java.security.cert.CertificateException: Certificate data canot be processed

Question

I need some help to fix Certificate Exception in my project.I receive java.security.cert.CertificateException: Certificate data canot be processed Below is Environment details for the client application:

• My client application is deployed on IBM WebsphereApplicationServer(WAS)6.0
• Uses IBM JDK 1.4.2 built in with WAS 6.0

The 3rd party Webservice provider has recently upgraded to SHA-256. With above client setup I am receiving Handshake exception. We tried using Bouncy Castle jar for SHA-256 support. After this I see below exception when making a Webservice call:

 WebContainer : 0, SEND TLSv1 ALERT:  fatal, description = certificate_unknown                               
 WebContainer : 0, WRITE: TLSv1 Alert, length = 2                                                            
 WebContainer : 0, called closeSocket()                                                                      
 WebContainer : 0, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate data canot be processed  
 Exception javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate data canot be processed  
 Finalizer, called close()                                                                                   
 Finalizer, called closeInternal(true) 

The keystore and truststore I have is from default JDK version:

keyStore is: /usr/local/opt/was/was60/java/jre/lib/security/cacerts   
keyStore type is : jks                                                
init keystore                                                         
trustStore is: /usr/local/opt/was/was60/java/jre/lib/security/cacerts 
trustStore type is : jks  

Here is few more logs:

SystemErrR AxisFault
 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
 faultSubcode:
 faultString: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate data canot be processed
 faultActor:
 faultNode:
 faultDetail:
        {http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate data canot be processed
        at com.ibm.jsse2.bx.a(bx.java:114)
        at com.ibm.jsse2.by.a(by.java:24)
        at com.ibm.jsse2.by.a(by.java:444)
        at com.ibm.jsse2.w.a(w.java:281)
        at com.ibm.jsse2.w.a(w.java:105)
        at com.ibm.jsse2.v.a(v.java:25)
        at com.ibm.jsse2.by.a(by.java:272)
        at com.ibm.jsse2.by.m(by.java:198)
        at com.ibm.jsse2.by.startHandshake(by.java:68)
        at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
        at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
        at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
        at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
        at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
        at org.apache.axis.client.Call.invoke(Call.java:2767)
        at org.apache.axis.client.Call.invoke(Call.java:2443)
        at org.apache.axis.client.Call.invoke(Call.java:2366)
        at org.apache.axis.client.Call.invoke(Call.java:1812)
        at com.cingular.csi.CSI.Namespaces.v94.wsdl.CingularWirelessCSI_wsdl.InquireWirelineServiceAppointmentReservationsSoapHttpBindingStub.inquireWireline

Finally, few more points to note:

• Neither WAS nor JDK can be upgraded since, applications is stable.

• SocketFactory used is : com.ibm.jsse2.SSLSocketFactoryImpl

• Tried javax.net.SSLSocketFactoryImpl. It fails at SocketContext itself.

• Tried adding third party server certs to my truststore(cacerts) using keytool. It didn't work either.

• Also tried using DummyClientKeyFile.jks and DummyClientTrustFile.jks as Keystore and truststore files respectively instead of cacerts of JDK, but in vain.

I am stuck with this issue since more than two weeks now.Any help is appreciated.

Answer 1

IBM's 1.4.2 JVM does not support certificates signed with a SHA256 cipher. I raised a PMR to confirm this when we encountered this issue and the response was:

"You will need to revert to using older style ciphers or upgrade. We began supporting SHA 256 from Java 1.5 onward. It's not possible to back port the function."

If you find mentions of Java 1.4.2 supporting such certificates, check which vendor's JVM this relates to - its likely Oracle since their 1.4.2 JVM does support SHA256 signed certs.

Update

Your options for getting around this problem are:

1. upgrade to IBM's 1.5 JVM (or better!). If you're using Java 1.4.2 as part of an IBM product, e.g. WebSphere Application Server (v6) then you'll need to upgrade that too.
2. if you're not tied to IBM but must be on 1.4.2, try Oracle's 1.4.2 JVM
3. use forward proxying. This involves connecting to the proxy, the proxy terminating the SSL connection then opening a second connection out to the final destination. The proxy becomes a man-in-the-middle, so there are security issues to consider here (e.g. PCI DSS compliance if you're sending payment card data).
4. a variation of #3 involves having a firewall do this transparently.