Certificate contains unsupported critical extensions: [2.5.29.17]

 
Greenhorn
Posts: 2
Has anyone experienced this?

I am connecting to an HTTPS site and get this exception:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]

This is very strange, because X509 Certificate extension 2.5.29.17 is a well-known and documented extension which is mentioned in the javadocs for interface X509Extension, method getExtensionValue: extension 2.5.29.17 is the SubjectAlternativeName extension.

If I connect to the same site disabling certificate validation, I can download the certificate chain and display information on each certificate.

If I call the X509Extension method hasUnsupportedCriticalExtension() it returns false on each certificate on the chain. If I save the certificates of the chain in a keystore and open the keystore with Portecle (an open-source Java GUI equivalent of the Keytool) I can see each extension of each certificate without any exceptions.

I first detected this problem with JDK 1.4.2. Then I installed JDK 1.5 update 1 and found out that this same exception was still occurring!

Has anybody seen this before?
 
Greenhorn
Posts: 4
Hello!
Anyone solved this issue?
I get the same exception using JDK 1.4.2 and MS Active Directory 2003.
regards
Harald.
 
Miguel Oliveira
Greenhorn
Posts: 2
I do not know if the problem has been solved. I reported the bug on the Sun site, around the time I posted my message, but never got feedback on it.

For the system that I was developing, there had to be a workaround. The partner organisation holding the HTTPS server had to make the pragmatic decision of changing the server certificate in order to make that extension "non-critical", otherwise the communication would not work for all the clients written in Java. Recently, when the system I had built (running under JDK 1.5) went into production, we again got the same exception. They had made the "mistake" of issuing a new server production certificate with that extension set to "critical". When they changed it to "non-critical" it worked.
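An added example, not code from any poster or from the JDK: a minimal DER walker in Python that lists each extension's OID with its critical flag, the one bit the workaround above changed for 2.5.29.17. The function names are hypothetical and the sample input is a constructed, unsigned certificate skeleton.

```python
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    """Turn DER OID content bytes into dotted notation."""
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs, n = arcs + [n], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def list_extensions(cert_der):
    """Return [(oid, critical)] for each extension in a DER certificate."""
    tbs = children(read_tlv(cert_der)[1])[0][1]  # Certificate -> tbsCertificate
    # Extensions: tbsCertificate field [3] (tag 0xA3); none -> empty SEQUENCE.
    wrapped = next((v for t, v in children(tbs) if t == 0xA3), b"\x30\x00")
    result = []
    for _, ext in children(read_tlv(wrapped)[1]):
        fields = children(ext)
        critical = fields[1][0] == 0x01 and fields[1][1] != b"\x00"  # absent = FALSE
        result.append((decode_oid(fields[0][1]), critical))
    return result

def tlv(tag, value):  # encoder for the sample only (short-form lengths)
    return bytes([tag, len(value)]) + value

# Constructed sample: an unsigned certificate skeleton with a critical
# subjectAltName (2.5.29.17) and a non-critical basicConstraints (2.5.29.19).
_san = tlv(0x30, tlv(0x06, b"\x55\x1d\x11") + tlv(0x01, b"\xff")
           + tlv(0x04, tlv(0x30, tlv(0x82, b"example.test"))))
_bc = tlv(0x30, tlv(0x06, b"\x55\x1d\x13") + tlv(0x04, tlv(0x30, b"")))
SAMPLE_CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))
                                  + tlv(0xA3, tlv(0x30, _san + _bc))))
print(list_extensions(SAMPLE_CERT))
```

For a real certificate, pass its DER bytes; `ssl.PEM_cert_to_DER_cert()` from the standard library converts a PEM string first.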
 
Harald Roth
Greenhorn
Posts: 4
Thank you!
Now I'm using the Kerberos implementation from Sun (com.sun.security.auth.module.Krb5LoginModule) instead of using SSL and it works.
regards
Harald.
 