java SSL cert import


Hi all,

I want to import SSL certs into a keystore for a MySQL connection. The import itself succeeds (I'll share how I do it in a moment), but the app dies on connect.
I've tried several methods (yes, the official docs too), but my last attempt was this:
I imported ca-cert.pem into the truststore:
keytool -import -alias mysqlclient -file ca-cert.pem -keystore truststore -storepass jelszo -deststoretype JKS
then I made a compatible PKCS12 for the keystore:
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -certfile client-cert.pem -name "mysqlclient" -out client.p12
and imported it:
keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore keystore -storepass jelszo -alias mysqlclient -deststoretype JKS

The error is the same in every case (or at least it looks the same):
Connecting to a selected database...
keyStore is :/cert/keystore
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
***
found key for : mysqlclient
chain [0] = [
[
Version: V1
Subject: EMAILADDRESS=email@cimem.com, CN=p3, OU=Unix, O=NI, L=Dublin, ST=Dub, C=IE
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 512 bits
modulus: 8958952146610513163934078352840413874679965202290478841711894627557179923643321055537494190146495406229376032830420079772253820167981129937834534592971361
public exponent: 65537
Validity: [From: Tue Jan 20 15:59:34 GMT 2015,
To: Thu Nov 28 15:59:34 GMT 2024]
Issuer: EMAILADDRESS=email@cimem.com, CN=p1, OU=Unix, O=NI, L=Austin, ST=Tx, C=US
SerialNumber: [ 01]

]
Algorithm: [SHA256withRSA]
Signature:
0000: 04 83 0C CF 9B B8 3D 43 B3 E4 54 B8 64 2A DE BC ......=C..T.d*..
0010: FA CE 2D 6F E8 01 AA 5A 06 88 C4 22 EA A2 93 CD ..-o...Z..."....
0020: 4A F7 CB B4 C4 BB EC 54 1A 29 3D 98 B4 CA 95 7B J......T.)=.....
0030: C8 D5 3B 0E 92 A4 F6 1D 34 38 AE F0 46 92 7D F7 ..;.....48..F...

]
***
trustStore is: /cert/truststore
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: EMAILADDRESS=email@cimem.com, CN=p1, OU=Unix, O=NI, L=Austin, ST=Tx, C=US
Issuer: EMAILADDRESS=email@cimmem.com, CN=p1, OU=Unix, O=NI, L=Austin, ST=Tx, C=US
Algorithm: RSA; Serial number: 0x985f5e5af38153ad
Valid from Tue Jan 20 15:55:45 GMT 2015 until Thu Nov 28 15:55:45 GMT 2024

trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1405083525 bytes = { 238, 19, 20, 129, 130, 185, 141, 77, 192, 55, 24, 1, 74, 62, 147, 62, 177, 35, 64, 184, 157, 44, 62, 202, 73, 76, 176, 142 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
[write] MD5 and SHA1 hashes: len = 149
0000: 01 00 00 91 03 01 54 C0 E0 85 EE 13 14 81 82 B9 ......T.........
0010: 8D 4D C0 37 18 01 4A 3E 93 3E B1 23 40 B8 9D 2C .M.7..J>.>.#@..,
0020: 3E CA 49 4C B0 8E 00 00 2A C0 09 C0 13 00 2F C0 >.IL....*...../.
0030: 04 C0 0E 00 33 00 32 C0 07 C0 11 00 05 C0 02 C0 ....3.2.........
0040: 0C C0 08 C0 12 00 0A C0 03 C0 0D 00 16 00 13 00 ................
0050: 04 00 FF 01 00 00 3E 00 0A 00 34 00 32 00 17 00 ......>...4.2...
0060: 01 00 03 00 13 00 15 00 06 00 07 00 09 00 0A 00 ................
0070: 18 00 0B 00 0C 00 19 00 0D 00 0E 00 0F 00 10 00 ................
0080: 11 00 02 00 12 00 04 00 05 00 14 00 08 00 16 00 ................
0090: 0B 00 02 01 00 .....
main, WRITE: TLSv1 Handshake, length = 149
[Raw write]: length = 154
0000: 16 03 01 00 95 01 00 00 91 03 01 54 C0 E0 85 EE ...........T....
0010: 13 14 81 82 B9 8D 4D C0 37 18 01 4A 3E 93 3E B1 ......M.7..J>.>.
0020: 23 40 B8 9D 2C 3E CA 49 4C B0 8E 00 00 2A C0 09 #@..,>.IL....*..
0030: C0 13 00 2F C0 04 C0 0E 00 33 00 32 C0 07 C0 11 .../.....3.2....
0040: 00 05 C0 02 C0 0C C0 08 C0 12 00 0A C0 03 C0 0D ................
0050: 00 16 00 13 00 04 00 FF 01 00 00 3E 00 0A 00 34 ...........>...4
0060: 00 32 00 17 00 01 00 03 00 13 00 15 00 06 00 07 .2..............
0070: 00 09 00 0A 00 18 00 0B 00 0C 00 19 00 0D 00 0E ................
0080: 00 0F 00 10 00 11 00 02 00 12 00 04 00 05 00 14 ................
0090: 00 08 00 16 00 0B 00 02 01 00 ..........
[Raw read]: length = 5
0000: 16 00 00 02 FF .....
main, handling exception: javax.net.ssl.SSLException: Unsupported record version Unknown-0.0
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
main, Exception sending alert: java.net.SocketException: Broken pipe
main, called closeSocket()
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
com.mysql.jdbc.CommunicationsException: Communications link failure due to underlying exception:

** BEGIN NESTED EXCEPTION **

javax.net.ssl.SSLException
MESSAGE: Unsupported record version Unknown-0.0

STACKTRACE:

javax.net.ssl.SSLException: Unsupported record version Unknown-0.0
at sun.security.ssl.InputRecord.readV3Record(Unknown Source)
at sun.security.ssl.InputRecord.read(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:72)
at com.mysql.jdbc.MysqlIO.negotiateSSLConnection(MysqlIO.java:4290)
at com.mysql.jdbc.MysqlIO.doHandshake(MysqlIO.java:1249)
at com.mysql.jdbc.Connection.createNewIO(Connection.java:2572)
at com.mysql.jdbc.Connection.<init>(Connection.java:1485)
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:266)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at JTreeEvents.<init>(empireSod.java:150)
at empireSod.main(empireSod.java:109)

** END NESTED EXCEPTION **

By the way, the certs work, they've been tested; it's just this blasted keystore that trips me up...
Real-world experience is welcome :)
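An added example, not from the original post: it decodes the five bytes logged above under "[Raw read]: length = 5" both as the TLS record header that JSSE tried to parse (which yields the "Unknown-0.0" version in the exception) and as a MySQL wire-protocol packet header. Reading those bytes as a MySQL packet is an assumption about what the server sent, not something the log states.

```python
import struct

# Constructed from the debug output in the post: "0000: 16 00 00 02 FF"
RAW_READ = bytes.fromhex("16 00 00 02 FF")

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def parse_tls_record_header(data: bytes) -> dict:
    """Read the first 5 bytes as a TLS record header: type, major, minor, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "content_type": TLS_CONTENT_TYPES.get(content_type, f"unknown({content_type})"),
        "version": f"{major}.{minor}",
        "length": length,
        # Every SSL 3.0 / TLS 1.x record carries major version 3; anything
        # else is what JSSE reports as an unsupported record version.
        "version_supported": major == 3,
    }


def parse_mysql_packet_header(data: bytes) -> dict:
    """Read the same bytes as a MySQL packet: 3-byte little-endian payload
    length, 1-byte sequence id, then the first payload byte (0xFF marks ERR)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    payload_length = int.from_bytes(data[0:3], "little")
    sequence_id = data[3]
    packet_type = {0x00: "OK", 0xFF: "ERR", 0xFE: "EOF"}.get(data[4], "other")
    return {"payload_length": payload_length, "sequence_id": sequence_id,
            "packet_type": packet_type}


def diagnose(data: bytes) -> str:
    """Summarise which interpretation of the bytes is internally consistent."""
    tls = parse_tls_record_header(data)
    if tls["version_supported"]:
        return f"TLS {tls['content_type']} record, version {tls['version']}"
    my = parse_mysql_packet_header(data)
    # Assumption: a well-formed MySQL header where the TLS header is not
    # suggests the peer answered in plain MySQL protocol instead of TLS.
    return (f"not a TLS record (version {tls['version']}); as a MySQL packet: "
            f"{my['packet_type']}, seq {my['sequence_id']}, "
            f"{my['payload_length']} payload bytes")


if __name__ == "__main__":
    print(diagnose(RAW_READ))
```

Running it on the bytes from the log prints the MySQL reading (an ERR packet, sequence 2, 22-byte payload), which is a quick check to run on any "Unsupported record version" trace before spending more time on the keystores.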