PQ82944: SSLHANDSHAKEEXCEPTION, SSL CONNECTION, X509V3 CERTIFICATE EXTENSIONS, JSSE

 A fix is available

WebSphere Application Server_Security_JSSE_cumulative_Fix



APAR status
Closed as program error.

Error description
The customer received this error when trying to establish an SSL
connection, using JSSE, to a server that utilizes a certificate
with X509v3 certificate extensions.  The program running on the
WebSphere application server is the "client".  The customer
receives the following error:
Error: javax.net.ssl.SSLHandshakeException: unknown certificate
javax.net.ssl.SSLHandshakeException: unknown certificate
  at com.ibm.jsse.JSSESocket.install(Unknown Source)
  at com.ibm.jsse.JSSESocket.startHandshake(Unknown Source)
  at com.ibm.net.ssl.internal.www.protocol.https.n.e(Unknown Source)
This problem was fixed with the JSSE build dated 12/13/03.  The
Hursley defect number was 67033.
IBMJSSE Defect 82996 - javax.net.ssl.SSLHandshakeException:
unknown certificate on 1.3.x. When there is a critical extended
key usage extension on the leaf certificate used to authenticate
the server, a javax.net.ssl.SSLHandshakeException: unknown
certificate is thrown. For 1.3.x, JSSE will not check to see if
there are any other critical extensions.
The latest IBMJSSE jar can be found on the IBM JIM site:
w3.ibm.com/java
The customer is running WAS 4.0.7 on Solaris 8.

Local fix
Customer is currently running with a temporary ibmjsse.jar file
that they received from the JSSE team.

Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users who   *
*                 have enabled security and/or are attempting  *
*                 to programmatically establish SSL            *
*                 connections and are using certificates with  *
*                 X509v3 certificate extensions in their       *
*                 trust or key stores.                         *
****************************************************************
* PROBLEM DESCRIPTION: "javax.net.ssl.SSLHandshakeException:   *
*                      unknown certificate" when using         *
*                      certificates with X509v3 certificate    *
*                      extensions.                             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

Problem conclusion
Issue is resolved in the 12-13-2003 JSSE build which has been
integrated into WebSphere.

Temporary fix

Comments

APAR information
APAR number: PQ82944
Reported component name: WEBSPHERE AE SO
Reported component ID: 5630A2202
Reported release: 400
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Submitted date: 2004-01-07
Closed date: 2004-02-03
Last modified date: 2004-02-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
security          

SRLS

Fix information

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ82944
IBM Group: Software Group
Modified date: Feb 3, 2004