Notes on HTTPS, SSL, Certificates and Around it

Research and study Notes on HTTPS, SSL, Certificates and Around it

SNI – Server Name Indication – enables multiple certificates on one IP address

SAN – Subject Alternative Name – combines multiple domain names on one certificate

PFS – Perfect Forward Secrecy – protects past sessions against a future compromise of the server's long-term key

DNSSEC – Domain Name System Security Extensions – protects against forged DNS records

DANE – DNS-Based Authentication of Named Entities – specifies the certificate or keys at the DNS level

CAA – Certificate Authority Authorization – specifies the CAs allowed to issue for the domain, at the DNS level

CRL – Certificate Revocation List – list of revoked certificates maintained by the CA

OCSP – Online Certificate Status Protocol – online lookup of a single certificate's revocation status from the CA, instead of downloading the whole CRL

PKP – Public Key Pinning – ensures a client will only accept predefined certificates (public keys). The PKP header:

Defines which public keys are allowed

Specifies the max age for which the pins are cached

Defines whether it applies to subdomains

Facilitates reporting of violations

SSL Labs

Extended validation certificates

HTTPS


Code :

https://github.com/zephyrdeveloper

Used this one : apache-tomcat-9.0.1.tar.gz

Finally this one worked : https://dzone.com/articles/setting-ssl-tomcat-5-minutes

All Concepts of Certificate :

http://blog.palominolabs.com/2011/10/18/java-2-way-tlsssl-client-certificates-and-pkcs12-vs-jks-keystores/index.html

Posted my doubt here :

https://stackoverflow.com/questions/46625183/ssl-tls-communication-not-happening-with-tomcat-server-on-using-self-signed-cert

Keytool Command to See the Certificate Contents : keytool -list -keystore sumitcert

Keytool Available Directory : /apache-tomcat-9.0.1/bin

Certificate Generation :

eSumit@Sumits-MacBook-Pro:~/Documents/ApacheTomcat/Apache9-0/apache-tomcat-9.0.1/bin$ keytool -genkey -alias sumit -keyalg RSA -keystore sumitcert

Enter keystore password:  
Re-enter new password: 
What is your first and last name?  [Unknown]:  Sumit Arora
What is the name of your organizational unit?  
[Unknown]:  Japan  
What is the name of your organization?  [Unknown]:  Russia
What is the name of your City or Locality?  
[Unknown]:  Delhi
What is the name of your State or Province?  
[Unknown]:  Rohita
What is the two-letter country code for this unit?  
[Unknown]:  RA
Is CN=Sumit Arora, OU=Japan, O=Russia, L=Delhi, ST=Rohita, C=RA correct?  
[no]:  yes
Enter key password for <sumit> (RETURN if same as keystore password):  
Re-enter new password: 
eSumit@Sumits-MacBook-Pro:~/Documents/ApacheTomcat/Apache9-0/apache-tomcat-9.0.1/bin$ ls


eSumit@Sumits-MacBook-Pro:~/Documents/ApacheTomcat/Apache9-0/apache-tomcat-9.0.1/bin$ keytool -list -keystore sumitcert
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

sumit, 6 Oct, 2017, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 17:F4:0A:C2:2A:AA:B4:52:9C:0F:B1:FA:3C:6E:F9:4E:FC:87:B7:C5
eSumit@Sumits-MacBook-Pro:~/Documents/ApacheTomcat/Apache9-0/apache-tomcat-9.0.1/bin$

Configuration :

Note the path of the keystore file:

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="/Users/eSumit/Documents/ApacheTomcat/Apache9-0/certdir/sumitcert.jks" keystorePass="sumit123"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS" />

Or

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="../certdir/sumitcert.jks" keystorePass="sumit123"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS" />

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />


Remember there are two different SSL implementations (and so two configuration styles) in Tomcat:

See this: https://stackoverflow.com/questions/3078810/what-is-the-difference-between-apr-implementation-of-ssl-and-jsse-implementation

1. NIO implementation

2. APR/native implementation, which always uses OpenSSL for TLS

<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation. The default
SSLImplementation will depend on the presence of the APR/native
library and the useOpenSSL attribute of the
AprLifecycleListener.
Either JSSE or OpenSSL style configuration may be used regardless of
the SSLImplementation selected. JSSE style configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
-->

<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
This connector uses the APR/native implementation which always uses
OpenSSL for TLS.
Either JSSE or OpenSSL style configuration may be used. OpenSSL style
configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
certificateChainFile="conf/localhost-rsa-chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
-->


Tomcat HTTPS :

http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html


Did we only create a certificate file and not a private key?

https://stackoverflow.com/questions/2640691/how-to-export-private-key-from-a-keystore-of-self-signed-certificate

Difference between KeyStore and TrustStore

http://javarevisited.blogspot.in/2012/09/difference-between-truststore-vs-keyStore-Java-SSL.html

How to make sure the Tomcat server now works only on HTTPS and not on HTTP: a configuration change is required for that.
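One way to do that, as an added example that is not from the original post: a web.xml security constraint that marks every URL as CONFIDENTIAL, so Tomcat answers plain-HTTP requests with a redirect to the HTTPS port named in the HTTP connector's redirectPort instead of serving them. It assumes the port 8443 connector from the configuration above (with secure="true") and Tomcat's default port 8080 HTTP connector.

```xml
<!-- server.xml: the plain HTTP connector must name the HTTPS port it redirects to.
     Removing this connector altogether is the stricter choice if no HTTP listener
     is wanted at all. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- web.xml (conf/web.xml for the whole server, or WEB-INF/web.xml for one
     application): a request for a matching URL that arrives on a connector
     without secure="true" is redirected to https://host:8443/... rather than
     served. The 8443 connector must carry secure="true" (as in the
     configuration above); otherwise Tomcat does not see it as satisfying the
     constraint and keeps redirecting. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- CONFIDENTIAL requires TLS; Tomcat treats INTEGRAL the same way -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

After restarting Tomcat, a request to http://localhost:8080/ should come back as a redirect to https://localhost:8443/ rather than a page.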


Keytool command executions:

eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ ls -l keyttol
ls: keyttol: No such file or directory
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ ls -l keytool
-rwxrwxr-x  1 root  wheel   101K Apr 10  2015 keytool*
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ ls -l /usr/bin/keytool
lrwxr-xr-x  1 root  wheel    77B Dec 19  2016 /usr/bin/keytool@ -> /System/Library/Frameworks/JavaVM.framework/Versions/Current/Commands/keytool
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ ls -l /System/Library/Frameworks/JavaVM.framework/Versions/Current/Commands/keytool
-rwxr-xr-x  1 root  wheel    57K Dec 13  2016 /System/Library/Frameworks/JavaVM.framework/Versions/Current/Commands/keytool*
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ ls
java*        jjs*         keytool*     orbd*        pack200*     policytool*  rmid*        rmiregistry* servertool*  tnameserv*   unpack200*
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ keytool -genkey -alias sumit -keyalg RSA -keystore /Users/eSumit/Documents/KeyToolKeys/NewKeys/serverkey.jks
Enter keystore password:
keytool error: java.lang.Exception: Key pair not generated, alias already exists
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ keytool -genkey -alias london -keyalg RSA -keystore /Users/eSumit/Documents/KeyToolKeys/NewKeys/londonkey.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]:  Sumit Arora
What is the name of your organizational unit?
[Unknown]:  Sumit
What is the name of your organization?
[Unknown]:  Sumit
What is the name of your City or Locality?
[Unknown]:  Sumit
What is the name of your State or Province?
[Unknown]:  Sumit
What is the two-letter country code for this unit?
[Unknown]:  Su
Is CN=Sumit Arora, OU=Sumit, O=Sumit, L=Sumit, ST=Sumit, C=Su correct?
[no]:  yes
Enter key password for <london> (RETURN if same as keystore password):
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ keytool -certreq -alias london -keyalg RSA -keystore /Users/eSumit/Documents/KeyToolKeys/NewKeys/londonkey.jks -file londonkey.csr
Enter keystore password:
keytool error: java.io.FileNotFoundException: londonkey.csr (Permission denied)
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ sudo keytool -certreq -alias london -keyalg RSA -keystore /Users/eSumit/Documents/KeyToolKeys/NewKeys/londonkey.jks -file londonkey.csr
Password:
Enter keystore password:
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ sudo keytool -export -alias london -file londonkey.crt -keystore /Users/eSumit/Documents/KeyToolKeys/NewKeys/londonkey.jks
Password:
Enter keystore password:
Certificate stored in file
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ ls
java*          keytool*       londonkey.csr  pack200*       rmid*          servertool*    unpack200*
jjs*           londonkey.crt  orbd*          policytool*    rmiregistry*   tnameserv*
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ sudo keytool -import -alias london  -keystore ../lib/security/cacert -trustcacerts -file londonkey.crt
Password:
Enter keystore password:
Re-enter new password:
Owner: CN=Sumit Arora, OU=Sumit, O=Sumit, L=Sumit, ST=Sumit, C=Su
Issuer: CN=Sumit Arora, OU=Sumit, O=Sumit, L=Sumit, ST=Sumit, C=Su
Serial number: 7b5df08c
Valid from: Sat Oct 07 21:55:51 IST 2017 until: Fri Jan 05 21:55:51 IST 2018
Certificate fingerprints:
MD5:  EC:31:D2:27:57:73:90:9A:C7:EC:C7:B0:E1:2C:5F:5C
SHA1: 93:82:A0:7F:D6:8C:8B:56:DB:FE:F8:9B:8A:FA:DD:FF:3F:70:3F:9A
SHA256: 5C:08:A1:AC:A0:CD:10:68:57:CC:DF:80:02:EB:B2:1D:89:FB:5D:5B:92:C4:46:EA:79:BE:F4:D4:7C:28:E1:1B
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0D EE A4 E6 BC C3 B1 6A   52 B4 59 7B 7E C9 51 BD  .......jR.Y...Q.
0010: B1 D1 E1 1D                                        ....
]
]
Trust this certificate? [no]:  yes
Certificate was added to keystore
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ where openssl
-bash: where: command not found

Basics:

Difference between HTTPS and SSL

https://stackoverflow.com/questions/6093430/difference-between-https-and-ssl?rq=1

Apache Web-Server SSL Authentication

https://linuxconfig.org/apache-web-server-ssl-authentication

Disable Certificate Validation in Java SSL Connections

http://www.nakov.com/blog/2009/07/16/disable-certificate-validation-in-java-ssl-connections/

KeyTool Commands :

keytool -genkey -alias london -keyalg RSA -keystore /Users/eSumit/Documents/KeyToolKeys/NewKeys/londonkey.jks

keytool -certreq -alias london -keyalg RSA -keystore /Users/eSumit/Documents/KeyToolKeys/NewKeys/londonkey.jks -file londonkey.csr

keytool -export -alias london -file londonkey.crt -keystore /Users/eSumit/Documents/KeyToolKeys/NewKeys/londonkey.jks

CSR means Certificate Signing Request

http://hc.apache.org/httpclient-3.x/sslguide.html

Important : Java client certificates over HTTPS/SSL

https://stackoverflow.com/questions/875467/java-client-certificates-over-https-ssl

https://alvinalexander.com/blog/post/java/simple-https-example

http://www.java-samples.com/showtutorial.php?tutorialid=1343

https://dzone.com/articles/mutual-problems

https://github.com/zxyy-bys/httpsclient/blob/master/app/src/main/java/com/example/baiyongshu/httpsclient/Https_async.java

https://github.com/AndrewStoliarov/HttpsClient/blob/master/src/module/HttpsClient.java

https://github.com/zmacdonald/HttpsClient/blob/master/src/HttpsClient.java

http://www.herongyang.com/JDK/HTTPS-Client-Test-Program-HttpsClient.html

https://github.com/amusarra/http-ssl-client-example/blob/master/src/main/java/it/dontesta/blog/ssl/HTTPSClientExample.java

Another important resource, on HTTPS REST services with Apache CXF (Java):

https://radu.cotescu.com/java-https-rest-services-apache-cxf/
