Test of java SSL / keystore / cert setup. Check the commet #1 for howto.

SSLPoke.java

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;

/** Establish a SSL connection to a host and port, writes a byte and
 * prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
    public static void main(String[] args) {
        if (args.length != 2) {
            System.out.println("Usage: "+SSLPoke.class.getName()+" <host> <port>");
            System.exit(1);
        }
        try {
            SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));

            InputStream in = sslsocket.getInputStream();
            OutputStream out = sslsocket.getOutputStream();

            // Write a test byte to get a reaction :)
            out.write(1);

            while (in.available() > 0) {
                System.out.print(in.read());
            }
            System.out.println("Successfully connected");

        } catch (Exception exception) {
            exception.printStackTrace();
        }
    }
}

Test of java SSL / keystore / cert setup. Came from https://confluence.atlassian.com/download/attachments/117455/SSLPoke.java

Usage:

1. extract cert from server:
   openssl s_client -connect server:443
2. negative test cert / keytool:
   java SSLPoke server 443
   you should get something like
   javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
3. import cert into default keytool:
   keytool -import -alias alias.server.com -keystore $JAVA_HOME/jre/lib/security/cacerts
4. positive test cert / keytool:
   java SSLPoke server 443
   you should get this:
   Successfully connected

Thanks! Helped us to debug a cert issue.

Doesn't seems work as I thought it should work. it doesn't check if the server certificate is matching with the parameter.

example:

java SSLPoke ip.address.of.sslserver 443
Successfully connected

So it doesn't really check the certificate?

@jackchen858 +1 It does not

It did not work for me.

I always get Successfully connected msg

Make sure you run this with the right java in case you have multiple installations

Works brilliantly. Thanks

Thanks a lot. Followed your instructions. Fix worked perfectly.

How to use it behind a proxy ?

For those not living in the Java World here is how I compiled and used this:

• Copy code to somewhere
• Call Java compiler /usr/java/jdk1.6.0_45/bin/javac /tmp/SSLPoke.java (use your version of Java here)
• Call tool with ClassPath (-cp) that you copied the file to: /usr/java/jdk1.6.0_45/bin/java -cp /tmp SSLPoke my-url.com 443

Very useful thanks.

A note however, instead of updating the java JRE/JDK installation's keystore, best practices dictates that you should define your own truststore (if you have company CA or application certificates for example):

# import certificate into your local TrustStore
keytool -import -trustcacerts -storepass changeit -file "./class 1 root ca.cer" -alias C1_ROOT_CA -keystore ./LocalTrustStore
# use it in JAVA:
java -Djavax.net.ssl.trustStore=./LocalTrustStore -jar SSLPoke.jar $HOST $PORT

Will the default trustStore be overwritten by -Djavax.net.ssl.trustStore or is the new trustStore an addition to the default one? @Tzaphkiel

Thanks for sharing. When I try the negative test , I have the exception :

javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1747)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1708)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1691)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1617)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:105)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:114)
at SSLPoke.main(SSLPoke.java:23)
Caused by: java.lang.RuntimeException: Could not generate DH keypair
at com.sun.net.ssl.internal.ssl.DHCrypt.(DHCrypt.java:114)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:559)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:186)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:943)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
... 2 more
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DashoA13*..)
at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:627)
at com.sun.net.ssl.internal.ssl.DHCrypt.(DHCrypt.java:107)

Any idea why I have this ? Another thing can you tell me how I can generate a certificate file from a server ?

@jmara -Djavax.net.ssl.trustStore will override the default truststore (cacerts). You can copy the default one and then add your cert and set it via -Djavax.net.ssl.trustStore so you don't lose the default CAs.

Works well! Thanks

P.S. If you don't use the default keystore, you'll need to pass it and the password for the keystore into your command as arguments.