Generating a self-signed certificate without adding a subjectAltName that contains the IP can lead to an error.
The reason for this error in Java 1.8.0_181 is that this update includes security improvements for LDAP support (endpoint identification); the flag below turns that check off again:
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
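Rather than disabling endpoint identification, the fix is to issue the server certificate with a subjectAltName that carries the name or IP the client actually connects to. This is an added example, not part of the original note: it generates such a self-signed certificate and checks that the SAN really contains the IP. It assumes OpenSSL 1.1.1 or newer (for `req -addext` and `x509 -ext`); the hostname and IP are constructed placeholders.

```shell
#!/bin/sh
# Added example: self-signed certificate with a SAN holding both the DNS name
# and the IP, so Java's endpoint identification can match the connected host.
# Hostname and IP below are constructed placeholders.

# gen_selfsigned_with_san HOST IP OUTPREFIX -> writes OUTPREFIX.key / OUTPREFIX.crt
gen_selfsigned_with_san() {
  host=$1; ip=$2; out=$3
  # -addext needs OpenSSL 1.1.1+; older releases need the SAN in a config file.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host,IP:$ip" \
    -keyout "$out.key" -out "$out.crt" 2>/dev/null
}

# cert_has_ip_san CERTFILE IP -> returns 0 when the SAN lists that IP address
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | grep -q "IP Address:$2"
}

# Stand-alone demonstration (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  gen_selfsigned_with_san ldap.example.internal 192.0.2.10 "$tmp/ldap"
  if cert_has_ip_san "$tmp/ldap.crt" 192.0.2.10; then
    echo "SAN contains 192.0.2.10: endpoint identification can succeed"
  else
    echo "SAN does not contain the IP: a Java client will reject this certificate"
  fi
fi
```

With the IP (and DNS name) present in the SAN, the LDAPS client verifies the peer normally and `disableEndpointIdentification` can stay at its default of false.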
Java class to test SSL
Additional parameters:
-Djavax.net.debug=ssl,handshake
-Djavax.net.debug=ssl,manager
-Djavax.net.debug=all
Adding a rule to leave the acme directory reachable over plain HTTP (excluded from the HTTPS redirect):
<VirtualHost *:80>
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
Include /etc/apache2/sites/demo.conf
</VirtualHost>
<VirtualHost *:443>
Include /etc/apache2/sites/demo.conf
SSLEngine on
SSLCertificateFile /etc/ssl/certs/demo.signed.crt
SSLCertificateKeyFile /etc/ssl/private/demo.key
SSLCertificateChainFile /etc/ssl/certs/letsencrypt-root-intermediate.pem
</VirtualHost>
Building SSL configurations
IANA / OpenSSL name mapping:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 / ECDHE-RSA-AES128-SHA256
As used on https://www.ssllabs.com/ssltest
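SSL Labs reports suites under their IANA names, while Apache's SSLCipherSuite and `openssl ciphers` want the OpenSSL names. The following is an added example, not part of the original note, that applies the naming rules for the common TLS 1.2 suites (AES-CBC, AES-GCM, ChaCha20, 3DES), flags which suites give forward secrecy, and assembles an SSLCipherSuite string from a constructed list of suites.

```shell
#!/bin/sh
# Added example: IANA -> OpenSSL cipher-suite names, forward-secrecy check, and
# an SSLCipherSuite string built from a constructed sample list.

# iana_to_openssl TLS_..._WITH_... -> OpenSSL name (TLS 1.3 names are unchanged)
iana_to_openssl() {
  case "$1" in
    *_WITH_*) ;;
    *) printf '%s\n' "$1"; return 0 ;;   # TLS 1.3 suites keep their IANA name
  esac
  printf '%s\n' "$1" | sed -E \
    -e 's/^TLS_//' \
    -e 's/^RSA_WITH_//' \
    -e 's/_WITH_/_/' \
    -e 's/AES_128_GCM/AES128-GCM/; s/AES_256_GCM/AES256-GCM/' \
    -e 's/AES_128_CBC/AES128/; s/AES_256_CBC/AES256/' \
    -e 's/3DES_EDE_CBC/DES-CBC3/' \
    -e 's/CHACHA20_POLY1305_SHA256/CHACHA20-POLY1305/' \
    -e 's/_/-/g'
}

# Forward secrecy: ephemeral (EC)DH key exchange, or any TLS 1.3 suite.
# Static ECDH/RSA key exchange (TLS_ECDH_*, TLS_RSA_*) has none.
has_forward_secrecy() {
  case "$1" in
    TLS_ECDHE_*|TLS_DHE_*) return 0 ;;
    TLS_*_WITH_*) return 1 ;;
    TLS_*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads IANA names (one per line) on stdin; prints a colon-separated OpenSSL
# cipher string holding only the forward-secret TLS 1.2 suites.
build_pfs_cipher_string() {
  out=""
  while read -r suite; do
    [ -n "$suite" ] || continue
    has_forward_secrecy "$suite" || continue
    case "$suite" in *_WITH_*) ;; *) continue ;; esac   # TLS 1.3 is configured separately
    name=$(iana_to_openssl "$suite")
    out="${out:+$out:}$name"
  done
  printf '%s\n' "$out"
}

# Constructed sample list, in the order an SSL Labs report might show them.
SAMPLE_SUITES='TLS_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA'

# prints: SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305
printf 'SSLCipherSuite %s\n' "$(printf '%s\n' "$SAMPLE_SUITES" | build_pfs_cipher_string)"
```

To cross-check a translation against the local library, `openssl ciphers -V -stdname 'ECDHE-RSA-AES128-SHA256'` (OpenSSL 1.1.1+) prints the IANA name next to the OpenSSL one.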
Import an SSL certificate into Java:
echo -n | openssl s_client -connect www.example.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt
Show all certificates in PEM format (one file per certificate in the chain):
openssl s_client -showcerts -verify 5 -connect google.fr:443 < /dev/null |
awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
for cert in *.pem; do
newname=$(openssl x509 -noout -subject -in "$cert" | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem
echo "${newname}"; mv "${cert}" "${newname}"
done
(http://hoab.fr/shaarli/?Ve3UZg)
keytool -import -trustcacerts -keystore /usr/local/jre/lib/security/cacerts -storepass changeit -noprompt -alias mycert -file /tmp/examplecert.crt
keytool -import -trustcacerts -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -storepass changeit -noprompt -alias mycert -file /tmp/examplecert.crt
keytool -import -trustcacerts -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit -noprompt -alias mycert -file /tmp/examplecert.crt
See also:
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html?jnffe22999=2
$JAVA_HOME/bin/keytool -list -v -keystore ${JAVA_HOME}/lib/security/cacerts
Export the public certificate:
keytool -export -alias certalias -keystore newkeystore.jks -file <public key name>.pem
Debug SSL:
-Djavax.net.debug=ssl,handshake
Get an SSL certificate from the command line:
openssl s_client -connect {HOSTNAME}:{PORT} -showcerts
See also: http://shaarli.hoab.fr/?4rTEfA (openssl s_client using a proxy - Stack Overflow)
Retrieving a certificate through an HTTP proxy:
proxytunnel -p yourproxy:8080 -d www.google.com:443 -a 7000 & openssl s_client -connect localhost:7000 -showcerts