etc/ssl

Replace [LOCALE], [COUNTRY], [CITY], [COMPANY], [EMAIL] with your values.

3. Run the script, for example:

./add_ssl.sh gik.firetrot.com

Digital Signature explanation

Security is a very important concept today for all types of systems, so we have to know how to protect data from theft, hijacking, etc.
Encryption is a reversible conversion of data that hides the payload from other readers.

There are two types of encryption algorithms:
1. Symmetric encryption (private-key or secret-key cryptography).
Uses the same key for encryption and decryption of the message.

2. Asymmetric encryption (public-key cryptography).
Uses the public key for encryption and the private key for decryption of the message.

Payload messages are usually protected with a digital signature. How the digital signature works is explained below in a few steps:

1. Angela wants to send a message to Hugo.

2. Angela requests a certificate from the Certification Center.

3. The Certification Center sends a certificate with a public-private key pair.

4. Angela calculates the hash of the message and encrypts the obtained hash with her private key: this is the Digital Signature (DS)! Then she attaches the DS to the message.

5. Angela sends the DS, the message and the certificate to Hugo.

6. Hugo decrypts the digital signature with the public key and takes the hash of the message. Then he checks the decrypted value and the hash for equality. If the values are equal, the message is valid and can be read; otherwise the message is invalid!
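
Steps 4 and 6 above as an added example in Java (not code from the original post); the key pair, the names and the message are constructed for this example, and in the post the key pair would come with the certificate rather than being generated locally.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

// Steps 4 and 6 above in code. "SHA256withRSA" hashes the message with
// SHA-256 and signs the hash with the private key in one operation, so the
// hash is never handled by hand. Key pair, names and message are constructed
// for this example; in the post the key pair would come with the certificate.
public class DigitalSignatureDemo {

    // Step 4: Angela produces the DS from the message and her private key.
    static byte[] sign(PrivateKey priv, byte[] message) throws Exception {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(priv);
        signer.update(message);
        return signer.sign();
    }

    // Step 6: Hugo recomputes the hash and compares it with the one
    // recovered from the DS using the public key.
    static boolean verify(PublicKey pub, byte[] message, byte[] ds) throws Exception {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pub);
        verifier.update(message);
        return verifier.verify(ds);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair angela = gen.generateKeyPair();

        byte[] message = "Hi Hugo, pay 100 EUR".getBytes(StandardCharsets.UTF_8);
        byte[] ds = sign(angela.getPrivate(), message);
        System.out.println("original message: " + verify(angela.getPublic(), message, ds));

        // Changing one character changes the hash, so verification fails.
        byte[] tampered = "Hi Hugo, pay 900 EUR".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered message: " + verify(angela.getPublic(), tampered, ds));

        // A DS made with a different private key does not match Angela's
        // public key either, so a forged signature is rejected.
        KeyPair other = gen.generateKeyPair();
        byte[] forged = sign(other.getPrivate(), message);
        System.out.println("forged signature: " + verify(angela.getPublic(), message, forged));
    }
}
```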

See also:
https://en.wikipedia.org/wiki/Symmetric-key_algorithm
https://en.wikipedia.org/wiki/Public-key_cryptography
http://en.wikipedia.org/wiki/Digital_signature
https://en.wikipedia.org/wiki/Hash_function

http://en.kioskea.net/contents/130-private-key-or-secret-key-cryptography
http://en.kioskea.net/contents/131-public-key-systems